Sciencetext Tips and Tricks

Tech talk, social media, computing tips and tricks

Twitterank Phishing Scam

November 13th, 2008 · by David Bradley · 9 Comments

Are you a narcissistic Twitter user like me? If so, you may have tested out Twitterank to see how well received your tweets are. If so, you may have been the victim of a phishing expedition. This from ZDNet:

Twitterrank has no apparent purpose beyond a sketchy numerical rating, and there are rumors circulating on Twitter this afternoon that it is basically a fishing [sic] expedition.

Time to remove the Twitterank script from any website on which you are displaying it and change your Twitter password ASAP.

Other sites reporting the possibility that Twitterank is nothing more than a scam include Mashable. It's on NowPublic and AquariumDrinker has plenty to say about it.

However, I don't think Twitterank is a genuine scam; it's a name-and-shame system aimed at exposing just how easy social engineering is and also at shaming Twitter into releasing their API so that genuine applications of this kind can be developed properly without the security risk.

Look at the internals of Twitterank and you'll see this disclaimer:

Disclaimer: I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, “Do I really want to find out my twitterank badly enough to give some random dude on the interweb my account info?” And if that's not what you're asking yourself, shame on you.

Here's Twitterank's response to the accusations: “No, I am not a phisher. I don't even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I'm not evil, but the next guy might be.”

In some sense, Twitterank preys on user vanity and the viral effect of WordSpread(TM), whether or not it's a genuine scam or simply an attempt to expose insecurity issues. Hear it as a wake-up call. You have been warned. If Twitterank isn't a scam, the next site to ask for one of your social media passwords may well be. Don't fall for it when other sites come bearing wonders and asking for passwords.

It seems quite apt that the free download of Vulnerability Management for Dummies is once again available through Sciencebase partner site.

9 responses so far ↓

  • David Bradley // Nov 13, 2008 at 2:12 pm

    Twitterank creator, Ryo Chijiiwa, responds to the scam accusations on ZDnet.

  • Kim Woodbridge // Nov 13, 2008 at 4:05 pm

    Interesting. I had seen all of this except for Ryo's response on ZDnet. I think that overall people need to be more careful with their passwords and change them frequently. And if they want to test a tool like this, change their password, test the app., and then change the password again.

    I was amused that this happened the same day I posted an article asking if these ranking and grading systems even mattered.

  • David Bradley // Nov 13, 2008 at 4:24 pm

    I tried to get all this “out there” early on, as soon as I saw it this morning, but I guess a lot of people were trying to do that too. You're right such a tool is just a bit of fun, nothing particularly relevant…just like Google toolbar PR, in fact ;-)

  • Roger // Nov 13, 2008 at 5:08 pm

    The commonsense approach is simply not to use sites where you can't be sure of their intent or security protocols.

    It's the downside of APIs that mashup data from secure sites, I suppose.

  • Ari Herzog // Nov 13, 2008 at 5:20 pm

    I was on the road all day, using my BlackBerry – had seen a few tweets about this service but that's the extent of my involvement.

    So, I sit back and watch the rumors and responses fly back and forth.

    You're right about password security and it raises the issue which can't be repeated enough: If you're not going to jump into a car with a stranger at the age of 7, don't give your passwords to strangers without checking them out.

  • Andy // Nov 13, 2008 at 11:36 pm

    An exclusive Interview with Kyo taken by me:
    http://www.phishmail.de/2008/11/twitterank-das-interview/

  • David Bradley // Nov 14, 2008 at 7:35 am

    Andy, thanks for sharing your interview with “Ryo”. I'm taking it on trust that it's genuine even though you typed his name wrong. However, I don't think he really says anything more in your interview than he has elsewhere in the media. It certainly doesn't nail whether or not he's genuine or not…he's not going to admit in public to being a phisher of men (and women) in public after all.

  • Andy // Nov 17, 2008 at 9:53 am

    Yes, you're right, typed the name wrong, sorry… Change it to “Ryo”, if you like. In the end the interview is no evidence or some really new information, but I think it is worth watching this. I'm based in Germany and the interview was taken to inform also German-only speakers and I didn't want to copy other pages.

  • David Bradley // Nov 17, 2008 at 10:13 am

    Yeah, no worries about the typo, we all do it. I think he's so much in the public eye now, that it will either make or break him. There seem to be 1000s of tweeters still bragging about their twitterank out there…
