Comments on: How I got phished

By: Anonymous

Anonymous — Wed, 30 Nov -0001 00:00:00 +0000

in many cases its not that they get you via shortened URL, a link, an attachment. they get you through lack of attention. In the haste of the day, most people, are barely attentive. Add to that the fact the email was from someone “familiar” so your attention will be even less.

By: Anonymous

Anonymous — Wed, 30 Nov -0001 00:00:00 +0000

You should follow @spam they warned of the “is this you” phishing attack months and months ago.

By: standard

standard — Wed, 30 Nov -0001 00:00:00 +0000

That’s why I only interact with Twitter via Tweetdeck. Click on a shortened URL and you get a popup showing the full address, page title, how many clicks it’s gotten, etc. THEN you decide whether to click through.

By: Lobster

Lobster — Wed, 30 Nov -0001 00:00:00 +0000

I got fished on Steam in an almost identical way and felt really bad about it. If it can happen to Cory, though, then maybe it’s not so shameful anyway.

Or maybe Cory should be horribly ashamed! ;)

Thanks for posting this.

By: Notary Sojac

Notary Sojac — Wed, 30 Nov -0001 00:00:00 +0000

This is why I don’t use any social networking sites. Want to send a message to my PC? It’s email or nothing, Bunky.

Want to send me a message on my phone (a four year old bare bones Motorola)? It’s voice or nothing. I’m that guy the president of Sprint is making the snarky comment about in the commercial.

And get off my lawn this instant!

By: sparkdale

sparkdale — Wed, 30 Nov -0001 00:00:00 +0000

I guess you could call it “phishing with dynamite.”

(Sorry.)

By: Grey Devil

Grey Devil — Wed, 30 Nov -0001 00:00:00 +0000

The shortened URLs that are so prevalent in Twitter and Facebook are exactly the sort of things that keep me from really liking the services. I’m sure there are addons, sites, or whatever that might check these shortened URLs to make sure one doesn’t fall victim to a malicious link. But honestly it starts to become a hassle in the long run.

Anyways live and learn i suppose, thanks for spreading the word on this. No one is ever really protected when online.

By: Antinous / Moderator

Antinous / Moderator — Wed, 30 Nov -0001 00:00:00 +0000

I hate to say ‘you told you so’, but… http://boingboing.net/2009/04/04/why-url-shorteners-s.html

By: Anonymous

Anonymous — Wed, 30 Nov -0001 00:00:00 +0000

May not be new info to you, but everyone should know too, I use 1Password on Mac, and there’s plenty of other apps around like it for both systems, which stores all my passwords for my computer browser OR on my iPhone (the later of which is browser based using javascript so I imagine has some compatibility with things like the Nexus One et al) and it’s saved my ass a few times as it runs off a master password. If I need to login to a page, I hit a quick key which brings up my master password prompt, I enter it in and whammy, inserts my details (or brings up a drop down if I have multiple accounts for that domain) and then logs me in. Because it runs off the domain, it doesn’t work in the event of phishing and has stopped me from logging in to 4 or 5 pages made to look identical to various sites I use eg: Twitter, Gmail etc. I can’t remember the cost of it but it’s worth it’s wait in GOLD and I insist anyone who uses a computer more than 30 mins a day use something like it.

By: funkadelic73

funkadelic73 — Wed, 30 Nov -0001 00:00:00 +0000

PWNED.

By: tzaraat

tzaraat — Wed, 30 Nov -0001 00:00:00 +0000

For me, Locusmag.com ‘s website is currently timing out with a 503 error.

You can get to the article via google’s cache thusly: http://webcache.googleusercontent.com/search?q=cache:http://www.locusmag.com/Perspectives/2010/05/cory-doctorow-persistence-pays-parasites/

By: DonBoy

DonBoy — Wed, 30 Nov -0001 00:00:00 +0000

I note that the link in comment #2 — which is only 13 months old — has someone asking sincerely “Wait, what’s ‘twitter’?”

By: watchout5

watchout5 — Wed, 30 Nov -0001 00:00:00 +0000

hey thanks for that, I was getting the same error

By: Paul Turnbull

Paul Turnbull — Wed, 30 Nov -0001 00:00:00 +0000

Funny I just watched SE2EP4 of Castle: “Fool Me Once”, tonight. The social engineered phish is the Internet grift. We can spend hours and days hardening our systems but the real cons go for the weak link: the human at the centre of the system.

I make sure all my passwords are different so that when I eventually screw up (and I will), the damage is limited. Do your best to eliminate the single point failures and the hacker will find they didn’t really get much at all.

By: theLadyfingers

theLadyfingers — Wed, 30 Nov -0001 00:00:00 +0000

If I see multiple punctuation marks I ignore immediately and send a message – not a reply – to the person to let them know they are likely the victim of a hack.

By: RebeccaCaroe

RebeccaCaroe — Wed, 30 Nov -0001 00:00:00 +0000

TheLadyFingers – that’s all very well if you don’t have real friends who use that sort of punctuation as a matter of course! LOL. Actually, I don’t. But you may do.

By: proletariat

proletariat — Wed, 30 Nov -0001 00:00:00 +0000

Who the hell uses multiple punctuation marks!?!?!?

By: Donald Petersen

Donald Petersen — Wed, 30 Nov -0001 00:00:00 +0000

Huh. And now the Google cache version is taking a suspiciously long time to load. I bailed.

Has someone somewhere taken offense at what Mr Doctorow had to say? Is there some new devilry afoot?

By: redstarr

redstarr — Wed, 30 Nov -0001 00:00:00 +0000

If you use Firefox, there are some add-ons that will show the long version of the links. I use one called “Longer URL please” and it works great. It took only a second or two to install and now I always know where I’m really going to be going when I click on something.

By: ADavies

ADavies — Wed, 30 Nov -0001 00:00:00 +0000

Funny thing is that I sent you (Cory) an email with almost the exact same subject line, “fact check – is this really you?” after someone claiming to be you posted something to my site.

Turned out it was you (thanks for posting). But I bet you get a lot of messages like this. And you’re motivated to check them out (you don’t want people spoofing your identity).

By: bat21

bat21 — Wed, 30 Nov -0001 00:00:00 +0000

Another reason why I hate Twitter.

Firefox + Greasemonkey + TinyURL Decoder = :)

By: Todd Knarr

Todd Knarr — Wed, 30 Nov -0001 00:00:00 +0000

I’m not surprised. That’s one reason I don’t trust URL shorteners at all, nor do I trust login pages unless I used one of *my* bookmarks to get there or typed the URL into the browser myself. And it’s been a long time since you could trust messages from people you know more than those from complete strangers (ever since the first viruses started scanning e-mail address books).

It’s a sad commentary on the state of things when this becomes a realistic evaluation: “The question isn’t whether I’m paranoid, it’s whether I’m paranoid enough.”.

By: Zadaz

Zadaz — Wed, 30 Nov -0001 00:00:00 +0000

Reminds me of a similar conjunction of events that ended up getting my computer infected with the one virus I ever got. For a brief time I was expecting attached spreadsheets from semi-unknown people (I had put a bid out to a number of companies) I had just changed email clients and didn’t quite know how it handled attachments, I had expected it to save attachments when clicking on them rather than opening them. And I was in a hurry. And I had my AV set to update definitions later in the day. (The update that detected that virus was 2 hours late.)

Had any one of those things not been true I never would have run the masquerading spreadsheet and got infected.

Up until then I thought it would never happen to me. Now I hope it never happens again, but 100% vigilance just isn’t possible.

By: automaton_be

automaton_be — Wed, 30 Nov -0001 00:00:00 +0000

A very nice perspective. We ‘in the know’ often look down on those simple souls who fall for scams like this.
Yet, we are all one distraction away from becoming a ‘simple soul’.
On a vaguely related note, this is also the reason why usability and accessibility are not just important for handicapped people. We’re all functionally impaired at some point or other.

By: numcrun

numcrun — Wed, 30 Nov -0001 00:00:00 +0000

Wow if you can be phished I guess pretty much anyone can. Both my hotmail and yahoo email accounts have been hijacked in the last 6 months. No-one else knows the passwords, and both computers I use are clean of viruses and spyware etc. I can only assume that the weak passwords cracked. Also I was phished by clicking a false ebay link, and was shocked at myself that I fell for it.

By: Irene Delse

Irene Delse — Wed, 30 Nov -0001 00:00:00 +0000

"Hereâ€™s the thing: I thought that phishers set their sights on a certain kind of naive person, someone who hadnâ€™t heard all the warnings, hadnâ€™t learned to be wary of their attacks." Which brings irresistibly to mind the wisdom of con-man extraordinaire Moist von Lipvig, in Terry Pratchett's Going Postal: the best way to hoodwink a smart man is to let him believe he has you figured.

By: WalterBillington

WalterBillington — Wed, 30 Nov -0001 00:00:00 +0000

Umm … caught out by a classic!

By: Anonymous

Anonymous — Wed, 30 Nov -0001 00:00:00 +0000

Great column! I strongly believe that tiered defence is a part of the answer. We are used to the user/root level on our computers. We need to extend that model to access on twitter, gmail and so on. 99% of my gmail use (answering/sending one or a few emails at a time) could be done with limited access rights. Changing filters, mass forwarding/exporting, mass emailing, changing password and so on would need root. I’d gladly pay for that as a premium service.

By: Mister Ian

Mister Ian — Wed, 30 Nov -0001 00:00:00 +0000

A similaer thing happened to me on Twitter. I logged into Twitter properly immediately and changed my password. It was a shock to be suckered so easily!

By: Anonymous

Anonymous — Wed, 30 Nov -0001 00:00:00 +0000

â€œAll complex ecosystems have parasites.â€

Socialists take note.