Bank of Melbourne’s Twitter feed used for Phishing
The Bank of Melbourne had a bit of a problem last week. Someone compromised their Twitter feed and sent Phishing messages to their followers, many of whom are customers. The malicious links however, sent via direct message to avoid notice, were nothing spectacular and easy to spot with a trained eye.
The problem was discovered last Wednesday. Customers and individuals who follow the Bank of Melbourne on Twitter were sent malicious links via direct message. The messages were the same, aside from variations within the URL, generated with Twitter’s http://t.co address shortener.
“ATTN: Unauthorised DMs sent bw 4-5pm today, do not click link. No customer/personal data compromised. Apologies for the inconvenience,” the bank said to their Twitter followers.
Later the bank added that they “take security very seriously & will be strengthening [their] policies to further protect our social channels.”
For the curious, the Phishing messages looked like this one: “This made me laugh so hard when i saw this about you lol hxxp://t.co/UwtI7Q1”
Note: The URL above is being flagged by Twitter as harmful. The forwarding address is offline at this time, but readers should avoid visiting it nevertheless.
The http://t.co address forwarded to a Phishing page on www.ltwittier.com, which harvested usernames and passwords for the social networking site. The technical details on the domain itself are here, and you can safely view one of several Phishing attempts here.
The Tech Herald was able to track down three similar pages on this domain using various URLs, but there may have been others. This makes determining the number of victims nearly impossible.
It is worth noting that the malicious link sent via the Bank of Melbourne’s Twitter account targeted Twitter itself, instead of banking customers. This is why the bank is positive that no customer data was compromised due to the incident. However, if customers used the same password on Twitter as they do for their online banking, there could be a problem.
It’s best to avoid password sharing entirely, but if that is not possible, then the best advice is to ensure that passwords for finance related access are completely separate from those used on social media.
The Bank of Melbourne prides itself on offering friendly and easy interactions, both on and offline. The Phishing links delivered via the bank were looking to exploit the trust developed by the financial organization. However, the Phishing attempts were easily spotted simply because they were missing a few things that would have marked them as an official communication from the bank.
The first item missing is the signature. Each bank employee signs their post on Twitter with their initials. If you look at the bank’s Twitter feed, you will see this represented by ^TT and ^AS. So bank customers could have immediately questioned the validity of the random DM from that alone.
However, the other item of note is the message itself. It is missing proper capitalization, and does not follow the normal patterns of speech used by the bank on Twitter.
This incident aside, similar messages have spread across Twitter over the last few months [example], each linking to a domain looking to harvest information. If you receive one of these messages, remember to think before you click.
Ask the person if they actually sent the message before you access the URL. Look at the message itself, and question how it is written. Does it match the style of writing of the person sending it, considering previous communications? Do you even know the person sending it? If you only know them online and rarely talk to them, should you trust random links sent by them?
In the case of the Bank of Melbourne, we’re told that the likely cause for the account compromise was a weak password used by a staffer with access to Twitter. We’ve asked the bank to confirm if this is correct, and will update with more information as we get it.
In the mean time, this can serve as a lesson for organizations looking to develop social media presences. Online, an organization’s band and reputation matter, so the same policies implemented to protect a company’s resources must be applied equally, to both the business itself internally, as well as on social platforms such as Twitter. This includes password and access management.
While the password strength is at question when it comes to the Bank of Melbourne, their policy of limiting access to Twitter to a few key employees and having them sign their individual posts is something to consider. A policy such as this helps narrow the scope of investigating a security incident.