The Tech Herald

Report: Bank of Melbourne’s Twitter feed used for Phishing

by Steve Ragan - Sep 21 2011, 09:02

Bank of Melbourne’s Twitter feed used for Phishing

The Bank of Melbourne had a bit of a problem last week. Someone compromised their Twitter feed and sent Phishing messages to their followers, many of whom are customers. The malicious links however, sent via direct message to avoid notice, were nothing spectacular and easy to spot with a trained eye.

The problem was discovered last Wednesday. Customers and individuals who follow the Bank of Melbourne on Twitter were sent malicious links via direct message. The messages were the same, aside from variations within the URL, generated with Twitter’s http://t.co address shortener.

“ATTN: Unauthorised DMs sent bw 4-5pm today, do not click link. No customer/personal data compromised. Apologies for the inconvenience,” the bank said to their Twitter followers.

Later the bank added that they “take security very seriously & will be strengthening [their] policies to further protect our social channels.”

For the curious, the Phishing messages looked like this one: “This made me laugh so hard when i saw this about you lol hxxp://t.co/UwtI7Q1”

Image: @melpay

Note: The URL above is being flagged by Twitter as harmful. The forwarding address is offline at this time, but readers should avoid visiting it nevertheless.

The http://t.co address forwarded to a Phishing page on www.ltwittier.com, which harvested usernames and passwords for the social networking site. The technical details on the domain itself are here, and you can safely view one of several Phishing attempts here.

The Tech Herald was able to track down three similar pages on this domain using various URLs, but there may have been others. This makes determining the number of victims nearly impossible.

It is worth noting that the malicious link sent via the Bank of Melbourne’s Twitter account targeted Twitter itself, instead of banking customers. This is why the bank is positive that no customer data was compromised due to the incident. However, if customers used the same password on Twitter as they do for their online banking, there could be a problem.

It’s best to avoid password sharing entirely, but if that is not possible, then the best advice is to ensure that passwords for finance related access are completely separate from those used on social media.

The Bank of Melbourne prides itself on offering friendly and easy interactions, both on and offline. The Phishing links delivered via the bank were looking to exploit the trust developed by the financial organization. However, the Phishing attempts were easily spotted simply because they were missing a few things that would have marked them as an official communication from the bank.

The first item missing is the signature. Each bank employee signs their post on Twitter with their initials. If you look at the bank’s Twitter feed, you will see this represented by ^TT and ^AS. So bank customers could have immediately questioned the validity of the random DM from that alone.

However, the other item of note is the message itself. It is missing proper capitalization, and does not follow the normal patterns of speech used by the bank on Twitter.

This incident aside, similar messages have spread across Twitter over the last few months [example], each linking to a domain looking to harvest information. If you receive one of these messages, remember to think before you click.

Ask the person if they actually sent the message before you access the URL. Look at the message itself, and question how it is written. Does it match the style of writing of the person sending it, considering previous communications? Do you even know the person sending it? If you only know them online and rarely talk to them, should you trust random links sent by them?

In the case of the Bank of Melbourne, we’re told that the likely cause for the account compromise was a weak password used by a staffer with access to Twitter. We’ve asked the bank to confirm if this is correct, and will update with more information as we get it.

In the mean time, this can serve as a lesson for organizations looking to develop social media presences. Online, an organization’s band and reputation matter, so the same policies implemented to protect a company’s resources must be applied equally, to both the business itself internally, as well as on social platforms such as Twitter. This includes password and access management.

While the password strength is at question when it comes to the Bank of Melbourne, their policy of limiting access to Twitter to a few key employees and having them sign their individual posts is something to consider. A policy such as this helps narrow the scope of investigating a security incident.

Around the Web

Comment on this Story

comments powered by Disqus
Security
Index
News
 
Features
Reviews

From Autosaur.com

Man wins Batman version of Nissan Juke

A BATMAN fan has won a special version of the Nissan Juke inspired by the films — and which has a string of features more normally seen on the Batmobile. Adam Williams was presented with the matt black vehicle after a real Batmobile (well, as real as they get) was driven through the streets of the [...]

The post Man wins Batman version of Nissan Juke appeared first on Autosaur.

Lamborghini Gallardo Pictures

Pictures of the Lamborghini Gallardo. The Gallardo was first made in 2003 and is Lamborghini’s most popular model to date with more than 10,000 built in the first seven years alone. They originally had a 5.0 liter V10 engine, but from 2008 onwards featured a 5.2 liter V10 prodcing 552horsepower. It can do 0-62mph in [...]

The post Lamborghini Gallardo Pictures appeared first on Autosaur.

Lamborghini Aventador Pictures

Pictures of the Lamborghini Aventador. The Lamborghini Aventador is a two-seater super car unveiled at the Geneva Motor Show in 2011. It was designed to replace the Lamborghini Murcielago. Both a coupe and convertible/roadster version of the Aventador were made. It has a 6.5 liter V12 engine producing 690bhp and can do 0-60mph in 2.9 [...]

The post Lamborghini Aventador Pictures appeared first on Autosaur.