The BBC reports that a phishing scam involving torrents has been uncovered. Their headline implies that it targets Twitter.
It doesn’t, not specifically. Twitter seems to have been responsible for revealing it.
The way it worked was really quite clever.
After “doing some digging” the firm (Twitter) found a network of compromised torrent sites that had been set up with the sole aim of stealing logon information.
“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own,” said the firm.
The sites also contained security exploits allowing the person to steal usernames and passwords.
After a while, the malware would phone home with the list of usernames and passwords. The plan relied on the tendency of persons to use the same password for multiple sites; the phisher would then try the torrent passwords on other sites, such as Facebook and Twitter.
Now, I’m not a paragon of password purity. There are certain sites for which I don’t hesitate to use the same username and password, primarily news sites that want me to log in just so they can count users. If someone gets hold of my password for the Somewhere-or-other World Journal News Picayune Tribune Herald Times, what damage are they going to do? Post nasty comments to a news story under my name?
For anything that matters, such as anything financial, Facebook, or any other site that might have actual information about me, I follow the password guidelines Jeffrey set out a while ago, I think in this podcast, though I’m not sure. (I was already doing some of the things he described, but I picked up several good ideas from his discussion that were new to me).
And I don’t keep those passwords on my computer (if a bad guy is in my office reading my password list, I have other security problems that have nothing to do with computer security.)
Full Disclosure: I’ve used torrents only to download free and open source Linux distributions and wasn’t all that happy with its performance. As my download became part of the torrent and other downloaders began attaching to it, the speed decreased drastically and what would have been a 15-minute http or ftp download became something that went on for hours.
But downloading 700-megabyte *.ISO files is not the same as downloading three-minute songs.