Posted by: Robert Westervelt
Password management, Phishing, Twitter flaws
Attacker steals torrent site account passwords and attempts to access Twitter, other social networks.
If you signed up for an account on a torrent forum or website and use the same or similar passwords for other accounts, change your passwords now. A savvy attacker has been skimming passwords from the users of a number of torrent sharing sites he created, then using those credentials to try to break into Twitter and other third-party sites.
Torrent sites were made popular by people who wanted to share music files in the early 2000s. The BitTorrent protocol lets users "seed" files and exchange small pieces of large files with one another rather than downloading from a single server. In the early days it was difficult for a non-technical user to tweak network settings and load a torrent file, but a new set of client programs has automated that process. Today torrent files are widely used to share popular movies and television shows, though the legality of this is in question.
Twitter said it detected anomalies in several Twitter accounts that showed a sudden surge in follower activity. Further investigation led to the discovery of the phishing scheme. As a precaution, Twitter temporarily suspended the accounts following the suspicious accounts until their owners reset their credentials.
In a post on the Twitter Status Blog, Del Harvey, Twitter's director of trust and safety, said the hacker is suspected of building a number of torrent sharing forums and torrent websites that require users to sign up for an account. The sites were sold to other people, but they were riddled with holes: malicious code and backdoors that let the hacker skim the account credentials of every user who signed up on a site he had built.
This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information.
Harvey warned users to change their passwords if they had ever signed up for a torrent forum or torrent site:
Torrent sites aren’t exactly ‘new’; however, this is one of the first times that we’ve seen an attack that came from this vector. … We felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account.
The scary part of all this is that the hacker appears to have been running the scheme for "a number of years," according to Harvey. So if you think you may have signed up for a torrent site years ago, go back and change those passwords now, and any other account that shared them.
Another ongoing issue is that people use the same email address and password on multiple sites, Harvey said. Security experts have long warned against doing this: once one site leaks the pair, an attacker can simply replay it against every other service. A number of password management programs are available, including some smartphone applications, that generate a strong, unique password for each site and store it in an encrypted vault. While switching may seem like a hassle, using one removes the single point of failure that this attack exploited.
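Credential reuse is what turns a breach of an unrelated torrent forum into a Twitter account takeover. The following Python example is added here for illustration and is not code from this article, from Twitter, or from any of the sites mentioned. It simulates both sides of that step: the attacker replaying each skimmed email/password pair against a second service, and, equally, the check a defender can run against its own salted, hashed password store when a third-party dump surfaces, to find the accounts that must be force-reset. The forum dump, the account list and the PBKDF2 parameters are constructed assumptions, not real data.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed hardening on the second service (the "Twitter" side in the article):
# passwords are stored only as salt + PBKDF2-HMAC-SHA256, never in plaintext.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so verification timing leaks nothing about the digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_user_store(accounts: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate the social network's account table, keyed by normalized e-mail."""
    return {email.strip().lower(): hash_password(pw) for email, pw in accounts}


def parse_breach_dump(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines, the form a skimmed signup table usually leaks in."""
    creds: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, _, password = line.partition(":")  # passwords may themselves contain ':'
        if email and password:
            creds.append((email.strip().lower(), password))
    return creds


def find_reused_credentials(
    breach: Iterable[Tuple[str, str]], store: Dict[str, Tuple[bytes, bytes]]
) -> List[str]:
    """E-mails whose leaked password also unlocks the account on the second service.

    This is exactly the attacker's credential-stuffing check; run by the defender
    it yields the list of accounts to lock and force through a password reset.
    """
    reused: List[str] = []
    for email, leaked_pw in breach:
        record = store.get(email)
        if record is None:
            continue  # no account here under that address: nothing to stuff
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            reused.append(email)
    return reused


# Constructed sample data for the example; these are not real users or real leaks.
TORRENT_FORUM_DUMP = """
# skimmed at signup by the backdoored forum: email:password
alice@example.com:Tr0ub4dor&3
bob@example.com:correct horse battery staple
carol@example.com:hunter2
dave@example.com:Sw0rdf1sh!
"""

SOCIAL_NETWORK_ACCOUNTS = [
    ("Alice@Example.com", "Tr0ub4dor&3"),                    # reused password: takeover
    ("bob@example.com", "correct horse battery staple"),     # reused password: takeover
    ("carol@example.com", "a-different-unique-passphrase"),  # unique password: leak is harmless here
    ("erin@example.com", "never-signed-up-for-torrents"),    # not in the dump at all
]


def demo() -> List[str]:
    store = build_user_store(SOCIAL_NETWORK_ACCOUNTS)
    breach = parse_breach_dump(TORRENT_FORUM_DUMP.splitlines())
    return find_reused_credentials(breach, store)


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset: {email}")
```

Only the accounts that reused the forum password show up; carol's unique passphrase and dave's absence from the second service mean the leak buys the attacker nothing there. The salted PBKDF2 store also illustrates why the defender can run this check at all only when the leaked passwords are in plaintext, as they were on the backdoored forums, and why a service's own store should never be in that state.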
Popular Password Management Programs:
Here are some popular password management programs. I don't advocate any one program; this is an area to be especially careful in. Search for independent reviews to find the one that meets your needs:
Sxipper: Firefox add-on.
Roboform: Windows-based but provides online access for Mac and Linux users.
1Password: Popular Mac-based password management.
KeePass: Open source, lightweight password manager.
Aurora Password Manager: Windows-based, with an encrypted password database.
SplashID: Password manager for Apple iPhone and RIM BlackBerry.
eWallet: iPhone password manager.
Ascendo DataVault: Supports RIM BlackBerry, Apple iPhone and Windows desktops.