London, England (CNN) — Twitter this week endured a number of “phishing” attacks, in which some users unwittingly gave out their passwords to malicious sites. Haven’t we all learned to keep our passwords to ourselves, you ask_?_ Perhaps. But the truth is we’re all vulnerable to social engineering, and two major Web trends are creating further confusion for new Internet users.
The anatomy of these attacks is simple: You receive a message, seemingly from a friend on a social network. The message contains a link and some strong incentive to click it — in the case of the most recent Twitter attack, the note simply asks “This You????.” When you click the link, you’re prompted to log in again to view the page.
Except that entering your details here will not log you in to Twitter. Instead, it will send your password to the attackers, permitting them access to your account. Shortly after, your friends receive the same message, which will look like it was sent out by you.
Such tricks are effective because we tend to trust private messages from friends. We’re less wary when a link appears to be from a trusted contact. Twitter users, meanwhile, are not alone in being fooled by the ploy. Identical attacks caught Facebook users off guard last year.
But two other trends make may be making us more vulnerable to phishing sites.
The first is the short URL boom.
The length limitations of SMS messages mean that Twitter updates are limited to a mere 140 characters. This restriction gave birth to the “URL shortener” craze: long links converted to a short string of letters and numbers to save space. Except that these links obscure the destination site. The casual Web user has no idea whether the short link goes to Facebook or a phishing site. Market leader bit.ly has systems in place to deactivate malicious links as soon as they’re found, but the short URL trend has trained us to unthinkingly click all manner of short links, often without knowing where they lead. Browser extensions are available to expand these links before clicking, but do we really expect the majority of Web users to go to such lengths?
A second Web trend adds further confusion. Facebook, Twitter, Google and others are pushing users to log in to third party services using their existing accounts. Facebook Connect lets you log in to thousands of sites — from the Wall Street Journal to social news site Digg — by clicking a button that passes along your profile information. Likewise, “Sign in with Twitter” buttons let you skip the sign-up process for Twitter-related applications. Google’s Friend Connect achieves much the same thing.
There’s one big difference with federated logins: You don’t have to enter your password to access a third-party site. A click of a button is all that’s required to use Facebook Connect and its ilk — but to the untrained eye, is there really much difference between a “Sign In with Twitter” button and a “Sign In with Twitter” form? Clearly there’s room for confusion.
While advanced users have learned to be wary of phishing schemes, should we really be surprised by their effectiveness?