How I got phished


31 Responses to “How I got phished”

  1. Anonymous says:

    In many cases it's not that they get you via a shortened URL, a link, or an attachment; they get you through lack of attention. In the haste of the day, most people are barely attentive. Add to that the fact that the email was from someone “familiar”, so your attention will be even less.

  2. Anonymous says:

    You should follow @spam; they warned of the “is this you” phishing attack months and months ago.

  3. standard says:

    That’s why I only interact with Twitter via Tweetdeck. Click on a shortened URL and you get a popup showing the full address, page title, how many clicks it’s gotten, etc. THEN you decide whether to click through.

  4. Lobster says:

    I got phished on Steam in an almost identical way and felt really bad about it. If it can happen to Cory, though, then maybe it’s not so shameful anyway.

    Or maybe Cory should be horribly ashamed! ;)

    Thanks for posting this.

  5. Notary Sojac says:

    This is why I don’t use any social networking sites. Want to send a message to my PC? It’s email or nothing, Bunky.

    Want to send me a message on my phone (a four year old bare bones Motorola)? It’s voice or nothing. I’m that guy the president of Sprint is making the snarky comment about in the commercial.

    And get off my lawn this instant!

  6. sparkdale says:

    I guess you could call it “phishing with dynamite.”


  7. Grey Devil says:

    The shortened URLs that are so prevalent in Twitter and Facebook are exactly the sort of things that keep me from really liking the services. I’m sure there are addons, sites, or whatever that might check these shortened URLs to make sure one doesn’t fall victim to a malicious link. But honestly it starts to become a hassle in the long run.

    Anyway, live and learn, I suppose. Thanks for spreading the word on this. No one is ever really protected when online.

  8. Antinous / Moderator says:

    I hate to say ‘I told you so’, but…

  9. Anonymous says:

    May not be new info to you, but everyone should know too: I use 1Password on Mac, and there are plenty of other apps around like it for both systems, which stores all my passwords for my computer browser OR on my iPhone (the latter of which is browser based using JavaScript, so I imagine it has some compatibility with things like the Nexus One et al), and it’s saved my ass a few times as it runs off a master password. If I need to log in to a page, I hit a quick key which brings up my master password prompt, I enter it in and whammy, it inserts my details (or brings up a drop-down if I have multiple accounts for that domain) and then logs me in. Because it runs off the domain, it doesn’t work in the event of phishing and has stopped me from logging in to 4 or 5 pages made to look identical to various sites I use, e.g. Twitter, Gmail etc. I can’t remember the cost of it but it’s worth its weight in GOLD and I insist anyone who uses a computer more than 30 mins a day use something like it.
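    As an added illustration of the domain-bound behaviour described in this comment (example code, not the commenter's or 1Password's own), the lookup below only offers a saved login when the page's hostname is the stored domain or one of its subdomains, so a lookalike host or a URL with the real site name in its userinfo or query string gets nothing. The vault contents are constructed sample values.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the domain they were saved for.
VAULT: Dict[str, List[Tuple[str, str]]] = {
    "twitter.com": [("cory", "hunter2"), ("cory_work", "correct-horse")],
    "mail.google.com": [("cory@gmail.example", "p4ssw0rd")],
}


def host_of(url: str) -> Optional[str]:
    """Return the normalised hostname of an http(s) URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # urlsplit already lowercases; also drop a trailing dot (FQDN form).
    return parts.hostname.rstrip(".")


def host_matches(host: str, stored: str) -> bool:
    """True only for the stored domain itself or a real subdomain of it.

    A plain suffix test would accept 'eviltwitter.com'; requiring the dot
    boundary rejects that, and 'twitter.com.evil.example' never ends with
    '.twitter.com' at all, so it is rejected too."""
    return host == stored or host.endswith("." + stored)


def credentials_for(url: str) -> List[Tuple[str, str]]:
    """Credentials to offer for the page at url; [] when no stored domain matches.

    Because the decision is made on the parsed hostname, a phishing page that
    merely looks like the real site (or embeds its name elsewhere in the URL)
    is never filled, which is exactly why the manager 'doesn't work' there."""
    host = host_of(url)
    if host is None:
        return []
    offered: List[Tuple[str, str]] = []
    for stored, creds in VAULT.items():
        if host_matches(host, stored):
            offered.extend(creds)   # several accounts -> caller shows a drop-down
    return offered
```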

  10. funkadelic73 says:


  11. tzaraat says:

    For me, ‘s website is currently timing out with a 503 error.

    You can get to the article via google’s cache thusly:

    • watchout5 says:

      hey thanks for that, I was getting the same error

    • Donald Petersen says:

      Huh. And now the Google cache version is taking a suspiciously long time to load. I bailed.

      Has someone somewhere taken offense at what Mr Doctorow had to say? Is there some new devilry afoot?

  12. DonBoy says:

    I note that the link in comment #2 — which is only 13 months old — has someone asking sincerely “Wait, what’s ‘twitter’?”

  13. Paul Turnbull says:

    Funny, I just watched SE2EP4 of Castle, “Fool Me Once”, tonight. The socially engineered phish is the Internet grift. We can spend hours and days hardening our systems, but the real cons go for the weak link: the human at the centre of the system.

    I make sure all my passwords are different so that when I eventually screw up (and I will), the damage is limited. Do your best to eliminate the single points of failure and the hacker will find they didn’t really get much at all.

  14. theLadyfingers says:

    If I see multiple punctuation marks I ignore immediately and send a message – not a reply – to the person to let them know they are likely the victim of a hack.

  15. RebeccaCaroe says:

    TheLadyFingers – that’s all very well if you don’t have real friends who use that sort of punctuation as a matter of course! LOL. Actually, I don’t. But you may do.

  16. redstarr says:

    If you use Firefox, there are some add-ons that will show the long version of the links. I use one called “Longer URL please” and it works great. It took only a second or two to install and now I always know where I’m really going to be going when I click on something.

  17. ADavies says:

    Funny thing is that I sent you (Cory) an email with almost the exact same subject line, “fact check – is this really you?” after someone claiming to be you posted something to my site.

    Turned out it was you (thanks for posting). But I bet you get a lot of messages like this. And you’re motivated to check them out (you don’t want people spoofing your identity).

  18. bat21 says:

    Another reason why I hate Twitter.

    Firefox + Greasemonkey + TinyURL Decoder = :)

  19. Todd Knarr says:

    I’m not surprised. That’s one reason I don’t trust URL shorteners at all, nor do I trust login pages unless I used one of *my* bookmarks to get there or typed the URL into the browser myself. And it’s been a long time since you could trust messages from people you know more than those from complete strangers (ever since the first viruses started scanning e-mail address books).

    It’s a sad commentary on the state of things when this becomes a realistic evaluation: “The question isn’t whether I’m paranoid, it’s whether I’m paranoid enough.”

  20. Zadaz says:

    Reminds me of a similar conjunction of events that ended up getting my computer infected with the one virus I ever got. For a brief time I was expecting attached spreadsheets from semi-unknown people (I had put a bid out to a number of companies). I had just changed email clients and didn’t quite know how it handled attachments; I had expected it to save attachments when clicking on them rather than opening them. And I was in a hurry. And I had my AV set to update definitions later in the day. (The update that detected that virus was 2 hours late.)

    Had any one of those things not been true, I never would have run the masquerading spreadsheet and got infected.

    Up until then I thought it would never happen to me. Now I hope it never happens again, but 100% vigilance just isn’t possible.

  21. automaton_be says:

    A very nice perspective. We ‘in the know’ often look down on those simple souls who fall for scams like this.
    Yet, we are all one distraction away from becoming a ‘simple soul’.
    On a vaguely related note, this is also the reason why usability and accessibility are not just important for handicapped people. We’re all functionally impaired at some point or other.

  22. numcrun says:

    Wow, if you can be phished I guess pretty much anyone can. Both my Hotmail and Yahoo email accounts have been hijacked in the last 6 months. No one else knows the passwords, and both computers I use are clean of viruses and spyware etc. I can only assume that the weak passwords were cracked. Also I was phished by clicking a false eBay link, and was shocked at myself that I fell for it.

  23. Irene Delse says:

    “Here’s the thing: I thought that phishers set their sights on a certain kind of naive person, someone who hadn’t heard all the warnings, hadn’t learned to be wary of their attacks.”

    Which brings irresistibly to mind the wisdom of con-man extraordinaire Moist von Lipwig, in Terry Pratchett’s Going Postal: the best way to hoodwink a smart man is to let him believe he has you figured.

  24. WalterBillington says:

    Umm … caught out by a classic!

  25. Anonymous says:

    Great column! I strongly believe that tiered defence is a part of the answer. We are used to the user/root level on our computers. We need to extend that model to access on twitter, gmail and so on. 99% of my gmail use (answering/sending one or a few emails at a time) could be done with limited access rights. Changing filters, mass forwarding/exporting, mass emailing, changing password and so on would need root. I’d gladly pay for that as a premium service.

  26. Mister Ian says:

    A similar thing happened to me on Twitter. I logged into Twitter properly immediately and changed my password. It was a shock to be suckered so easily!

  27. Anonymous says:

    “All complex ecosystems have parasites.”

    Socialists take note.
