An Architect's View

CFML, Clojure, Software Design, Frameworks and more...

An Architect's View

I think I got phished

September 15, 2006 · 12 Comments

Wow! I have been so careful and so suspicious of URLs over the years and I've really tried hard to avoid anything that doesn't look right in terms of web pages etc. Tonight I got an IM from a colleague with a link that looked interesting that lead me to a sign-in page for a service I've used for years. I signed in and was presented with another sign-in page. Uh-oh! Sure enough, looking at the first link it really didn't look right but I hadn't noticed. A frantic round of password changing and I think I'm relatively safe but it's made me even more paranoid than I was before. It's made me realize just how many online services I've signed up for and how many passwords I have out there. After years of happy online shopping, I've suddenly become very, very nervous about entering my password...
View count: 362

Tags: personal

12 responses so far ↓

  • 1 Al Davidson // Sep 15, 2006 at 2:27 AM

    After my Mum almost fell for the same thing, I got her to promise never to actually click on links in emails. Instead she always copy-and-pastes urls in to the browser. Takes an extra second or two, of course, but it's a good defence against the simple <a href="(somewhere dodgy)">click here to update your (reputable service) account</a> phish, and just the act of pasting it into the address bar and then pressing enter makes you mentally check the address you're going to, even if it's subconsciously.

    I hope your details are OK!

  • 2 Gus // Sep 15, 2006 at 2:50 AM

    Some of these phishers are very good at what they do.

    My rule of thumb is I never enter login credentials unless I've typed in a URL.

  • 3 todd // Sep 15, 2006 at 5:21 AM

    My wife once clicked on an authentic looking email from eBay and tried to log in as me - luckily she didn't have the right password, but just like you I spent the next few hours changing every password for every site that I use. It's the kick in the gut feeling that just scares the hell out of you.

  • 4 TJ Downes // Sep 15, 2006 at 6:52 AM

    Sean, don't feel too bad, it has happened to me as well. I got had with an Ebay phishing email. I was not in a good mood that day and although I reviewed the email and it looked ok, I failed to verify the link was Ebay's. I signed in and was asked to verify my SS #. I knew that was wrong, Ebay never does that. I immediately and frantically went on a password changing frenzy and fortunately did not lose my Ebay account or anything else.

    Just a good hubling experience that no matter how much you think you know or are aware of scams and other security risks ANYONE can be caught offf guard.

  • 5 Andy J // Sep 15, 2006 at 6:58 AM

    I nearly did this not long ago. I think the problem is that after a while we become accustom to looking for the URL's in emails that we forget that phising attacks can come from anywhere. I try and make a point of always checking the URL's doesnt matter how I got there nowadays.

  • 6 Sean Corfield // Sep 15, 2006 at 7:17 AM

    This was not a URL in an email and it was a genuine URL, not a fake. The trick is that it uses a known domain name (where people can create accounts) to phish for credentials for another domain name - where both domains are owned by the same company. In other words, it looks like a service promotion from the company themselves. Looking back at it, I should certainly have been more suspicious than I was but we're used to IMs coming from people we know (and trust) containing valid information.

  • 7 Rey Bango // Sep 15, 2006 at 8:05 AM

    That stinks Sean. It can happen to anyone. I get those non-stop via email and luckily my AV catches quite a number of them.

    BTW, Rob Gonda says you're a nice guy. ;o)

    Rey...

  • 8 Jacob // Sep 15, 2006 at 11:24 AM

    These phishing attempts shouldn't be as much of an issue if you keep separate passwords for everything, like you're supposed to (according to the "experts"). I have a different password for nearly every account that I have online (probably 100+ or so). This way, if any one of them ever gets broken into or phished, I'm at less of a risk.

  • 9 Sean Corfield // Sep 15, 2006 at 12:11 PM

    @Rey, don't believe Rob! :)

    @Jacob, yes, I now have a lot more variety in my choice of usernames and passwords! :)

  • 10 todd // Sep 15, 2006 at 12:36 PM

    @Jacob:

    To quote Wil Ferrel in Old School:

    "You're CRAZY MAN! I like you, but you're CRAZY"

  • 11 ErikG // Sep 15, 2006 at 11:54 PM

    I have been using the following for several years now:
    http://labs.zarate.org/passwd/

    It's a bookmarklet that generates passwords specific to each domain by encrypting the domain name with a single 'master password'.

    There are pros and cons that I wont go into, but it works for me. I like knowing that no two web sites share the same password.

    If I understand correctly, it would have generated a different password for the phishing site as well, so nothing would have ever been compromised.

  • 12 Toby Reiter // Sep 21, 2006 at 4:36 PM

    Along the same lines as Jacob, I use different passwords for each site. The way I do this is to use a common "key" for each site, and then use part of the site's name for the rest, aka, for this site, I might use the password %42corfield% if (%42 was my key), and %42adobe% for Adobe's site. You end up having to drop the punctuation on sites that don't support it (which can be a drag to remember) but, in general, this works well for me.

    By the way, this isn't at all a secure way to make passwords -- theoretically easy for a social engineering hack. But it's good enough for most everyday passwords - I use this on my bank site, which I probably shouldn't. However, IMHO, it offers a better option than a hard-to-crack password that you use on every single site.

Leave a Comment

Leave this field empty: