Security Awareness Blog

How I Got Phished On Twitter

Security awareness is tough: once trained, a user must remain ever vigilant. This is true even for me, and I do this for a living. First, the bad guys are persistent; they never give up, so sooner or later the end user may make a mistake. Second, attackers are always adapting and changing their methods, including adopting the latest technology, and even the best of us find it hard to keep up. I should know: I recently got phished. Looking back it was so obvious, but at the time the attack was the perfect storm.

Take a look at the image to the left. A good friend of mine and very well respected SANS instructor, Ed Skoudis, tweeted about the new MacBook Air that had just been released. If there is a passion Ed and I share, it is Mac laptops, so when I saw Ed's tweet on the new MacBook Air specs I was intrigued and clicked to learn more. I then saw that several of his friends had replied to his tweet. The first was Ed's friend Johannes Ullrich, another trusted member of the SANS community. Then I saw Ed's friend Ryan. I had no idea who Ryan was, but figured he must be a friend of Ed's too, since he was following him. Ryan also posted about a $100 gift card for the new MacBook Air, and since I was about to buy one and this was Ed's friend, I clicked on it.

*Sigh*, sinking feeling. As soon as I clicked I knew I had messed up. This was not Ed's friend but a cyber criminal posting the same scam in reply to any MacBook Air related tweet. Since I'm relatively new to Twitter, I let myself believe there was a trust relationship when there was none, and as a result I got suckered. Fortunately the URL had already been identified as evil and was blocked by tiny.url.

This was a wonderful reminder that you always have to be alert and suspicious; it is a dangerous place out there. It also demonstrates how security awareness is just like patching a computer: it is something you have to keep doing to keep the human OS protected against threats.


Posted December 20, 2010 at 2:24 PM


This also illustrates why a layered approach is necessary to bring security to an acceptable level. Humans make mistakes, and even intelligent, well-informed people have a lapse, and fortunately another layer, blocking by tiny.url, succeeded. And hopefully in many cases where tiny.url has not identified an evil link, many humans will avoid it.
It's been my experience that a strategy that relies on one silver bullet is a strategy that has one point of failure.
Layers are the key, IMO.

Posted December 20, 2010 at 4:55 PM


HJohn, I could not agree more. Security can only reduce risk, not eliminate it. The more layers you have, the more you can reduce risk. This is why I am so excited about awareness: it is the one layer so few organizations have even considered, let alone implemented properly.