
How I got clickjacked

I’m an idiot.

Recently, I received a direct Twitter message from one of my closest friends late one night. It said, “did you see this picture of you lol” and included a shortened web link. Considering that my friend is a photographer who I know has photos of me, it wasn’t strange to receive this message from her. So I clicked on it. Why was this such an idiotic thing to do?

I got clickjacked. The bad guys tricked me, and I fell for it – hook, line and sinker. The message I received wasn’t from my friend; it was malicious spam, and the web link in it brought me to a fake Twitter site to steal my password. Even though I work at a security company and should know better, I still fell for it.

How did this happen?

When I clicked on the web link in the direct message from my iPad, it took me to what seemed to be the Twitter login page in a mobile browser (it wasn’t). I attempted to log in anyway (bad idea), even though I thought it was strange that the promised photo didn’t just pop up within the Twitter app browser. (I was only half paying attention to what I was doing while watching Downton Abbey – bad combination. “Matthew”, why didn’t you warn me?!)

Each time I entered my login and password, “Fake Twitter” told me my password was incorrect. I was so frustrated; I gave up and went to bed. The gravity of my mistake didn’t hit me until several hours later.

Consequences of Clickjacking

Unable to sleep, I checked my phone: 4:30am Central Time. My phone notified me that I had received a direct Twitter message from my friend in London, asking, “Was your message to me spam, or do you really have a funny picture of me?” Oh no. What have I done?

By the end of the day, I had received dozens of messages, tweets, emails and Facebook posts telling me someone hacked my Twitter account, as well as a few security industry colleagues poking fun at me for getting clickjacked. That was fun. But most were messages of concern.

By logging into the “Fake Twitter” site, I gave the bad guys my Twitter password. They were then able to log in to my real Twitter account and spam all of my followers with the same message and malicious web link, “did you see this picture of you lol,” thus perpetuating the cycle of crime. This is what I, and plenty of people in the industry, loosely call clickjacking. Strictly speaking it is credential phishing: a fake login page that harvests your password. (Clickjacking in the technical sense is the trick of laying an invisible frame over a page so that your click lands on a hidden control; here there was no hidden control, just a convincing lookalike page.) It typically shows up in social media news feeds, wall posts, and direct messages (Facebook, Twitter, Google+ to name a few), leading unsuspecting clickers to websites that steal your password and data.

The consequences can be catastrophic if you use the same password for your banking and social media accounts. Thankfully, I don’t. The cybercriminals could have logged into my bank accounts and stolen money, my identity and perhaps racked up thousands of dollars in credit card debt within a matter of hours.

In my case, the damage was minimal, except to my ego and credibility as an employee of Trend Micro. If you follow me on Twitter @smccartcaplan, my sincerest apologies. There is nothing more humiliating in my security world than succumbing to the very malicious tactics we warn you about every day. This situation just goes to show you how easy it is for anyone to get clickjacked.

What to do if you’ve been Clickjacked

– If you suspect you’ve been clickjacked, change your password immediately. Then check whether any new apps have permission to connect with your account, as they could be malicious and data stealing. (Twitter prompts you to review all apps that have permission to your account as soon as you change your password.)
– If you use the compromised password for any other critical accounts, change all of them, and do not reuse the same password.
– Send an apology tweet, post, email or call your friends and followers, begging for forgiveness. Let them know that if they fell prey to the same link, they should follow these steps as well.
– Keep an eye on your bank and credit card statements and credit report, looking for suspicious activity or charges.

How to prevent Clickjacking

Here are some tips and tricks to try to prevent clickjacking humiliation or, worse, identity theft, data loss and financial ruin:

– If it’s too good to be true, it probably is. Don’t click on it.
– Be wary of clicking links posted on your Facebook, Twitter, Pinterest and Google+ feeds, within direct messages from those same social media sites, and email messages without subject lines and just a web link.
– Re-evaluate your privacy settings on your social media sites. Consider making your Facebook profile private and unsearchable – keeping criminals at bay.
– If you use the Internet, wear a seatbelt. Install security software on your PC, Mac and smartphones with safe surfing functionality, warning you of malicious links before you click on them. Make sure your connection to these sites is secured (https://). That authenticates the site you are talking to and keeps your session from being read on the network, but it does not by itself stop malicious posts or links: a phishing page can be served over https just as easily, so the padlock alone is not proof that you are on the real site.
– Bookmark important sites you use frequently, like social media, news and banking sites, instead of relying on links from social sites, and check the address bar before you type a password.
– Proactively report or tag suspicious posts seen on social networking sites.
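The check that would have caught the fake login page above is a look at the address before typing a password: is this really the domain that owns the account, or a shortened link, a lookalike, or the brand name tucked into someone else's subdomain? The script below is an added example written for this page, not code from Trend Micro or from the original post. The allowlisted domain, the shortener list and the confusable-character table are assumptions chosen for illustration, and the registrable-domain logic takes the last two labels of the host rather than consulting the Public Suffix List, which real tooling should do.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only registrable domain that may ask for a Twitter password.
EXPECTED_DOMAIN = "twitter.com"
# Constructed subset of well-known shorteners; a shortened link hides its destination.
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
# Constructed subset of substitutions used to build look-alike hostnames (tw1tter, twltter, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o"), ("3", "e"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: production code should use the
    Public Suffix List so that suffixes such as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(text: str) -> str:
    """Map common look-alike characters to the letters they imitate."""
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return text


def check_login_url(url: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Triage a URL that presents a login form. Returns the parsed host, a verdict
    and the list of reasons not to type a password into that page."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme != "https":
        findings.append("not https: credentials would travel in clear text and the site is unauthenticated")
    if parts.username is not None:
        # https://twitter.com@evil.example/ : the text before '@' is userinfo, not the host.
        findings.append(f"userinfo trick: the real host is {host!r}, not the text before '@'")
    if host in SHORTENERS:
        findings.append("shortened link: destination is hidden until it redirects")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised domain: may use look-alike characters")

    reg = registrable_domain(host)
    if host and reg != expected and host not in SHORTENERS:
        if expected in host:
            # twitter.com.account-verify.info : the brand is a subdomain of someone else's domain.
            findings.append(f"brand in subdomain: {reg!r} controls this page, not {expected!r}")
        elif fold_confusables(reg) == fold_confusables(expected):
            findings.append(f"look-alike domain {reg!r} for {expected!r}")
        else:
            findings.append(f"unrelated domain {reg!r}")

    return {"host": host, "safe_to_login": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; none of these hosts is claimed to be a real phishing site.
    for link in [
        "https://mobile.twitter.com/login",
        "http://twitter.com/login",
        "https://t.co/abc123",
        "https://twitter.com.account-verify.info/login",
        "https://tw1tter.com/login",
        "https://twitter.com@evil.example/login",
    ]:
        result = check_login_url(link)
        verdict = "OK " if result["safe_to_login"] else "NO "
        print(verdict, link, "; ".join(result["findings"]))
```

Only the first link passes. The shortened link is flagged even though t.co itself is harmless, because the point of the check is that you cannot know where a shortened link ends up until it has already redirected you, which is exactly the situation the direct message created.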

I work for Trend Micro and the opinions expressed here are my own.
