Wednesday, January 25, 2006

Don't buy anything with a phishy smell

Summary: Basic internet security hygiene says that if you get email asking you to provide or change personal information, it's almost certainly from a criminal who's trying to steal something from you.

According to Wikipedia, phishing is

In computing, phishing is a form of social engineering, characterised by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

See the entire entry on Phishing here
---

When emails about the latest round of site hacking first circulated it seemed both odd and ominous when people mentioned having just changed their passwords. It sounded like maybe there was a security breach at Blogger/BlogSpot. That would have been a very big deal, since Blogger is owned by Google and they're generally pretty security savvy, even if they're a little laissez-faire about what happens to the services they provide.

Instead it sounds like one or more individuals have figured out a new phishing scheme. That explains why people were saying "right after I changed my password..." He's been using a social-engineering/phishing exploit: he sends you email claiming to be from this or that company, saying you need to update some kind of personal information. As a "courtesy" the message contains a link.

Instead of taking you to the company's site, however, the provided link actually goes to a page on the hacker's website that's mocked up to look like the company's site. You dutifully type in your name and password, and maybe your credit card numbers, address, social security info and mother's maiden name, and then he's got it all to do whatever he wants with.

It’s very, very common to get these from identity thieves, who typically imitate eBay, Amazon, your ISP, or your bank or stock broker. This is just a new twist.

I'm not surprised this has turned out to be a pornography link-pumping scam. Unlike censorious types (who tend to be less subtle and more public), these people are in it for the money. Sometimes lots of money. This guy was hijacking blogs to make money. Targeting your traffic to make money. Depending on your good name to make money.

Doh!

The good news? It sounds like he wasn't hacking people's passwords directly, probably not even trying to guess them. Instead he used a very old-fashioned way that seems to work fabulously well: he puts on a policeman's uniform and asks us politely "for your own security, sir or ma'am," and we tend to comply reflexively.

Key defense: If someone claiming to represent a vendor asks, via email or phone, for personal information such as account details and especially passwords, don't provide it. If there are links in the email, don't click them. If they provide phone numbers, don't call them.

Instead go to the phone book or to Google. Look up the company’s official phone number or website and navigate to the appropriate departments and/or web pages that way.

Phishing has become such a problem that very few, if any, institutions request information via email any more. They haven't asked for information over the phone for several decades. Chances are extremely high, therefore, that any message soliciting personal information comes from criminals who are trying to steal something from you. Just don't go there.
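Worked example, added here and not part of the original post: a small Python check for the trick described above, where a link's visible text shows the company's address while its real target is the crook's look-alike host. The sample message and the list of official domains are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the first link's text shows the
# vendor's address, but its href points at an unrelated host.
SAMPLE_HTML = """<p>For your own security, please confirm your password:</p>
<a href="http://blogger-login.example/confirm">https://www.blogger.com/account</a>
<p>Or visit <a href="https://www.blogger.com/">www.blogger.com</a></p>"""

OFFICIAL_DOMAINS = {"blogger.com", "blogspot.com"}  # assumed for this example

def registered_domain(host):
    # Crude reduction to the last two labels: www.blogger.com -> blogger.com
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

class LinkCollector(HTMLParser):
    """Pairs every <a href> with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, official=OFFICIAL_DOMAINS):
    """Return (href, shown_text, reason) for each link that should not be followed."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        # Anchor text that looks like a web address, e.g. https://www.blogger.com/x
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text, re.I)
        if registered_domain(host) not in official:
            findings.append((href, text, "host %s is not an official domain" % host))
        elif shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((href, text, "shown text names a different host"))
    return findings
```

Run `suspicious_links(SAMPLE_HTML)` to see only the first link flagged; the safe route the post recommends is still to ignore emailed links entirely and type the official address yourself.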

---

The other good news, by the way, is that it's safe to change your passwords *IF* you do it via the official Blogger website. And if you've got an easy-to-guess password (security experts say an unbelievable number of people use either "sex," "golf," or "score") then it's *always* a good idea to change it to something a little tougher to guess.

3 Comments:

Blogger ArtfulDodger Had this to say...

I'm with you part of the way Fig, and I can't speak to everyone, only my own situation, but that isn't exactly how it happened. I've been aware of phishing for some time; only a few months ago a friend was the victim of an eBay scheme and lost his bank account. But the way this happened to me is a little more concerning as regards Blogger security.

I received the email only AFTER I had requested a new password. Almost immediately after. It looked official and took me to an official-looking "blogger change password" site. Somehow, the request for password change was intercepted en route.

I still believe Hotmail may have been involved somehow, since my hotmail account was also lost the same day, and was the basis of this communication. But I don't know that for a fact.

Anyway, just some subtle differences that I believe are or could be important.

I have changed my password successfully since I was hacked, without problems.

10:10 AM  
Blogger April Had this to say...

thanks for the tips...I'm really hoping this crap doesn't continue happening.

3:14 AM  
Blogger O Had this to say...

Thanks Fig--this saga gets stranger and stranger. And what Wendy says makes it extremely nerve-wracking.

An aside: 'golf'??? Wow, I'd never have guessed that. ;)

7:36 AM  
