Twitterank Phishing Scam
November 13th, 2008 · by David Bradley · 9 Comments
Are you a narcissistic Twitter user like me? If so, you may have tested out Twitterank to see how well received your tweets are. If so, you may have been the victim of a phishing expedition. This from ZDNet:
Twitterrank has no apparent purpose beyond a sketchy numerical rating, and there are rumors circulating on Twitter this afternoon that it is basically a fishing [sic] expedition.
Time to remove the Twitterank script from any website on which you are displaying it and change your Twitter password ASAP.
Other sites reporting the possibility that Twitterank is nothing more than a scam include Mashable. It's on NowPublic, and AquariumDrinker has plenty to say about it.
However, I don't think Twitterank is a genuine scam; it's a name-and-shame system aimed at exposing just how easy social engineering is, and also at shaming Twitter into releasing their API so that genuine applications of this kind can be developed properly without the security risk.
Look at the internals of Twitterank and you'll see this disclaimer:
Disclaimer: I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, "Do I really want to find out my twitterank badly enough to give some random dude on the interweb my account info?" And if that's not what you're asking yourself, shame on you.
Here's Twitterank's response to the accusations: "No, I am not a phisher. I don't even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I'm not evil, but the next guy might be."
In some sense, Twitterank preys on user vanity and the viral effect of WordSpread(TM), whether or not it's a genuine scam or simply an attempt to expose insecurity issues. Hear it as a wake-up call. You have been warned. If Twitterank isn't a scam, the next site to ask for one of your social media passwords may well be. Don't fall for it when other sites come bearing wonders and asking for passwords.
It seems quite apt that the free download of Vulnerability Management for Dummies is once again available through a Sciencebase partner site.
9 responses so far ↓
David Bradley // Nov 13, 2008 at 2:12 pm
Twitterank creator, Ryo Chijiiwa, responds to the scam accusations on ZDnet.
Kim Woodbridge // Nov 13, 2008 at 4:05 pm
Interesting. I had seen all of this except for Ryo's response on ZDnet. I think that overall people need to be more careful with their passwords and change them frequently. And if they want to test a tool like this, change their password, test the app, and then change the password again.
I was amused that this happened the same day I posted an article asking if these ranking and grading systems even mattered.
David Bradley // Nov 13, 2008 at 4:24 pm
I tried to get all this "out there" early on, as soon as I saw it this morning, but I guess a lot of people were trying to do that too. You're right, such a tool is just a bit of fun, nothing particularly relevant… just like Google toolbar PR, in fact.
Roger // Nov 13, 2008 at 5:08 pm
The commonsense approach is simply not to use sites where you can't be sure of their intent or security protocols.
It's the downside of APIs that mashup data from secure sites, I suppose.
Ari Herzog // Nov 13, 2008 at 5:20 pm
I was on the road all day, using my BlackBerry – had seen a few tweets about this service but that's the extent of my involvement.
So, I sit back and watch the rumors and responses fly back and forth.
You're right about password security and it raises the issue which can't be repeated enough: If you're not going to jump into a car with a stranger at the age of 7, don't give your passwords to strangers without checking them out.
Andy // Nov 13, 2008 at 11:36 pm
An exclusive interview with Kyo taken by me:
http://www.phishmail.de/2008/11/twitterank-das-interview/
David Bradley // Nov 14, 2008 at 7:35 am
Andy, thanks for sharing your interview with "Ryo". I'm taking it on trust that it's genuine even though you typed his name wrong. However, I don't think he really says anything more in your interview than he has elsewhere in the media. It certainly doesn't nail whether or not he's genuine… he's not going to admit in public to being a phisher of men (and women), after all.
Andy // Nov 17, 2008 at 9:53 am
Yes, you're right, I typed the name wrong, sorry… Change it to "Ryo", if you like. In the end the interview is no evidence or really new information, but I think it is worth watching. I'm based in Germany and the interview was done to inform German-only speakers as well, and I didn't want to copy other pages.
David Bradley // Nov 17, 2008 at 10:13 am
Yeah, no worries about the typo, we all do it. I think he's so much in the public eye now that it will either make or break him. There seem to be 1000s of tweeters still bragging about their twitterank out there…