How I got phished

My latest Locus column, "Persistence Pays Parasites," describes the process by which I fell prey to a phishing attack on Twitter, and how I learned (the hard way) that my threat model for this kind of attack was flawed:
Here's how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.

The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers; I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read "Is this you????" and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this:

Cory Doctorow: Persistence Pays Parasites

  1. The shortened URLs that are so prevalent in Twitter and Facebook are exactly the sort of things that keep me from really liking the services. I’m sure there are add-ons, sites, or whatever that might check these shortened URLs to make sure one doesn’t fall victim to a malicious link. But honestly it starts to become a hassle in the long run.

    Anyways, live and learn, I suppose. Thanks for spreading the word on this. No one is ever really protected when online.

  2. May not be new info to you, but everyone should know too: I use 1Password on Mac, and there are plenty of other apps around like it for both systems, which stores all my passwords for my computer browser OR on my iPhone (the latter of which is browser based using javascript, so I imagine it has some compatibility with things like the Nexus One et al), and it’s saved my ass a few times as it runs off a master password. If I need to login to a page, I hit a quick key which brings up my master password prompt, I enter it in and whammy, it inserts my details (or brings up a drop down if I have multiple accounts for that domain) and then logs me in. Because it runs off the domain, it doesn’t work in the event of phishing and has stopped me from logging in to 4 or 5 pages made to look identical to various sites I use, eg: Twitter, Gmail etc. I can’t remember the cost of it but it’s worth its weight in GOLD and I insist anyone who uses a computer more than 30 mins a day use something like it.

    1. Huh. And now the Google cache version is taking a suspiciously long time to load. I bailed.

      Has someone somewhere taken offense at what Mr Doctorow had to say? Is there some new devilry afoot?
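Comment 2 above describes the property that makes a password manager a phishing control: credentials are bound to the site they were saved for, so a look-alike page gets nothing to autofill. The following is an added illustration of that origin matching, written for this page and not code from 1Password or any other product; the vault contents and hostnames are constructed, and the matching is deliberately simplified (host equality or subdomain on a label boundary, no Public Suffix List).

```python
"""Origin-bound credential lookup: release an entry only when the page's host
is the stored host or one of its subdomains.  Constructed illustration of the
behaviour described in comment 2, not any product's real implementation."""
from urllib.parse import urlsplit

# Constructed vault: stored site host -> list of (username, password) entries.
VAULT = {
    "twitter.com": [("cory", "correct horse battery staple")],
    "mail.google.com": [("cory@example.net", "hunter2-not-really")],
}


def host_matches(page_host: str, stored_host: str) -> bool:
    """True when page_host equals stored_host or is a subdomain of it.

    Matching on the label boundary ("." + stored_host) is what defeats a
    host such as "twitter.com.login-verify.example": the stored name appears
    in it only as a leading prefix, never as the registrable suffix.
    """
    page_host = page_host.lower().rstrip(".")
    stored_host = stored_host.lower().rstrip(".")
    return page_host == stored_host or page_host.endswith("." + stored_host)


def credentials_for(page_url: str):
    """Return the entries a domain-bound manager would offer for page_url.

    An empty list is the 'nothing to fill' moment the commenter relies on:
    wrong scheme, malformed URL, typo-squat, homoglyph or look-alike host
    all produce it, because none of them compares equal to the stored host.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return []  # no autofill on plain HTTP or when no host parses out
    # urlsplit().hostname strips any user@ prefix and port, so a URL of the
    # form https://twitter.com@other.example/ is evaluated as other.example.
    return [
        entry
        for host, entries in VAULT.items()
        if host_matches(parts.hostname, host)
        for entry in entries
    ]


if __name__ == "__main__":
    for url in ("https://twitter.com/login",
                "https://mobile.twitter.com/login",
                "https://twitter.com.login-verify.example/login",
                "https://twiter.com/login",
                "http://twitter.com/login"):
        print(url, "->", credentials_for(url))
```

The check is entirely on the hostname the browser actually resolved, not on anything the page displays, which is why it keeps working when the page pixels are a perfect copy of the real login form.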

  3. Funny, I just watched SE2EP4 of Castle, “Fool Me Once”, tonight. The social-engineered phish is the Internet grift. We can spend hours and days hardening our systems, but the real cons go for the weak link: the human at the centre of the system.

    I make sure all my passwords are different so that when I eventually screw up (and I will), the damage is limited. Do your best to eliminate the single-point failures and the hacker will find they didn’t really get much at all.

  4. If I see multiple punctuation marks I ignore immediately and send a message – not a reply – to the person to let them know they are likely the victim of a hack.

  5. TheLadyFingers – that’s all very well if you don’t have real friends who use that sort of punctuation as a matter of course! LOL. Actually, I don’t. But you may do.

  6. Funny thing is that I sent you (Cory) an email with almost the exact same subject line, “fact check – is this really you?” after someone claiming to be you posted something to my site.

    Turned out it was you (thanks for posting). But I bet you get a lot of messages like this. And you’re motivated to check them out (you don’t want people spoofing your identity).

  7. I’m not surprised. That’s one reason I don’t trust URL shorteners at all, nor do I trust login pages unless I used one of *my* bookmarks to get there or typed the URL into the browser myself. And it’s been a long time since you could trust messages from people you know more than those from complete strangers (ever since the first viruses started scanning e-mail address books).

    It’s a sad commentary on the state of things when this becomes a realistic evaluation: “The question isn’t whether I’m paranoid, it’s whether I’m paranoid enough.”

  8. Reminds me of a similar conjunction of events that ended up getting my computer infected with the one virus I ever got. For a brief time I was expecting attached spreadsheets from semi-unknown people (I had put a bid out to a number of companies). I had just changed email clients and didn’t quite know how it handled attachments; I had expected it to save attachments when clicking on them rather than opening them. And I was in a hurry. And I had my AV set to update definitions later in the day. (The update that detected that virus was 2 hours late.)

    Had any one of those things not been true, I never would have run the masquerading spreadsheet and got infected.

    Up until then I thought it would never happen to me. Now I hope it never happens again, but 100% vigilance just isn’t possible.

  9. A very nice perspective. We ‘in the know’ often look down on those simple souls who fall for scams like this.
    Yet, we are all one distraction away from becoming a ‘simple soul’.
    On a vaguely related note, this is also the reason why usability and accessibility are not just important for handicapped people. We’re all functionally impaired at some point or other.

  10. Wow, if you can be phished I guess pretty much anyone can. Both my hotmail and yahoo email accounts have been hijacked in the last 6 months. No-one else knows the passwords, and both computers I use are clean of viruses and spyware etc. I can only assume that the weak passwords were cracked. Also I was phished by clicking a false ebay link, and was shocked at myself that I fell for it.

  11. Great column! I strongly believe that tiered defence is a part of the answer. We are used to the user/root level on our computers. We need to extend that model to access on twitter, gmail and so on. 99% of my gmail use (answering/sending one or a few emails at a time) could be done with limited access rights. Changing filters, mass forwarding/exporting, mass emailing, changing password and so on would need root. I’d gladly pay for that as a premium service.

  12. In many cases it’s not that they get you via a shortened URL, a link, or an attachment. They get you through lack of attention. In the haste of the day, most people are barely attentive. Add to that the fact the email was from someone “familiar”, so your attention will be even less.

  13. You should follow @spam; they warned of the “is this you” phishing attack months and months ago.

  14. That’s why I only interact with Twitter via Tweetdeck. Click on a shortened URL and you get a popup showing the full address, page title, how many clicks it’s gotten, etc. THEN you decide whether to click through.

  15. I got phished on Steam in an almost identical way and felt really bad about it. If it can happen to Cory, though, then maybe it’s not so shameful anyway.

    Or maybe Cory should be horribly ashamed! ;)

    Thanks for posting this.

  16. This is why I don’t use any social networking sites. Want to send a message to my PC? It’s email or nothing, Bunky.

    Want to send me a message on my phone (a four year old bare bones Motorola)? It’s voice or nothing. I’m that guy the president of Sprint is making the snarky comment about in the commercial.

    And get off my lawn this instant!

  17. I note that the link in comment #2 — which is only 13 months old — has someone asking sincerely “Wait, what’s ‘twitter’?”

  18. If you use Firefox, there are some add-ons that will show the long version of the links. I use one called “Longer URL please” and it works great. It took only a second or two to install and now I always know where I’m really going to be going when I click on something.

    1. I suspect that browsers will race to add that as a feature in the near future.
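Comments 14 and 18 describe the same control from two angles: resolve a shortened link to its real destination and look at that address before anything is loaded. Below is an added example of that expansion logic, written for this page and not code from Tweetdeck, the “Longer URL please” add-on or any other project. It follows the redirect chain one hop at a time without fetching the final page body, caps the hop count, and detects loops. The `FAKE_NET` table and its hostnames are constructed so the example runs offline; `live_fetch` is the real-network equivalent, a single HEAD request per hop with automatic redirect following switched off.

```python
"""Expand a shortened URL by walking its redirects, one HEAD at a time,
and report the final address and host before any page is rendered.
Added illustration of the preview behaviour described in comments 14 and 18."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: URL -> (status, Location header).
FAKE_NET = {
    "https://shrt.example/abc": (301, "https://t.example/x9"),
    "https://t.example/x9": (302, "/final"),            # relative Location
    "https://t.example/final": (200, None),
    "https://shrt.example/loop": (302, "https://shrt.example/loop"),
}


def fake_fetch(url):
    """Offline fetcher with the same (status, location) contract as live_fetch."""
    return FAKE_NET.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; urlopen raises HTTPError for 3xx instead


def live_fetch(url, timeout=5):
    """Real fetcher (needs network): one HEAD request, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow redirects from url, returning the chain visited and why it stopped."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status in REDIRECT_CODES and location:
            nxt = urljoin(chain[-1], location)  # resolves relative Locations
            if nxt in chain:
                return {"final": nxt, "chain": chain, "status": "loop"}
            chain.append(nxt)
        else:
            outcome = "resolved" if status == 200 else f"http {status}"
            return {"final": chain[-1], "chain": chain, "status": outcome}
    return {"final": chain[-1], "chain": chain, "status": "too many hops"}


def preview(url, fetch=fake_fetch):
    """What a link preview shows: final URL, its host, and how many hops it took."""
    result = expand(url, fetch)
    result["hops"] = len(result["chain"]) - 1
    result["final_host"] = urlsplit(result["final"]).hostname
    return result


if __name__ == "__main__":
    for short in ("https://shrt.example/abc", "https://shrt.example/loop"):
        p = preview(short)
        print(f"{short} -> {p['final']} ({p['final_host']}, {p['hops']} hops, {p['status']})")
```

Only the hostname in `final_host` is worth a decision; the page title a preview widget shows is supplied by the destination and can say anything it likes.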

  19. “Here’s the thing: I thought that phishers set their sights on a certain kind of naive person, someone who hadn’t heard all the warnings, hadn’t learned to be wary of their attacks.”

    Which brings irresistibly to mind the wisdom of con-man extraordinaire Moist von Lipwig, in Terry Pratchett’s Going Postal: the best way to hoodwink a smart man is to let him believe he has you figured.

  20. A similar thing happened to me on Twitter. I logged into Twitter properly immediately and changed my password. It was a shock to be suckered so easily!
