Have you been twished recently?
Many twishing attacks tend to come in the form of direct messages. The user gets a message that contains basic text like "did you see this pic of you?" followed by a link.
Unsuspecting users click the message and are taken to what appears to be a Twitter login page, but is actually a fake page run by the twishing site. Enter your name and password into the fake login page, and the twishers have everything they need to steal your identity.
"Twishing" is, of course, a pun on "phishing," which is exactly what these scammers are trying to do. As Mashable notes, people are more likely to fall victim to twishing attacks because the direct messages come from people they know and trust. The sentences used by twishers, like "did you see this pic of you," are also reasonably familiar and personal. The actual Twitter website often prompts users to log into their accounts, so the fake login page does not seem out of place or unusual.
The worst part about twishing attacks is that they strike even the most computer- and internet-savvy users. Smart, high-volume internet users will install antivirus programs and keep their Spybot filters updated, but nothing about twishing attacks trips a computer virus protection system or spyware filter. In fact, there's nothing viral about twishing at all—except, of course, the way it spreads from person to person through compromised Twitter accounts.
Vancouver company Hootsuite, unofficially "the most popular social media management tool" with over seven million users, recently released a blog post outlining its efforts to prevent twishing and ensure that users can safely navigate their tweets and social media messages. This post urged users to practice good security habits, like changing passwords frequently, and updated users on Hootsuite's efforts to minimize unauthorized account access by, for example, requiring fresh logins every time the site is called up from a different physical location.
This comes after a recent post from CEO Ryan Holmes reminding users of "another benefit of using a social media management system: It acts like an extra firewall." In short, Hootsuite already acts as protection against malware and spam, and works to notify users of suspicious links.
The problem is that fighting hackers is like playing a game of Tower Defense: the faster you work to build your tower, the faster they work to knock it down. The solutions Hootsuite and other third-party Twitter clients develop today are likely to be ineffective in a few years, as twishers and other hackers work to find ever more sophisticated methods of collecting user information. We've come a long way from Nigerian prince email scams—the next twished direct message might contain text even more personalized than "did you see this pic of you."
However, one thing is clear: the owls are on the watch. Hootsuite is working to let customers know that it takes their security seriously, and that the next time the twishers attack, they'll be there to help keep customer accounts safe.