Protect University Social Media Accounts
It is highly possible that University Twitter or Facebook accounts will be targeted by hackers at some stage. If such an account is compromised and used to send spam to hundreds or thousands of followers, our social media reputation will be significantly damaged.
This web page outlines the strategies used by hackers to try to obtain login details. Please ensure all staff who contribute to your social media presence are familiar with these. It may even be worth revisiting your processes to minimise the number of staff who know the credentials of corporate social media accounts.
If you need further information or advice, please contact the CiCS Helpdesk.
Staff and student Twitter accounts have recently been targeted in a spate of online fraud ('phishing') tweets. The scam worked in the following way:
- A hijacked account was used to send direct messages to all followers.
- These messages suggested that someone had been spreading unpleasant rumours on Twitter and provided a shortened link.
- When the link was clicked, a copy of the Twitter website was loaded and people were invited to log in.
- However, anyone who logged into the fake Twitter site had their username and password captured, and their Twitter account was then used to spread even more fraudulent direct messages.
Please make sure that all staff who contribute to your social media service understand the concept of online fraud and know never to provide usernames and passwords in response to a tweet.
A second technique used to capture the login details of corporate social media accounts is to trick people into downloading and installing a keylogger. This will record all keystrokes typed in and send them to the hacker. The keystrokes will then be studied to detect usernames and passwords.
Keyloggers are usually installed inadvertently, simply by somebody following a shortened link that has been sent to them. The link goes to a web page that automatically installs the keylogging software.
All people involved in University social media accounts should know not to click any suspicious links sent via social media. Only links sent by trusted followers in legitimate-sounding updates should be clicked.
Below are some examples of Corporate Social Media accounts that have been compromised.