It’s not always done well.

For instance, lately I have been receiving emails, about one a day, along the following lines:

Hi
It`s Rosalyn again. Will you ever contact me?
I made those nude pictures especially for you.

Phew, state-of-the-art social engineering there! The next day it was Jessie, not Rosalyn, but the message was the same.

Since this approach clearly hasn’t worked with me, the spammers thought they’d try a different approach.

Hi
It`s Cleveland again. Will you ever contact me?

Genius!

How it works

The mechanism is pretty simple. You get a direct message from someone you follow, encouraging you in some way to click a link. The techniques used to get you to click are the clever bit.

So you click on the link and it looks legit. Except it asks you to provide your Twitter ID and password. Obviously this is a bad idea. Well, I say ‘obviously’, but it’s not so obvious because heaps of people get caught. Even people who make a living on their social media expertise. Whoopsie!

Once you provide your password, the nasty scammers can log into your Twitter account and send direct messages to all your friends, supposedly from you, asking them to click on the link. Or possibly several different links, with several different enticements. A few of your friends fall for it and the cycle continues.

Presumably the hijackers could also use your details to send Tweets, supposedly from you, for various nefarious spammy purposes.

Clever enticements

As I mentioned, the clever part is the way the scammers convince you to click the link, what security geeks call ‘social engineering’. It needs to sound like a plausible message you’d receive from a friend or someone you know, the enticement needs to be appealing to you and the link needs to look legitimate.

These started out fairly basic: things like ‘Hey, take this free quiz’ or ‘Hey. Can u do this for me?’ The ‘hey’ part makes it sound like a genuine message from a friend. In fact, the only thing that tipped me off was the fact that the message came from someone I didn’t know particularly well and it seemed overly familiar. If it had been from a real-life friend, I might easily have been fooled.

The next phase was an IQ test, with messages like ‘Want to check to see whos iq is higher?’ and ‘u seem smart. take this iq quiz.’ Appealing to people’s competitiveness and vanity always gets you places.

Today I received a direct message telling me someone had found me on a site called ‘xsgay’. You can imagine this would be of great concern to quite a lot of people, regardless of their personal preferences. And once you’re worried and not thinking clearly, you’re much less likely to fret about why this site is asking for your Twitter details, and just fill them in. Uh oh!

What (not) to do

As far as I understand, these scams have a fairly low success rate because they rely on you entering your ID and password, or at least clicking a link to provide those details to the scam site. But like spam and online banking phishing scams, a low success rate multiplied by millions of messages adds up to a sufficient number of people who get fooled.

So not getting caught out is fairly simple:

1. Be suspicious of people contacting you at random – if it’s outside the normal pattern of behaviour, question it
2. Don’t click suspicious links
3. Don’t provide your ID or password to a site unless you know it’s trustworthy
4. If your account gets hijacked, change your password as soon as you find out. And probably start apologising to a lot of people.