SocialToo takes Social Responsibility for DM Spam on Twitter

Ever open Twitter in the morning and come across this type of completely insincere DM?

[image: screenshot of an automated DM addressed to "John"]

This would be great if my name were in fact John, but it isn't. And this is sheer spam!

Well, @jesse has taken SocialToo to a new level by taking responsibility and no longer promoting the sending of DM spam. As Twitter grows at the exponential rate it does, somebody had to build the vehicles for managing the relationship between real, sincere users and fake auto-bots. I'm glad to see Jesse step up on this issue. @louisgray has great coverage of this as well; as an advisor to the SocialToo team and other boards, his knowledge and skill really provide context for these types of situations.

One of the greatest pieces of this, is as Jesse puts it:

In addition, starting today, while you will no longer have need for blocking SocialToo users' automated DMs, we encourage you to invite all your friends to come check the same option you were using to block SocialToo DMs, and we'll block other sites that do automated DMs. If you provide your Twitter username and password (this is required because other services require it; it will be via OAuth in the near future) and check the box "Turn off automatic Direct Messages from other services?", we'll set you up to block DMs from as many services that do this as we can, automatically.

So, if you don't like getting auto-DM spam, whether it was from SocialToo or from other third-party services, subscribing to SocialToo, a responsible social service, is the way to go.

I wish you all the best on this, and John, you can remove your own Bubble of Spam like this ;)

Twitter Phishing Scam with Blogspot – Post Mortem

What are our lessons learned so far from this little Twitter Phishing Scam?

First of all, this started with the compromise of a single person or a small group of people.

Distribution worked like this: infect a person by sending them to a site that captures their credentials. Once those usernames and passwords were collected, the attackers used the compromised credentials to send the same message (via DM) to that person's followers, and the spread continued.

If Joe has 10 followers and DMs it to those 10, and those 10 each have 10 followers and DM it to the next 10, shortly you'd have thousands redistributing this, so long as each of them visited the site and entered their credentials to be captured.
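To make the spread mechanism above concrete, here is an added simulation (my own example, not anything from the original post or from SocialToo): each compromised account DMs all of its followers, and a follower is compromised only if they visit the link and enter their credentials. The follower graph, the 10-followers-per-user figure and the per-DM "enters credentials" probability are constructed assumptions; real Twitter graphs are far more skewed. The point it shows is that the spread is bounded not by the attacker but by the fraction of recipients who hand over their password.

```python
import random
from collections import deque

# Constructed follower graph: every user gets FOLLOWERS_PER_USER random followers.
# These numbers are assumptions for the demonstration, not data from the incident.
N_USERS = 300
FOLLOWERS_PER_USER = 10


def build_follower_graph(n_users=N_USERS, followers_per_user=FOLLOWERS_PER_USER, seed=1):
    """Map each user id to the set of users who follow it (and so receive its DMs)."""
    rng = random.Random(seed)
    graph = {}
    for user in range(n_users):
        others = [v for v in range(n_users) if v != user]
        graph[user] = set(rng.sample(others, followers_per_user))
    return graph


def reachable_from(graph, start):
    """Every user the seed could ever reach by DM: the upper bound on the spread."""
    seen = {start}
    queue = deque([start])
    while queue:
        user = queue.popleft()
        for follower in graph[user]:
            if follower not in seen:
                seen.add(follower)
                queue.append(follower)
    return seen


def simulate_phish_worm(graph, seed_user, enter_credentials_prob, seed=1):
    """Replay the described spread round by round.

    Each compromised account DMs all of its followers. A follower becomes
    compromised only if they visit the link and type in their credentials,
    modelled as an independent event with probability enter_credentials_prob
    per DM received. Returns (compromised_set, new_victims_per_round).
    """
    rng = random.Random(seed)
    compromised = {seed_user}
    frontier = [seed_user]
    rounds = []
    while frontier:
        newly_compromised = []
        for sender in frontier:
            for follower in graph[sender]:
                if follower in compromised:
                    continue  # already phished, nothing more to take
                if rng.random() < enter_credentials_prob:
                    compromised.add(follower)
                    newly_compromised.append(follower)
        if not newly_compromised:
            break
        rounds.append(len(newly_compromised))
        frontier = newly_compromised
    return compromised, rounds


if __name__ == "__main__":
    graph = build_follower_graph()
    for prob in (1.0, 0.3, 0.05, 0.0):
        compromised, rounds = simulate_phish_worm(graph, 0, prob)
        print(f"p={prob:.2f}: {len(compromised):4d} accounts compromised "
              f"over {len(rounds)} rounds {rounds}")
```

With the probability at 1.0 the worm reaches every account the seed can reach at all; at 0.0 it stops at the seed. Everything in between is the "educate the sender" lever the post argues for.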

I see a lot of anger “I’m going to get person ‘x’ who sent me this message!”

It's not the fault of the sender, not entirely. They were compromised by a phishing scam; it happens. You should work towards educating them instead of castigating them, so that next time it will be second nature not to hand their username and password to an untrusted site.

How could this terrible thing have happened? Now I hate (BlogSpot, Twitter, Followers)

Don't hate the player; just be glad it WAS done this way (a relatively harmless site that only dropped a few cookies into your browser). Here is what could have happened if it had been introduced with an effective distribution mechanism.

You visit the site and you're prompted for credentials. A far more damaging payload would have been malware, spyware, phishing kits, password capturers, or any number of other infection mechanisms.

Once that was done, you'd be compromised on a number of fronts, and the attacker could distribute this to millions instead of just the few followers you have, reaching into Facebook, your bank account, and so on.

What can I do about this in the future?

The universal rule for communication, especially unsolicited communication, is to ask yourself a few questions. Would you visit this link if you were having a conversation with the person, having established rapport with them while talking? Yes, likely.

However, the tip here is that a random auto-DM does not by itself give you a reason to visit the link. Yes, a lot of people DO send out auto-DMs, to the annoyance of all of us (SocialToo and Chris Brogan, thanks for helping limit that exposure!). But don't write off all communication in the future. If you think someone seriously DID write a funny blog post about you because the person knows you, definitely do check it out! In all seriousness, though, if you've not had some kind of established communication with this person to justify it, and on top of that the link brings you not to a funny blog post but to a fake Twitter login page, be sure to question it and use your common sense.

Oh, and be wary of ever entering your credentials – again unless you explicitly trust the source.
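The "question the link before you type a password" advice above can be partly mechanised. The following is an added example of mine (not code from the original post or any service it mentions) that inspects a DM link the way a careful person would: is the host really twitter.com, is "twitter.com" merely embedded in a lookalike host, is there a username before an "@" that disguises the real host, and does an untrusted host present something that looks like a login page? The trusted-host list, the path keywords and the sample links are all constructed assumptions for the demonstration.

```python
from urllib.parse import urlparse

# Assumption for this example: the only hosts where typing Twitter credentials
# is legitimate. Any other host asking for them is treated as a phish.
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}
# Path fragments that suggest a page wants credentials (assumed heuristic list).
LOGIN_HINTS = ("login", "signin", "sign-in", "session", "password", "account")


def is_lookalike_host(host):
    """True when 'twitter' appears inside a host that is not actually Twitter,
    e.g. twitter.com.example.net or twitter-verify.example.blogspot.com."""
    return "twitter" in host and host not in TRUSTED_LOGIN_HOSTS


def assess_dm_link(url):
    """Return the reasons a link from an unsolicited DM should not get your password.

    An empty list means these checks found nothing; that is not proof the link
    is safe, only that it does not trip the obvious wires.
    """
    if "://" not in url:
        url = "http://" + url  # bare 'example.com/page' links are common in DMs
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []

    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if parsed.username is not None:
        # http://twitter.com@evil.example/ : what precedes '@' is a username, not the host
        reasons.append(f"userinfo {parsed.username!r} before '@' disguises the real host {host!r}")
    if is_lookalike_host(host):
        reasons.append(f"host {host!r} imitates twitter.com but is not it")
    asks_for_login = any(hint in path for hint in LOGIN_HINTS)
    if asks_for_login and host not in TRUSTED_LOGIN_HOSTS:
        reasons.append(f"login-looking page on untrusted host {host!r}")
    if host in TRUSTED_LOGIN_HOSTS and parsed.scheme == "http":
        reasons.append("real Twitter host but plain http; credentials would travel unencrypted")
    return reasons


# Constructed sample links of the kinds that turn up in DMs (not real phishing URLs).
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "http://twitter.com.sign-in-check.blogspot.com/login.html",
    "http://twitter.com@phish.example/session",
    "http://funny-blog.example/post-about-you",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = assess_dm_link(link)
        print(link, "->", verdict or "no obvious red flags (still ask who sent it and why)")
```

The last sample link passes every check and is exactly the case the post warns about: a clean-looking link from someone you have never talked to. The code can only catch the crude tricks; the "have I actually had a conversation with this person" question still has to be asked by you.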

Hopefully this post-mortem helps you deal with this situation. I'm still waiting for my self-infected account to start tweeting out to me (controlled infection). For every problem there will be people looking to exploit it, and others trying to solve and contain it. I'll be there trying to find new solutions and rid the world of future exposure as well :)

Good luck, and feel free to follow me if you like :) @cxi