Would you fall for this Twitter phishing attack?


Journalist Dave Lee pointed out a disturbing new spear-phishing attack on Twitter.

The phony account looks for people who are Tweeting their dissatisfaction with Lloyds Bank - one of the largest and oldest banks in the UK - and sends them messages urging them to log in to a fraudulent site.

bank fraud-fs8

The tweets have some realistic touches - such as ending with "^LY" to signal the initials of who is using the account. As you can see, in some cases, customers interact with the account believing it to be legitimate.

Anyone clicking on that link would find themselves at a (thankfully) somewhat unconvincing login page.

Lloyds fake-fs8

But how easy is it for the average Twitter user to tell that the account tweeting them is illegitimate? After all, we're all used to brands tweeting us when we have problems. Let's take a look at the real account and fake account.

LloydsBank_Help-fs8

AskLloydsBank-fs8

Both use the same logo, header image, and account description / links. Only one has the blue "verified" tick. The fake one only has a single follower and barely any tweets. All these are only visible is the user chooses to visit the account's page.

So, how many people did fall for this? When I looked, 19 people had clicked through on the Bit.ly link before the site was marked as suspicious.

Bitly Stats-fs8

What can be done about this? Users bear some responsibility for checking the links they click, but there are some lessons for both Twitter and Lloyds here.

Lloyds need to:

  • Stop using bit.ly links in their description. It just trains users not to expect to see a normal URL.
  • In fact, all their links should be direct. Using link shortners like this may be good for tracking metrics, but it's not good for customers.
  • Regain control of @LloydsBank - which has been suspended by Twitter. With such a proliferation of usernames already in use (@LloydsBankNews, @LloydsBank_EA, @LloydsBankBiz) customers don't really have a chance of knowing which ones are authentic.

Twitter needs to:

  • Find a way to stop people using duplicate avatars and header images. It wouldn't be a perfect solution, but would make the scammers work harder and, hopeful, reduce how accurate their fake accounts were.
  • Suspend accounts which regularly share links which are marked as dangerous.
  • Improve the t.co service to block dangerous links. At the time of writing, bitly have marked the link as suspect, and browsers are blocking it - but Twitter still allows access. What's the point of Twitter forcing people to use their shortner if Twitter won't use it to protect their users?

Remember, the next time a brand tweets you saying "Oh no! That doesn't sound good. Could you try visiting http://..." - think twice and check their account carefully.

Leave a Reply

Your email address will not be published. Required fields are marked *