By Larry ShortIn the hallowed halls of my place of employment, they call me (with some degree of affectionate ribbing) the "Dark Lord of the Web," mostly related to my role in helping to get our first corporate web presence rolling, back in the good ole days of 1997. I have continued to work in the internet space in various capacities since then, much of it recently related to social media/new media strategy, so the moniker has stuck to the wall.
As the Dark Lord I frequently advise others how to keep their web assets secure. So it was recently to my extreme chagrin that I discovered myself the victim of what I thought to be at first glance a phishing scam. Someone started sending out messages on my Facebook account, which appeared to be coming from me. They read something like,
"Stay at home mams, u can make $250-$300 an hour working at home ... http://linkhere.com"
The fast redirect link I didn't click on, of course, so I'm not sure where that actually went. I'm guessing nowhere good. ($300 an hour? Probably not stuffing envelopes.)
So I checked on Facebook's help site to see what to do, and they recommended (after deleting the post) changing all my Facebook and email passwords in case I had been the victim of a phishing attempt. I did so immediately, even though, mind you, I am VERY careful about phishing ... I don't ever click on anything that doesn't seem completely straight up, and I always check the real links before I click, as opposed to the text of the link presented to you on the page. If anything looks phishy, I don't click it, so I was really surprised to learn I might have been victimized by phishing.
The next day, with my passwords changed, even more similar messages began to be posted to my friends.
So now I was really worried that perhaps I had been infected with some sort of keystroke-logging virus, and someone was hacking all my passwords. Bad news, if so.
I consulted with our corporate IT department (since I wasn't sure if the problem was on my company laptop or on my desktop at home). They advised thorough antivirus cleaning procedures, so I began to run four separate antivirus scans (using different software ... AntiVir, McAfee, Windows' Malicious Software Removal Tool, Malwarebytes Anti-Malware, and Lavasoft's Ad-Aware. Between installing or updating each of these packages, and then running them, it took hours and hours and hours to complete the scans.
The results of the scans were both encouraging and puzzling. MalWareBytes detected three malicious software objects on my laptop, all related to PUM.Hijack, which I read up on, and it turns out they find it on everyone and it can actually cause problems if I remove this. Microsoft found nothing. Antivir found nothing on my desktop. McAfee found one cookie it didn't like on my laptop, but it was a Webex cookie so I'm assuming it wasn't any huge threat.
So, no viruses.
It was at this point, after hours of running scans, that I took a second look at the actual message posts on my Facebook ... and saw that they had come via Twitter.
And I remembered that I had a Twitter account which I used primarily for the purpose of posting quick status updates to my Facebook. So I went and checked it, and sure enough, whoever had hacked me was actually posting the messages into my Twitter stream.
So, it was evidently a brute force password hack, or possibly a Twitter phish. My Twitter password was moderately secure (letters and numbers, no whole words) but only six characters. I assume they ran some sort of brute force login attempt until they came up with the right combination of numbers and letters. But it's also possible someone faked an email from Twitter and I logged in on a phishing site without knowing it. (Here's one so-and-so who teaches people how to do that.)
At first I was sure they probably had changed my password once they got in, but no, it was still the same. So, I quickly changed it to something substantially stronger (almost twice the length), and that seemed to solve the problem.
So the moral is threefold: 1) Examine the attack carefully before you spend hours running virus scans. (Not that that wasn't a good idea; I do it periodically, anyway, just to be cautious.) 2) Be aware that there are phishers out there seeking to capture your Twitter login info, and know how to protect yourself. And 3) a six-character password, even one that uses moderately good security technique, may no longer be sufficiently secure. Use a longer password, one that does not contain any whole words and uses both numbers and letters (and possibly some other characters).