I woke up this morning to discover my Twitter box was filled with identical messages, all touting the same software package. Someone had worked out how to spam Twitter in a very effective way: through social engineering. Instead of hacking the system or the API, the company behind the spam had offered people a substantial discount on its software if they cut-and-pasted a message about it into their feed.
My hat is off to MacHeist for its ingenuity, but I won’t be buying its products, ever. There are two reasons for that: firstly I do not buy anything from spammers, ever, and I encourage you to follow me in this; and secondly because MacHeist only sells Mac software.
If you’re a PC user like me, you will be sick of Mac-owners telling you that their computers are safe from viruses and trojans, and yours aren’t. That may or may not be true—recent evidence suggests the latter—but what this Twitter exploit proves is that while OS X may be secure, Mac users aren’t. All it took was a modest bribe and they were happy to compromise their online identity and turn themselves into spam-vectors.
I’ve just unfollowed 5% of my Twitter list. Given that most estimates put Macintosh/OSX at just 10% of the total computer base, that means that in a 12-hour period 50% of the Mac users in my immediate circle were happy to take a bribe to tarnish their online reputation. And MacHeist didn’t pay them, it just gave them a discount on a product. Ultimately, they paid MacHeist to let them spam for it.
In other words the majority of Mac users, smug behind the perceived impermeability of their shiny machines, are clueless about internet security and best practice. In hacking, social engineering has always been the best way to break into a machine. The weakest point in most computers’ security is the user. If your computer is secure, all that means is that the chances of you becoming the target for scammers and opportunists are much higher. But if you believe your set-up is safe, that lowers your defences and increases your chances of getting pwned. You, not your machine.
Be alert. There’s a war on, and the battlefield is your silicon.
Sometimes a little-known vulnerability can be a valuable thing.