Sunday, August 26, 2012

Abundant Caution Is Never Enough : Beware of StalkTrak

My apologies to the folks who got a DM from my Twitter account for about an hour this afternoon. 

Here is how I think this happened. I have a strict password policy for myself and change it frequently. I test new tools regularly and make sure if the new tool asks for a Twitter login it is through the Twitter API and not asking me to login with username and password.

 Today I got a DM with this text "I saw that you viewed my profiler earlier :D want to know how i found out? http://bit.ly/XXXXX" ( Purposely added Xs so that link is not clicked by mistake. I ignored it as it seems sneaky anyway for a few hours. I went back to this tweet a few hours later and curious if this was a feature to check out like Linkedin's "Who viewed your profile".  I am not sure if I was on a mobile device or my personal laptop so I did not notice that the link actually goes to a phishing page.
It is always good practice to watch the address bar on your browser to make sure you are entering the link in a legitimate website and that was the simple precaution that I did not take this time. I signed in on this page thinking it was a Twitter login. ( Kicking myself now)

 If you want to see the phishing page the link is http://hri.stalktrak.com/authorize_app_1/function.api.stalktrak.html( Please be careful if you click this page) . The correct URl to look for when using a Twitter auth is "https://api.twitter.com/oauth/authenticate?oauth_token="  followed by a string of characters comprising of a token. Anyway I appreciate the fact that Twitter has a mechanism to stop the DMs when it sees a pattern or the account exceeds a daily DM limit.

I am also thankful to be warned by a few of my friends as well. I managed to get to a computer and change my Twitter password quickly . Luckily I use different passwords so I won't have to change passwords at other places. It seems like this scam has been around for some time. Here is a post from July 2011. I reported the link to the US Computer Emergency Reradiness Team phishing page.

Lesson learned that you can never be too careful and I hope this helps you be cautious as well.
Post a Comment