
Twitter phishing: It’s here, now

October 15, 2009

Two months ago, The Financial Brand warned of the phishing risks financial institutions face on Twitter. Yesterday, at least two financial institutions had their official corporate Twitter accounts hacked, maybe more. While it seems no serious harm was done, it’s something all banks and credit unions need to be aware of. Here’s how it works.

If you’ve had any experience with Twitter lately, you may have seen one of these rather innocuous-looking messages show up in your private inbox:

[Image: hawthorne-spam]

Some are phrased differently, like this narcissistic temptation: “Hey is this you in this picture? http://twitter.pictures.url”

The only problem is that it’s a scam. The URL may look harmless, something like videos.twitter.secure-logins01.com (link inactive), but if you click on it, it takes you to a spoofed phishing site that looks identical to a real Twitter login screen. At this point, unsuspecting users who enter their account name and password have just handed their information over to hackers, who quickly hijack the account.

Which is precisely what happened to Hawthorne Credit Union and Brewer FCU yesterday. Some hacker started following them on Twitter a while ago. The unsuspecting credit unions repaid the courtesy by following them back. Wait a little while…then one day, a message from someone like jimbo_philly53 shows up in the credit union’s private inbox with a link.

“What’s this?” the person staffing the financial institution’s Twitter account wonders. They click on the link and assume they need to log in to Twitter…to see the bait that the hacker has dangled.

Whammy! Account hijacked.

Make that two accounts hijacked.

Reality Check: For a certain period of time, hackers controlled the Twitter accounts of at least two credit unions. Remember, these are official, corporate communications channels.

If the hackers knew what they had, they wouldn’t have squandered their opportunities pushing $300-a-day, work-at-home schemes, as they did with the hijacked Brewer FCU account:

[Image: brewer-fcu-spam]

If these guys knew they were in control of official credit union Twitter accounts, they would have sent this kind of private message to all the followers of Hawthorne and Brewer credit unions:

[Image: brewer-phishing]

Fortunately for both credit unions, these hackers were merely interested in perpetuating their own scams.

Hawthorne issued the following apology:

[Image: hawthorne-apology]

But it could have turned out much worse. Remember, these two credit unions were only caught in a wide hacker dragnet. Someday very soon, financial institutions’ Twitter accounts will come under direct assault by hackers deliberately looking to defraud consumers.

Key Question: What would have happened if some sweet, unsuspecting person coughed up their financial details to these hackers, who then cleaned out their accounts and stole their identity? How would consumers and financial institutions feel about using Twitter if/when that story breaks?

Bottom Line:

  • If you don’t think this is a problem for your financial institution because you aren’t on Twitter today, think again. Someone else could be on Twitter right now, building followers using your brand name. Then...whammy!
  • Never enter your account information at any website without verifying that the URL displayed in your browser window is legitimate. Make sure anyone staffing your social media accounts is careful about this too.
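As an added example (not code from the article or from The Financial Brand), here is a small Python checker that applies the advice above: it parses the URL the way a browser would and accepts only twitter.com or one of its subdomains, so the lookalike host quoted earlier (videos.twitter.secure-logins01.com) is rejected. The choice of twitter.com as the only legitimate domain is an assumption for the example, and every sample URL except the article's own is constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only legitimate login host is twitter.com
# (and its subdomains). Everything else gets flagged, however it is dressed up.
LEGIT_DOMAIN = "twitter.com"


def browser_host(url: str) -> str:
    """Return the lowercase host a browser would really connect to, or "".

    urlsplit() resolves the userinfo trick (twitter.com@evil.example ->
    evil.example), ports and paths, so we never judge the raw string.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.lower().rstrip(".")


def is_legitimate_login_url(url: str) -> bool:
    """True only if the host IS LEGIT_DOMAIN or a subdomain of it.

    The dotted-suffix test ("." + LEGIT_DOMAIN) is what separates
    videos.twitter.secure-logins01.com (registrable domain
    secure-logins01.com) from a real subdomain such as api.twitter.com.
    """
    host = browser_host(url)
    return bool(host) and (host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN))


def triage(urls):
    """Label each URL so whoever staffs the account can see which to trust."""
    return {u: ("ok" if is_legitimate_login_url(u) else "SUSPECT") for u in urls}


# Constructed sample inputs: the first is the lookalike quoted in the article,
# the rest are made-up variants of the same "real name buried in a fake host" trick.
SAMPLES = [
    "http://videos.twitter.secure-logins01.com/login",
    "https://twitter.com/login",
    "https://www.twitter.com/login",
    "https://twitter.com.secure-logins01.com/login",   # real name as a prefix
    "https://twitter.com@secure-logins01.com/login",   # real name as userinfo
    "https://TWITTER.COM/login",                       # case should not matter
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:8}{url}")
```

The same suffix test works for any brand by changing LEGIT_DOMAIN; what matters is checking the parsed hostname, not whether the brand name appears somewhere in the link.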

Filed Under: Social Media

4 Responses

  1. Rich:

    One would think the credit union employees would be better trained. I would hate to know what other ID’s and passwords they have given out this way.

  2. Sandy Manisco:

    Sadly, this is just another method for hackers, same as phishing schemes that have been occurring for years using text, email, phone calls, etc. The screen was identical to Twitter and since my Twitter account doesn’t have any access to member information, I had my guard down and fell for it.

    The scary thing is not that they fooled me into giving my twitter name and password. I’m more concerned about someone creating a fake Hawthorne website for online banking, as hackers have been doing with emails for some time now.

    It reminds me that we need to be constantly reminding members to be cautious about where they enter their personal information.

  3. Toby Galino:

    More sites should implement two factor authentication to sign in, then these types of phishing hacks would be useless. Working for VeriSign I hear some horrific stories, and VIP tokens are particularly relevant in light of the recent Twitter, Hotmail, etc. credential leaks. I am using 2F in a variety of places already, like eBay and PayPal. My accounts have been attacked on both, so those sites were my first stop to register.

  4. The Financial Brand » Blog Archive » Petition to verify Twitter accounts for financial firms:

    [...] Financial Brand now tracks over 600 Twitter accounts for financial institutions, two of which were hacked last week. As more banks and credit unions push the envelope on Twitter, as Vantage Credit Union [...]
