Obama’s Organizing for Action leaking personal details of supporters

Yesterday I received an email fundraising pitch from Obama’s new Organizing for America:

Email from OFA

Looks safe

At the bottom of the email is a link to click on:

Looks innocent!

Nothing there to worry about, right?

But the text you see is not the actual link that is in the email.  That link is really:

Doesn't look like much

Doesn’t look like humans can read it, does it?

There’s a lot of information in that link, most of which does not appear to be human readable.  It turns out to be encoded with a very common scheme called Base64, which represents arbitrary bytes as text that is safe to put in a URL.  But Base64 is an encoding, not encryption: there is no key, anyone who holds the link (or any server log or browser history that recorded it) can reverse it, and when you decode it you see:

A little bit clearer now!

Hey, that’s me!

I’ve replaced my email address (to @secret.com) and zip code (with 99999), however if you are sufficiently energetic you can type in the base 64 text and see what it really is…

Anyone else I share that link with, when they click it, will be taken to the Organizing for Action page and shown my email address and zip code.
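To make the decoding concrete, here is an added Python example (not code from the original post, and not OFA’s own link format, which the post does not spell out). It assumes a made-up URL whose `ref` parameter carries a Base64-encoded JSON blob with an email address and ZIP code, walks every query parameter, decodes the ones that are valid Base64, and reports any that contain an email address or a five-digit ZIP. It also produces a copy of the link with the leaking parameter stripped, which is what you would actually want to paste on Twitter.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the real OFA link structure is not shown on the page, so
# this host, parameter name and payload are invented for the demo. The payload
# is a JSON blob with an email and ZIP, Base64-encoded into a query parameter,
# which is the pattern the post describes.
_SAMPLE_PAYLOAD = json.dumps({"email": "jane@secret.com", "zip": "99999", "src": "email"})
SAMPLE_URL = ("https://example.org/share?utm_source=email&ref="
              + base64.urlsafe_b64encode(_SAMPLE_PAYLOAD.encode()).decode().rstrip("="))

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ZIP_RE = re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)")
# Standard or URL-safe Base64 alphabet; sites usually strip the '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def try_b64_decode(value):
    """Decode standard or URL-safe Base64, repairing stripped padding.
    Returns the decoded text, or None if the value is not Base64 text."""
    if not B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_pii_in_url(url):
    """Check every query parameter of `url`, Base64-decoded where possible,
    and return {param: {"emails": [...], "zips": [...], "text": ...}} for any
    parameter that carries an email address or ZIP code."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = try_b64_decode(value)
        text = decoded if decoded is not None else value  # plain-text leaks count too
        emails = EMAIL_RE.findall(text)
        zips = ZIP_RE.findall(text)
        if emails or zips:
            findings[name] = {"emails": emails, "zips": zips, "text": text}
    return findings


def redact_url(url):
    """Return the URL with every PII-bearing parameter dropped, i.e. a version
    that is safe to share."""
    parts = urlsplit(url)
    leaked = find_pii_in_url(url)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True) if n not in leaked]
    return parts._replace(query="&".join(f"{n}={v}" for n, v in kept)).geturl()


if __name__ == "__main__":
    for param, hit in find_pii_in_url(SAMPLE_URL).items():
        print(f"{param}: emails={hit['emails']} zips={hit['zips']}")
    print("safe to share:", redact_url(SAMPLE_URL))
```

Run against the constructed link, the scanner reports the `ref` parameter and hands back `https://example.org/share?utm_source=email`. The same function also catches the un-encoded case the post mentions next, where the email address sits in the link in the clear.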

Other people appear to have their email address and zip codes exposed clearly in the links they’ve shared on Twitter:

Identifying information blurred by me…

It’s not a terrible security breach, and I’ve only found about 30 or so people who’ve accidentally done this in the past week.  But given that the OFA web site holds credit card information, the leaked data represents two pieces of personally identifiable information that could theoretically be used to assist in identity theft.  And if you share such links on Twitter you may find that people who oppose your views find it an opportune time to start up an email conversation you did not solicit…

Regardless of the risk, I am fairly certain (just about all of) the people involved did not intend to publicize their email addresses and home zip codes on Twitter.

DoS Twitter Spam in MSNBC’s Education Nation Student Town Hall #EdNatSTH

Well, after writing in my previous post that Twitter spam always includes URLs, I was proven almost immediately wrong during MSNBC’s Education Nation Student Town Hall hosted by Melissa Harris-Perry.  In the middle of the show, approximately 1140 tweets like these flew by:

Note: If you don’t like seeing spam in your Twitter feed, please give my free Social TV Twitter client at http://tweetwatch.tv a try! It will catch these kinds of spam tweets, so even if Twitter’s getting deluged you’ll be sheltered from them.

Mind you, that wasn’t the only spam during the show.  The “normal” spam that tries to get you to click on the spammer’s URL was omnipresent throughout the show.  But this was different: it was severely disruptive and totally pointless, and it aimed to kill the conversation on the hashtag altogether.

How was this spam done? All of these tweets were sent using the twitterfeed.com service.  It’s a tool that allows you to automate sending tweets based upon data you feed it. Virtually no non-spam tweets were sent through this service.  Interestingly, twitterfeed.com is often used in “silencing” attacks, where a huge number of critical tweets are sent to a person to try to chase them off Twitter. (See this as an example).

Why was it done? That’s hard to say.  Maybe it was a misconfiguration of a spam program that ended up with garbage messages.  If so, the person doing the configuration is horribly inept.  All their Twitter accounts were sending the same set of messages to a variety of feeds, and all of the messages are garbage:

Notice the same spam accounts hit Up with Chris Hayes (#uppers) earlier this morning.

Is this a deliberate attempt to undermine the MHP Show?  That seems not to be the case, insofar as the spam tweets seem only focused on trending topics.  When the Education Nation Student Town Hall #EdNatSTH hashtag was trending, this attack was launched.

Is this a deliberate attempt to perform a “Denial of Service” attack against trending topics (by flooding them with tweets, it basically kills the conversation)?  That seems to be the goal.  It is basically just behaving badly for the sake of behaving badly. 

Could you just block the user and report them for spam and be done with it? Not really — so many fake accounts were used that it would be like whack-a-mole with a hyperactive mole.

One thing is for sure: Twitter should shut down the twitterfeed.com service immediately until it can better control the spam its users generate.  And Twitter should shut down these spam accounts: there are 1140 fake accounts out there that have spammed hundreds of times each and are continuing to spam as of this (9/23) evening.  Why doesn’t Twitter do anything?  They can’t expect people to report each and every one of the 1140 accounts.  We’re on the cusp of a breakdown in Twitter if they don’t do something.

One more plug: If you don’t like seeing spam in your Twitter feed, please give my free Social TV Twitter client at http://tweetwatch.tv a try! It’s spam free  🙂 and ad free. It’s your best defense against these spam attacks for now.

Twitter Hashtag Spam on #nerdland (Melissa Harris-Perry Show) and What to Do About It

For an update on this topic, please also see my more recent post.

If you like to watch shows such as Up With Chris Hayes or The Melissa Harris-Perry Show and also tweet along with them, you’ve probably been plagued with spam.  Whenever a show’s hashtag starts to trend, spammers will begin to swamp the tag with messages like:

What can you do about this?

Pretending it doesn’t exist is impossible. During today’s (Saturday 9/22) MHP show, roughly 20% of all Tweets using the #nerdland hashtag were spam.  But because the #nerdland hashtag popped in and out of the trending topics list throughout the show, at #nerdland’s peak somewhere between one-third and one-half of all Tweets were spam — and started to crowd out the real tweets.

The normal Twitter spam tools are mostly useless.  You could block each user and report them for spamming.  But when you see spam messages, on average, every 20 seconds, there is no way to keep up with them.  Because the accounts are frequently different, blocking one still allows most of the other spam to show up:

(The SPAM SPAM is not part of the original tweet, but is a flag my Twitter client puts in when it detects spam tweets — see more later in this post).

Clearly, you can try to ignore the spam.  It isn’t too hard to identify spam tweets yourself:

  • Twitter spam almost always has a URL to click. In the case of today’s attack, it ultimately took you to an AOL job listing site where, presumably, the spammer gets paid if you use the site.
  • The text of the spam is usually unrelated to the show.  And often it’s not particularly grammatical.  This is because spammers use sentence generators — one popular one is called “spintext” — that produce sufficiently varied sentences to avoid immediate shutdown by Twitter’s duplicate-tweet checks.

A word of warning: you should never click the spammer’s URL.  Today’s spam was fairly innocuous, but there are moments, like just this week, when attackers find a new weakness in a browser and can infect your computer simply because you visited their web site, even if you have up-to-date anti-virus and browser software.  (By the way, there is an update to Internet Explorer just released yesterday, 9/21 — make sure you get it!).

But even if you avoid clicking on spam, you still have the annoyance of seeing it in your Twitter feed.  Until Twitter takes it upon itself to stop this, you will need a Twitter client that filters the spam for you.  And that’s where I can help you…

The above screen shot is of a Twitter client I built that detects and hides spam (normally, that is: I had it just tag spam tweets with SPAM SPAM for this article).  The client is free to use.  It does not have advertising that gets in your way.  The spam detection is evolving, but it basically looks for patterns in tweets that identify spammers with a very high probability and then prevents the client from showing them to you.  It won’t catch the first couple of spam tweets, but after a few of them it detects the pattern and kicks in.
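As an added illustration of that kind of pattern detection (this is example code, not the TweetWatch client’s actual logic, which the post does not publish), here is a small Python filter that applies the two tells above: it reduces each tweet to a “template” by stripping URLs, hashtags, mentions, numbers and punctuation, so spun variants of one spam message collapse to the same shape, and it flags a template once enough distinct accounts have posted it. It also treats a tweet with a URL sent through an automation source as spam immediately, following the later post’s observation that the flood tweets all came via twitterfeed.com. Like the client described above, it lets the first couple of copies through and kicks in once the pattern repeats. The accounts, texts, URLs and source strings in the sample stream are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")
# Hashtags, mentions, numbers and punctuation vary between spun copies; drop them.
NOISE_RE = re.compile(r"[@#]\w+|\d+|[^\w\s]")


def template_of(text):
    """Reduce a tweet to its shape: URLs and noise removed, lower-cased,
    whitespace collapsed. Spun variants of one spam message collapse together."""
    t = URL_RE.sub(" ", text)
    t = NOISE_RE.sub(" ", t)
    return " ".join(t.lower().split())


class SpamFilter:
    def __init__(self, min_accounts=3, min_repeats=3, suspicious_sources=("twitterfeed",)):
        self.min_accounts = min_accounts            # assumed thresholds
        self.min_repeats = min_repeats
        self.suspicious_sources = tuple(s.lower() for s in suspicious_sources)
        self._users = defaultdict(set)              # template -> distinct posting users
        self._count = defaultdict(int)              # template -> times seen
        self.blocked_templates = set()

    def classify(self, tweet):
        """Return 'spam' or 'ok' for one tweet, updating the running state.
        A template is blocked once >= min_accounts distinct users have posted
        it min_repeats times, or as soon as a tweet carrying a URL arrives
        from an automation source in suspicious_sources."""
        text, user = tweet["text"], tweet["user"]
        source = tweet.get("source", "").lower()
        tpl = template_of(text)
        self._users[tpl].add(user)
        self._count[tpl] += 1
        if URL_RE.search(text) and any(s in source for s in self.suspicious_sources):
            self.blocked_templates.add(tpl)
        if self._count[tpl] >= self.min_repeats and len(self._users[tpl]) >= self.min_accounts:
            self.blocked_templates.add(tpl)
        return "spam" if tpl in self.blocked_templates else "ok"


# Constructed sample stream: users, texts, URLs and sources are invented.
SAMPLE_STREAM = [
    {"user": "fan_one", "source": "web", "text": "Great point on #nerdland about risk and poverty"},
    {"user": "acct0041", "source": "web", "text": "Find a #nerdland job now! Apply here http://jobs.example/a1"},
    {"user": "acct0077", "source": "web", "text": "Find a #nerdland job now! Apply here http://jobs.example/b9"},
    {"user": "fan_two", "source": "web", "text": "Watching #nerdland, MHP is on fire today"},
    {"user": "acct0102", "source": "web", "text": "Find a #nerdland job now!! Apply here http://jobs.example/c3"},
    {"user": "acct0133", "source": "web", "text": "Find a #nerdland job now! Apply here http://jobs.example/d7"},
    {"user": "feed9001", "source": "twitterfeed", "text": "#EdNatSTH qwe rty zxc http://t.example/x"},
    {"user": "fan_one", "source": "web", "text": "Watching #nerdland, MHP is on fire today"},
]


def run(stream, **kwargs):
    """Classify a whole stream in order; returns [(user, label), ...]."""
    f = SpamFilter(**kwargs)
    return [(t["user"], f.classify(t)) for t in stream]


if __name__ == "__main__":
    for user, label in run(SAMPLE_STREAM):
        print(f"{label:4s} {user}")
```

On the sample stream the first two “job” tweets pass, the third and fourth are hidden once three different accounts have posted the same shape, the twitterfeed tweet with a URL is hidden at once, and a genuine fan repeating another fan’s line is left alone because only two accounts are involved.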

In addition to deflecting spam, the application is specially designed for tweeting along with shows like the MHP Show or Up With Chris Hayes.  I built it because I am a #nerdland fan and was frustrated with all the other ways to live tweet the show and was annoyed by spam and trolls.

Give it a try, if you like.  You can go to its web site at http://www.tweetwatch.tv/, or if you just want to launch the application to give it a whirl, you can start it here: http://apps.tweetwatch.tv/app/index.html.  It’s easy to select all the MSNBC shows, as well as all the other cable news shows:

In addition to blocking spam, there are a bunch of other things my Twitter client does to make live tweeting a show more pleasant.  It allows you to flag people as “trolls” and hide their tweets (which does not report them to Twitter, as most trolling is not really a violation of Twitter’s terms).  It allows you to hide retweets if you wish (you’ve probably already seen the original tweet).  And it highlights Twitter users who are connected with the show (e.g., @MHPShow) so it’s easy to spot their tweets in the stream.

I’ll continue to evolve the program to block spammers (as well as other improvements that are unrelated). Give it a try, and give me feedback — my focus is on making it the best possible Twitter client for following along with a show.  And if you really hate Danish Modern, I apologize for my theming: I’m also a fan of mid-century modern.

Melissa Harris-Perry, Risky Comments, and the Attack of the Misogynist Twitter Clones

On Saturday’s (9/1) Melissa Harris-Perry show, the host made an animated defense of poor people, arguing that being poor was riskier than being wealthy.  It’s not surprising that her comments got a strong response from viewers, and it’s not surprising they were almost uniformly positive in their comments on Twitter.  What is surprising, however, is that 24 hours later the tone of the comments on Twitter had changed from positive to negative.  What happened? Were these real comments by people reacting to the video? Or was Melissa the victim of an orchestrated “attack of the clones” — a large number of  identical tweets that sought to change the public’s perception of events?

Criminals Target Innocent Pinterest Users Based Upon What They Like To Pin

Pinterest has taken off like wildfire, reportedly reaching 10 million unique visitors faster than any other website.  And on the surface, Pinterest is a blissfully spam free environment.  Just lovely pictures.

(See the List of Suspicious Pinterest URLs that spam sites use for the latest)

Nonetheless, the spammers have moved into Pinterest big time.  And users are starting to notice.

The first generation of spam involves the spammer posting hundreds of items that go to a spammer’s page which offers an item for sale.  When the user clicks to order, it takes them to Amazon for purchase, and the spammer picks up an affiliate payment for bringing the buyer in.  This kind of spam has gotten a lot of attention lately.

But there’s a novel approach that targets people based upon what they pin.

Let’s say you pin a Gucci purse to your board.   You are inadvertently advertising yourself as someone who owns or aspires to own a Gucci purse.  And the criminals notice this.

All of a sudden, you pick up a follower like this:

That looks pretty innocent (although Tandy doesn’t say a lot about herself — that’s a tip off).  So you think, those star things look good, what are they?  You click on the picture and see:

Still not a lot of information.  But there’s a clue — I’ve added the red arrow pointing to the tip off that something’s amiss with the page.  The URL pinleresl.com is clearly meant to look like pinterest.com.

And so you click the image and are led to a page like this:

They want to sell you fake Guccis. This is illegal.

A page full of fake Guccis for sale.  Why? Because you like luxury purses, and this is targeted to you.

Sometimes the page leads to something that fakes not just the products, but Pinterest’s sponsorship as well:

Click on Image to Enlarge and See the Fake URL

It looks like Pinterest is sponsoring a give-away of L’oreal products — but of course it is not.  What is more likely is either that (a) it will try to pry enough personal information out of you to steal your identity or (b) it will try to convince you to install some sort of malware (I played along with one long enough to discover it wanted to install a tool bar in Google Chrome for me), or (c) all of the above.  This kind of stuff is bad news if you fall for it.

All the usual scams are out there on Pinterest — phishing, fake contests,  malware.  Everything on the Internet that is bad is just one click away.

Again, the worrying thing about this is that the spammers aren’t just passively posting catalogs of products they want to sell, as has been observed before.  They are actively looking for users who express interest in certain brands or products, and targeting them with focused content for knock-offs or phishing. You are being targeted by what you pin on Pinterest.  This makes it much more likely that you’ll fall for the scam when it is about something you’re interested in.

There are many other examples like this with fictitious Pinterest users whose pins all lead to bad things.  Probably nobody knows how much of this is going on, but it is a problem that the brand owners and Pinterest are going to have to grapple with.  The availability of spam-bots makes this sort of thing quick and easy to set up.

My wife (the active pinner of the two of us) first alerted me to this problem, and so I sat down and ran through all her followers. I discovered that 50% of her followers are spammers/phishers/pirates.  And she’s not unusual.  I looked at several of her (real) Pinterest friends and found pretty much that everybody was starting to attract a large collection of spam followers.

What’s especially pernicious is that unknowing Pinterest users are re-pinning spam.  Let’s say you see a photo on Pinterest you like.  If you don’t click through it, you don’t know where it goes.  And so when you re-pin it, all your followers will see it — and if your friends click through (maybe just because you re-pinned it?), they could be infected with a virus because of your repin.  Is it your fault? No, you’re a victim too.  But it’s insidious how this can spread from user to user like … a virus.

How do you detect these spammers? Right now, there are a couple of things I see …

  • The spammers have lots of boards, but only one pin per board:
    You might have a couple boards with one pin, but every single board with one pin?  Not real typical for a Pinterest user.  And the description of a lot of these folks is blank.  Just a name.  So if the user looks unusual — lots of boards, but about the same number of pins as boards — it’s a reason to be suspicious.
  • The URLs don’t go to a real web site, they go to a URL shortener like bit.ly or goo.gl:

    Not all of these people do this, but if you see a link shortener being used it’s a bright red flag.  There’s a fair number of link shorteners out there, but if the web site doesn’t look real to you, it’s worth thinking about.  As a note, Pinterest should disallow the use of link shorteners like this that hide what the real web site is.
  • The URL is trying to fool you by looking like a real site, but is just trying to confuse you — see the second picture in this blog post for the “pinleresl.com” example.
  • You click through and see something like this:

Google says “Stay away!”

You know that’s bad news.

  • You see some sort of spoof or phishing site like:

It looks official and real, but it’s totally fake and totally going to rip you off if you “Participate Now”.  Again, the URL is the big give-away.
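The first three tells above are mechanical enough to check automatically. Here is an added Python example (not code from the original post, and not anything Pinterest runs) that scores a follower profile against them: a high proportion of boards with at most one pin, an empty description, pins that link through a URL shortener, and pin hosts that sit within two character edits of a brand domain, which is how `pinleresl.com` reads as `pinterest.com`. The profile layout (a name, a bio, a list of boards each holding pins with a URL) is an assumption for the demo, as are the shortener list, the brand list and the thresholds; the two sample profiles are constructed.

```python
from urllib.parse import urlsplit

# Assumed lists for the demo; extend as needed.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}
BRANDS = ("pinterest.com", "amazon.com")


def host_of(url):
    """Registered-looking host of a URL, with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the brand domain `host` imitates (within 2 edits, but not the
    brand itself or one of its subdomains), else None."""
    for brand in BRANDS:
        if host == brand or host.endswith("." + brand):
            return None
        if edit_distance(host, brand) <= 2:
            return brand
    return None


def score_profile(profile):
    """Return a list of human-readable reasons the profile looks like a spam
    follower. Profile layout is assumed: {"name", "bio", "boards": [{"pins":
    [{"url": ...}, ...]}, ...]}."""
    reasons = []
    boards = profile.get("boards", [])
    if len(boards) >= 5:
        one_pin = sum(1 for b in boards if len(b.get("pins", [])) <= 1)
        if one_pin / len(boards) >= 0.8:
            reasons.append(f"{one_pin}/{len(boards)} boards have at most one pin")
    if not profile.get("bio", "").strip():
        reasons.append("empty profile description")
    hosts = {host_of(p["url"]) for b in boards for p in b.get("pins", []) if p.get("url")}
    for host in sorted(hosts):
        if host in SHORTENERS:
            reasons.append(f"pin links through URL shortener {host}")
        brand = lookalike_of(host)
        if brand:
            reasons.append(f"{host} looks like {brand}")
    return reasons


def is_suspicious(profile, threshold=2):
    """Assumed rule: two or more independent tells and the follower is suspect."""
    return len(score_profile(profile)) >= threshold


# Constructed sample profiles (names, bios and URLs are invented).
REAL_PROFILE = {
    "name": "Jane", "bio": "Knitting, coffee, vintage chairs.",
    "boards": [
        {"pins": [{"url": "https://www.etsy.com/listing/1"}, {"url": "https://www.pinterest.com/pin/1"},
                  {"url": "https://www.etsy.com/listing/2"}]},
        {"pins": [{"url": "https://www.pinterest.com/pin/2"}, {"url": "https://www.etsy.com/listing/3"}]},
    ],
}
FAKE_PROFILE = {
    "name": "Tandy", "bio": "",
    "boards": [
        {"pins": [{"url": "http://pinleresl.com/star-ring"}]},
        {"pins": [{"url": "http://bit.ly/abc123"}]},
        {"pins": [{"url": "http://pinleresl.com/purse"}]},
        {"pins": [{"url": "http://goo.gl/zz9"}]},
        {"pins": [{"url": "http://pinleresl.com/sunglasses"}]},
    ],
}

if __name__ == "__main__":
    for p in (REAL_PROFILE, FAKE_PROFILE):
        print(p["name"], is_suspicious(p), score_profile(p))
```

The real profile scores no reasons; the fake one collects five (all-one-pin boards, blank bio, two shorteners and the `pinleresl.com` lookalike). As the next paragraph says, spammers adapt to any fixed rule, so treat a checker like this as a way to rank which followers to look at, not as a verdict.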

Unfortunately, the problem with giving any specific advice is that the spammers are going to adapt quickly to any patterns we detect.  So your best protection is to be wary, know that not everything is as it seems, and if it doesn’t pass the sniff test, get out.  If I notice changes in their behavior, I’ll post updates as time goes on.  You can follow me on Twitter (socialseercom), sign up for this web site (there’s a link somewhere around here to get notifications of updates), or just check in now and then.

Caveat Pinner — and pass this along to anyone you know who uses Pinterest.

Further reading:

Globe & Mail: Social networking site Pinterest in battle against spammers

Time: Pinterest Easiest Site to Spam Says Man Making $1,000 a Day Doing It