As more businesses turn to social media for marketing, customer service and other purposes, hackers are also increasingly targeting social networks to launch attacks against companies.
In many cases, those attacks involve messages with malicious links, or the use of social media to find contacts to target in social engineering scams.
And in other cases, a company’s social networking profile itself is the target, as has been seen in several recent Twitter hacks.
In fact, Twitter attacks have become so widespread that the social network is reportedly working on plans to add two-factor authentication for accounts on the site.
Many experts say two-factor authentication is always preferable to just relying on a password for security. Stealing a password or getting around defenses using dictionary attacks is fairly easy for attackers, especially since accounts are often protected using simple, easy-to-guess passwords. With two-factor authentication, a user needs two pieces of information or objects to access a system — for example, a password and a key card.
Sites such as Google and Facebook offer two-factor authentication in the form of a password and an approval code sent to a user’s cell phone. If the option is enabled, to log in from a new machine, users must enter a code that gets sent to the phone associated with their account.
Some observers have criticized Twitter for failing to offer that option. For example, Harper Reed, who was the Chief Technology Officer of Obama’s reelection campaign, says that his team repeatedly asked Twitter to enable two-factor authentication, though the social network wouldn’t budge.
What sorts of incidents may be prevented by stronger security measures? Possibly some of these, the seven worst Twitter hacks that have occurred since the site was launched:
1. Associated Press
In a recent Twitter hack — and the incident that has largely inspired the recent criticism of the social media site’s security — the official account of the Associated Press was hijacked to tweet a message reporting that the White House had been bombed and the President injured.
A Syrian group took responsibility for the hack, though that wasn’t corroborated. Whoever it was reportedly used spear phishing attacks to gain access to the account. Several AP employees who had access to the Twitter page were sent emails using competitors’ news stories as bait to get them to click on malicious links. Presumably, that resulted in key logging software being installed on the victims’ machines, or the links led to a bogus site on which the victims entered the log-in credentials.
2. The Guardian
Shortly after the AP attack, the same Syrian group took credit for compromising several Twitter accounts run by the UK news organization Guardian.
Reportedly, the same phishing attacks were also used in this round of hacks.
3. Fox News
In 2011, organizations may not have paid as much attention to Twitter as they do now, which may partially explain how Fox News’ Twitter account was hacked without anyone in the organization realizing it or taking action for several hours.
Around 2 a.m., the hackers posted six alarming messages using the news agency’s Twitter handle reporting that Barack Obama had been assassinated — and the tweets stayed on the site until noon. The hackers gained access to the account by compromising an email account associated with the Twitter profile.
4. PayPal
Sometimes a Twitter hack or other social media attack has political motivation, and other times an individual or group just wants to soil a company’s reputation.
The latter is what happened when PayPal’s UK Twitter account was hacked by an angry customer in 2011. The customer used the account to link to paypalsucks.com, a webpage complaining about PayPal’s practices and customer service.
5. Burger King
While hackers often have clear intentions when they target a Twitter account, sometimes things just get plain weird. That’s what happened in February of this year when an unknown group hacked into the official Burger King Twitter account — and changed the title and logo on the page to those of the fast food company’s main competitor, McDonald’s.
The group managed to make an announcement that McDonald’s had bought Burger King and send out several lewd tweets before the account was shut down. While it was probably clear to most, officials from McDonald’s did come out and assure the public that, no, they were not responsible for the hack.
6. Rick Sanchez
Sometimes it isn’t an official corporate Twitter account that gets hacked, but that of a high-profile member of an organization. That was the case in 2009, when someone hijacked the account of former CNN anchor Rick Sanchez and, among other things, claimed Sanchez would be missing work because of a crack cocaine binge.
Sanchez’s account, along with several others, was compromised when attackers got into Twitter’s own internal servers and stole the passwords.
7. Malware networks
Not all Twitter security incidents involve high-profile people or organizations — attackers are also turning to the social network to spread malware to anyone they can reach. In one recent example, a Twitter virus has been making the rounds in the Netherlands, letting criminals hijack users’ accounts to tweet malicious links.
The tweets contain messages in Dutch saying things like, “Beyonce falls during the Super Bowl concert, very funny!!!!” along with links. Once the link is clicked, the user’s account is taken over.
The bottom line: For various reasons, hackers are trying to find ways into organizations’ Twitter accounts — and when they’re successful they can do quite a bit of damage.
That’s why it’s important for companies to train users with access to social media profiles on how to avoid those attacks. That includes being able to recognize and avoid suspicious links, as well as choose secure passwords.