Hacking (Reuters?) and fake following (Mitt Romney?) on Twitter

According to the Washington Post, @US_CIA tweeted messages that had a good grasp of intelligence issues and could easily “have come out of CIA public affairs.” Until, that is, the odd message crept in, like: “The Agency is an equal opportunity employer. Here at the CIA we respect all religions, not just the Church of Latter Day Saints,” and “Dear Ayatollah @khamenei_ir, please consider tweeting in English. Our sole Arabic speaking NED analyst is out on vacation this week.” It was a fake account and the CIA was being spoofed.

Within the last few days the Gizmodo account was hacked and briefly sent out offensive and racist tweets. It was neither Twitter’s nor Gizmodo’s fault; it stemmed from the Honan hack, which wasn’t even his fault but was rather a social engineering attack against Apple tech support.

Reuters this week suffered a more traditional hack. “Earlier today @ReutersTech was hacked and changed to @reutersME,” the @Reuters account tweeted on Sunday. There are no details on how this was achieved, but security researcher Robin Wood offered Infosecurity a few possibilities. “My guess,” he said, “would be either a simple password brute force attack against Twitter or something similar to the Gizmodo attack where the attackers got access to a mail account then did a password reset. Another option,” he added, “would be if the password used on the account was used on one of the systems which was recently compromised and had its passwords released. If the password was gained from one of these lists the attackers could just walk straight in, no hack needed.” And there’s not a lot that Twitter can do. “It doesn't take a weakness in Twitter to result in a Twitter account compromise, all you have to do is to find a weak link somewhere in the trust chain and worm your way in from there,” said Wood.

To add to this problem, Barracuda Labs has today released details of its research into the fake Twitter follower market. It set up three Twitter accounts and then bought between 20,000 and 70,000 fake followers for each of them (the average price from eBay is $18 per thousand followers). From its analysis, it discovered that the average fake follower ‘abuser’ has 48,885 Twitter followers while following 1,799 accounts.

But of course some ‘abusers’ can afford more fake followers than others. Barracuda Labs turned its attention to the rapid rise in followers of the Mitt Romney account. There are some disturbing details. Romney’s followers increased by 17% in just one day (116,922 new followers on 21 July). Of these, one in four have never made a single tweet; and 10% have already been suspended by Twitter. “We believe most of these recent followers of Romney are not from a general Twitter population but most likely from a paid Twitter follower service,” it said, adding that “Romney’s newest followers could have been paid for by himself, his associates or by his opponents. So far, there is not a feasible way to confirm who is responsible.”
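As an added illustration (not code from the article or from Barracuda Labs), the following Python computes the three indicators the report relies on, one-day follower growth, the share of new followers that have never tweeted, and the share already suspended, over a constructed sample and flags a batch that combines an abrupt spike with low-quality accounts. The thresholds and the sample data are assumptions chosen to mirror the ratios quoted above, not Barracuda’s published criteria.

```python
from dataclasses import dataclass


@dataclass
class Follower:
    handle: str        # constructed sample handle, not a real account
    tweet_count: int   # lifetime tweets; 0 means "never made a single tweet"
    suspended: bool    # already suspended by the platform


def growth_pct(previous_total: int, new_followers: int) -> float:
    """Single-day follower growth as a percentage of the prior total."""
    return 100.0 * new_followers / previous_total


def follower_indicators(batch: list[Follower]) -> dict[str, float]:
    """Share of a follower batch that has never tweeted, and share already suspended."""
    n = len(batch)
    return {
        "never_tweeted": sum(f.tweet_count == 0 for f in batch) / n,
        "suspended": sum(f.suspended for f in batch) / n,
    }


def looks_purchased(previous_total: int, batch: list[Follower],
                    growth_threshold: float = 10.0,
                    silent_threshold: float = 0.2,
                    suspended_threshold: float = 0.05) -> bool:
    """True when growth is abrupt AND the batch is dominated by silent or suspended accounts.
    Thresholds are assumptions for illustration, not Barracuda's published criteria."""
    ind = follower_indicators(batch)
    abrupt = growth_pct(previous_total, len(batch)) >= growth_threshold
    low_quality = (ind["never_tweeted"] >= silent_threshold
                   or ind["suspended"] >= suspended_threshold)
    return abrupt and low_quality


# Constructed sample: 20 new followers in one day on top of 100 existing (20% growth);
# 5 have never tweeted (25%) and 2 are already suspended (10%), mirroring the article's ratios.
SPIKE_BATCH = (
    [Follower(f"silent{i}", 0, False) for i in range(5)]
    + [Follower(f"banned{i}", 3, True) for i in range(2)]
    + [Follower(f"normal{i}", 50 + i, False) for i in range(13)]
)
# Constructed baseline: 3 ordinary, active followers on top of 100 (3% growth).
BASELINE_BATCH = [Follower(f"regular{i}", 120 + i, False) for i in range(3)]

if __name__ == "__main__":
    print(follower_indicators(SPIKE_BATCH), looks_purchased(100, SPIKE_BATCH))
    print(follower_indicators(BASELINE_BATCH), looks_purchased(100, BASELINE_BATCH))
```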

The problem, however, is that Twitter is in danger of losing credibility due to an increasing number of hacks, spoofs and fake followers.
