Is Twitter Putting Businesses At Risk?

Twitter

Research has found that thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter.

My company monitored Twitter in January and found that users were publicly sharing email addresses connected with their inboxes, social media identities, and bank accounts – leaving them open to advanced ‘social spear phishing’ attacks.

Social spear phishing attacks see criminals attacking harvested email addresses with information gleaned from monitoring users’ Twitter conversations. I recommend that businesses update all acceptable use policies to warn employees of this threat.

Researchers found over a 24-hour period:

  • More than 11,000 email addresses were shared worldwide

Researchers also conducted geo-targeted searches and discovered that:

  • More than 30 email addresses were shared every hour in London

Twitter users blindly think that email addresses are safe for public consumption. However, by publicly tweeting your email, you’re connecting it with your name, location and information on your social graph. Criminals can exploit this wealth of information by directing waves of highly targeted phishing attacks at individuals or businesses, masquerading as users’ friends or associates to encourage them to click on malicious links.

Together this collection of data can also allow criminals to compromise email accounts, paving the way for further malicious activity including accessing bank accounts, harvesting additional passwords and launching major spam campaigns.

Businesses employing social media to communicate with customers need to consider ways to ensure that employees are protected from these new threats. Employers should re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter.

Gmail, Hotmail and many other free web-based email services are particularly under threat as cyber criminals can harvest social information on individuals via Twitter to break into these accounts. Business leaders, journalists and celebrities were all found to be publicly sharing this data.

Top Twitter security tips

  • Always use direct messages (DMs) for sending emails addresses to contacts on Twitter
  • Treat emails from friends linking you to other sites with caution
  • Never use passwords that be inferred from publicly assessable information
  • Update acceptable use policies (AUPs) to warn employees about sharing email addresses

Twitter Security

Carl Leonard holds the position of Security Research Manager, EMEA at Websense. Carl is responsible for the effectiveness of the EMEA Security Research Team and collaboration with the global Websense Security Labs teams. Research and project work is oriented around the advancement of the ThreatSeeker network and daily incident handling duties. Carl is an active spokesperson discussing and advising on security-related matters with national and international security publications, and a regular contributor to externally-facing blogs and alerts. Carl has over 5 years experience in the threat research arena.