Graham Cluley's blog

From anti-flappertanknibbles to zombies. Get inside the mind of a computer security expert.

Graham Cluley works for Sophos as a Senior Technology Consultant. You can read his full blog at http://www.sophos.com/blogs/gc or visit his personal website at http://www.grahamcluley.com.

In a previous life he used to write text adventure games such as "Humbug" and "Jacaranda Jim". You can follow Graham on Twitter via @gcluley.

Saturday 7 March 2009, 12:30 AM

Twitter users swamped by adult webcam spam messages

Posted by Graham Cluley

Hundreds of Twitter users have been hit by another attack, with messages being sent from compromised accounts trying to drive traffic to a pornographic website.

The messages, which say "hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com", are being spammed out as Tweets.

However, the index page of that website serves up obfuscated JavaScript that loads a variety of adult X-rated adverts.

Any Twitter users who find that they have unwittingly posted the message would be wise to change their Twitter password immediately. Furthermore, if you use that password on any other non-Twitter account then you must change those passwords too (please *don't* make it the same as your new Twitter password).

Much more information, including images of the offending messages and the adult webcam website, can be found on Graham Cluley's blog on the Sophos website.

Friday 20 February 2009, 10:50 AM

Why you shouldn't say it's your birthday on Twitter

Posted by Graham Cluley

A friend of mine yesterday announced on Twitter that he was now 34.

You can view an image of his Tweet here.

Which means he's just told the entire world his full date of birth is 19 February 1975. Congratulations to him, and also congratulations to any criminal identity thieves who might have been reading.

I've had a word with him, and he's deleted the Tweet now.. so don't bother looking for it. There are, after all, plenty of other people revealing their full date of birth each and every day on Twitter who you can go and check out.. :-(

People who carelessly Twitter could be making life easier for identity thieves.

Read more about the implications of celebrating your birthday on Twitter in a post on Graham Cluley's blog on the Sophos website.

Friday 20 February 2009, 10:44 AM

Caught on CCTV, but phishing mule escapes jail

Posted by Graham Cluley

A man who helped steal €12,000 from Irish bank accounts through a phishing email campaign has managed to avoid being sent to jail.

Dublin Circuit Criminal Court imposed a three year suspended sentence on 38-year-old Eghosa Aigbe after he was found guilty of transferring €12,000 from a woman's Bank of Ireland account without authorisation in August 2006.

When staff at the Kilkenny Bank of Ireland contacted their customer she confirmed that she had not transferred the money, but had recently responded to a bogus phishing email purporting to be from her bank, which had asked her to verify her account details.

Aigbe was identified by police from CCTV footage of him at another branch of Bank of Ireland, opening an account in the false name of Nosa Peter.

What's particularly interesting about this case is that police agreed with Aigbe's defence team that he was not aware of the phishing email, and was not its creator.

In other words, Aigbe was a money mule - used by a phishing gang to move money from a phished account into another. Although Aigbe was obviously not the brains behind the phishing operation, he did still open the account and withdraw the money.

It is increasingly common for criminal gangs to hire mules to do their dirty work for them. Mules are sometimes even fooled into believing they are working for a legitimate organisation, moving money out of one account to put it in another. Of course, there are also mules who undoubtedly realise that what they are involved in is shady to say the least..

To stay out of jail, Aigbe will have to perform 240 hours of community service.

You can learn more about the case on Graham Cluley's blog on the Sophos website.

Tuesday 17 February 2009, 4:22 PM

Twitter hackers attack Miley Cyrus with sex slurs

Posted by Graham Cluley

Last year, candid photographs of Hannah Montana star Miley Cyrus were posted on the internet after a hacker broke into her email. Now it seems she's been hacked again - but this time it's her Twitter account that has been compromised.

It appears that Miley, daughter of "Achy Breaky Heart" legend Billy Ray Cyrus, wasn't taking enough care over her password security, as someone was able to break into her Twitter account and pepper the page with a number of poorly-spelt offensive messages, such as:

"IM NOT A F**CKING ROLE MODLE I HATE LITTLE KIDS I ONLY DO HANNAH MONTANNA FOR DA $$$$$$$$"

and

"I HATE SELENA GOMEZ AND WHEN HER AND NICK WERE TOGETHER I SENT HIM PICS OF MY C**T!"

The staff at Twitter appear to have responded quickly to the defacement, and shut down Miley Cyrus's Twitter page.

It's great that Twitter took prompt action - but wouldn't it be good if Twitter did more to secure their growing millions of users? If they forced users to use more sensible passwords, for instance, that could make it harder for hackers to break in.

Of course, Miley Cyrus is far from the first celebrity to have had her Twitter updates hacked by cybercriminals. Last month we detailed how Britney Spears, Barack Obama and others had their Twitter accounts compromised after a lapse in security by Twitter staff.

Maybe the teenage singing star's Twitter activities will resume once she's learnt some basic rules of computer security. That's after she's learnt the lyrics to her latest single of course...

Learn more about this story on Graham Cluley's blog on the Sophos website.

Tuesday 17 February 2009, 4:20 PM

Fury over Facebook terms of service changes

Posted by Graham Cluley

Arguments are raging about a change Facebook has made to its terms of service (TOS).

On one side, privacy protestors who claim that the changes mean that Facebook "Can Do Anything [it wants] With Your Content. Forever."

On the other, Facebook founder Mark Zuckerberg who blogged that users should trust the company "not to share [the users'] information in a way [they] wouldn't want."

Hmm.. "trust" is all very well, but accidents can happen with data - even to a company like Facebook.

The Facebook terms of service currently say the following:

"You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof."

However, they used to also say the following (which is now missing):

"You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content."

Zuckerberg gives the example of a message sent between two Facebook users - one who has left the service, and one who has remained. He argues that the company shouldn't wipe all records of the message, because the Facebook user who hasn't jumped ship would expect to still have a record of your message. After all, that's what happens with email, right? You don't get an opportunity to erase records of old emails you sent from their recipients' inboxes (however much you might sometimes want to..)

Whoever is right or wrong in this debate, I suggest you think very carefully about what you post on Facebook, on other social networking websites, and on the internet generally. If you wouldn't shout it out through a megaphone in the middle of Piccadilly Circus don't post it on Facebook.

But it's worse than that. Stuff you post on the internet might last forever, always having the potential to haunt you. At least stuff you shout out in the middle of the city is only temporary, and will fade away and be forgotten.

Read more about this on Graham Cluley's blog on the Sophos website.
