In social-networking pool, we fall hack, line and sinker for phishers

I got a prompt recently from Twitter, the micro-blogging Web site, that said I could start receiving updates from Britney Spears' very own Twitter page.

And would you look at that: She wished me (and the rest of the world) "Happy Holidays" on Dec. 24. A week before that, it seemed like I was touring Asia with the pop star herself when she tweeted to let me know, "I love Japan! I think all the tiny cars are so cute."


At least I think it was the unsinkable Ms. Spears.

Now, I can't be so sure.


On Jan. 5, someone hacked into Twitter and added crude or strange messages to 33 high-profile accounts belonging to, among others, Spears, Barack Obama, CNN correspondent Rick Sanchez and the official feeds for Facebook, CBS News and Fox News.

The Twitter incursion happened a few weeks after someone added a weird icon resembling a jet flying into the twin towers onto Google Trends, part of the search engine giant that measures the popularity of various search terms. It was the third time Google Trends had been compromised in recent months; swastikas appeared twice last summer.

The current fighting in the Middle East has spurred other cases of "hacktivism," in which hundreds of Israeli Web sites were defaced with anti-Israeli and anti-U.S. messages.

The various incidents attracted some media attention, and most were seen as foolish pranks. But they raise the question of how much damage someone or some group could cause for a society ever more reliant on the Internet.

An 18-year-old later took responsibility for hacking into Twitter after he was implicated by other hackers. The hacker, who goes by "GMZ," told writers for the blog Threat Level that he gained entry to Twitter's control panel by running an automated password-guessing tool on the account of a woman named "Crystal," who happened to be part of Twitter's administrative staff.

He ran the tool overnight. It eventually stopped on the word "happiness," which Crystal had apparently used as a password and which enabled him to breach the system. Using a real word without numbers or symbols as a password is widely discouraged.

He told Threat Level he was surprised that the site didn't lock him out after numerous failed attempts to enter a password. He said he hadn't expected such a pivotal strike and posted a message to a forum for hackers called Digital Gangster, offering his ill-gotten discovery. GMZ apparently used a similar dictionary attack last year to crack the YouTube account of teen singer Miley Cyrus. That led to the short-lived but frantic rumor that she'd died in a car accident after a fake video memorial was posted on her account.

Some researchers during the past year have also discovered bogus profiles of celebrities on the professional networking site LinkedIn that were apparently intended to lead unsuspecting users to malicious "malware" that could steal personal information. There have also been reports of phony e-invitations to someone's Facebook page that are really traps to divert someone to spyware to track their computer keystrokes.


"We used to say the Internet was the wild, wild West. Now it's more like Prohibition Chicago in the 1920s," said David Perry, global director of education for Trend Micro, a Web security company.

One paradox, he said, is that with the rise in social-networking sites, people have become much more comfortable and proficient about putting personal information online, such as posting a family photograph that could help a hacker discover someone's "mother's maiden name" or the name of a pet or an elementary school, the types of information used to gain access to an online account.

Moreover, social networking sites require little verification that a person is who they say they are. Basketball star Shaquille O'Neal just last week launched a Twitter account called "The_Real_Shaq." A consulting firm that works with O'Neal discovered that someone else had registered as "ShaquilleONeal" on Twitter and was posing as him, The New York Times reported.

One of the fastest-spreading computer viruses a few years ago, known as the Samy worm after the hacker prosecuted for it, specifically targeted And in 2007, a computer virus called the Zlob Trojan infected the MySpace page of singer Alicia Keys and then spread to fans who visited her site, said Jaime Lyndon "Jamz" Yaneza, threat research manager for Trend Micro.

"We used to say don't go to porn sites or don't go to gambling sites, but if you add up all the Web pages and social-networking sites, they add up to 85,000 new unique threats a day," Perry said. "It's like the famous cartoon in The New Yorker of a dog who says, 'On the Internet, nobody knows you're a dog.' "