Twitter Hack Proof of Concept Released

They say Twitter is one of the wonderful innovations on the web recently (or at least in the blogging world). And so I tried it out. I registered an account over the weekend. I posted my first twit update. I followed some bloggers. No one’s following me yet 🙂. I installed the TwitterFox plugin. Set the privacy to high (Protect my updates). And then I came upon this interesting news today:

A Twitter proof of concept (POC) hack has been developed. The POC can change the Twitter status of the user (the “What are you doing?” feature) without the user knowing it. Following the developer’s blog, he introduced the readers (me included) to the concept of clickjacking (hijacking the clicks of the user with malicious intent; this is the first time I’ve heard of this). Quoting the developer’s blog:

‘Clickjacking’, if you haven’t heard of it, is a method used by malicious individuals to trick users like you into clicking something without you knowing what you’ve clicked. It’s also known as UI-redressing and only works in browsers that support frames/CSS.

The idea is simple: An iframe is positioned above what looks like a clickable button on a website. This iframe is invisible to the user (opacity:0) and so the user unknowingly clicks on the iframe, which may contain anything! This can be achieved through CSS alone; no JavaScript is required.

Ouch! This one is familiar. Iframes with zero height and zero width 🙁. They can be used by bad guys for malicious activities.

There seems to be no complete solution for this yet, but installing the NoScript Firefox plugin will help Firefox users.
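As an added example (not from the original post and not the PoC author’s code), here is a check a site owner can run over their own HTTP response headers to see whether the page can be framed at all, which is what the invisible-iframe trick above depends on. The header names, and the rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options, are assumptions about browser behaviour; the sample header sets are constructed.

```javascript
// Added example, not code from the original post or the PoC's author: given
// an HTTP response's headers, decide whether browsers may render the page in
// another site's frame, the precondition for the invisible-iframe clickjacking
// described above. Assumed rules: CSP "frame-ancestors" wins when present;
// otherwise X-Frame-Options DENY/SAMEORIGIN block cross-origin framing; with
// neither header any site may frame the page.
function headerValue(headers, name) {
  // Header names are case-insensitive; return the first match or null.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

function frameAncestorsSources(csp) {
  // Return the lower-cased source list of "frame-ancestors", or null if absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

function framingVerdict(headers) {
  const csp = headerValue(headers, 'content-security-policy');
  const sources = csp === null ? null : frameAncestorsSources(csp);
  if (sources !== null) {
    // An empty source list or 'none' matches no ancestor at all.
    if (sources.length === 0 || sources.includes("'none'")) return 'blocked';
    if (sources.every(s => s === "'self'")) return 'same-origin-only';
    return 'restricted-to-list';
  }
  const xfo = headerValue(headers, 'x-frame-options');
  if (xfo !== null) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return 'blocked';
    if (v === 'SAMEORIGIN') return 'same-origin-only';
    if (v.startsWith('ALLOW-FROM')) return 'restricted-to-list'; // legacy, patchy support
    return 'frameable'; // unrecognised value: browsers ignore the header
  }
  return 'frameable';
}

// Constructed header sets for illustration (not captured from Twitter).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWins: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
};
```

A verdict of frameable on a page that carries state-changing buttons (like a status update form) is the condition worth fixing first, since NoScript only protects the users who install it.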

If you want to know more details, you can read the developer’s blog. The site has the POC link hosted there (WARNING: Twitter kids, try at your own risk; don’t blame me for any untoward events, ok?). Clicking the button will add a new twit status “Yes, I did click the button!!! (WHAT!!??)”.

Or you can visit the DarkReading article on the Twitter hack.

So am I going to forget about Twitter? No, I think not, but I will be keeping the “Protect my updates” feature ON for now.

Hon Load Mo Ako Text Scam

I got this SMS message from +639064579932:

Send your own SMS with SMSCaster ! >hon d2 ka mag reply load mo ako 300pesos [roughly: “hon, reply to me here, load me 300 pesos”]

One look and I knew it was an SMS text scam. I asked Raven and some friends, and they had received such text messages before. Searching the internet, it seems this scam is rampant in the Philippines. The perpetrator is using different cellular phone numbers and requesting different amounts of cellphone load, ranging from 30 pesos to 300 pesos.

It uses a good social engineering technique: “Hon” is the shortened form of “Honey”, a popular term of endearment among couples in the Philippines. One possible setup scenario is that the scammer pretends to be the sweetheart who has lost his/her cellular phone, is using a different number, and then asks for prepaid phone load. The mobile phone prepaid loading business is very popular in the Philippines. Even the smallest neighborhood “sari-sari” stores have this prepaid mobile phone loading system.

Digging further into the SMSCaster keyword, I found some information about their business. The site describes their software as:

a Bulk SMS text messaging software for businesses to send marketing & advertising SMS messages to customers with mobile phones from a PC (personal computer)

I don’t know if they are a legitimate company or not, but their software is being used by scammers, that’s for sure.

To the scammer: I will make your scheme known to the whole menardconnected world. I’ll make you (in)famous! 🙂
I might even collect the numbers you use, post them here, and do more awareness posts on your shameless deeds.

To the readers of this blog: I know you are smart enough to know that this is a scam, but my advice is that you share this knowledge with others (especially your not-so-techie-friendly folks, friends, relatives and so on). If you receive a similar text scam, feel free to leave a message here. If you have a blog post discussing the experience, we can even do a link exchange if you like.

Let’s expose all scammers, ok?

Update 02.25.2009

Scammer’s Number:
Update: 2009.08.19
Another SMS Scam worth knowing:
SMS Scam: Marie Velasco