
Twitter Phishing Scam Traps Savvy Netizen


Cory Doctorow, author and BoingBoing editor, is not fresh off the boat onto the Internet. Yet it turns out that he fell for a Twitter phishing scam. Cory writes:

I just fell for a Twitter phishing scam — it took the form of a direct message from one of my contacts, with the message “This you????” and a link to a site that prompted me for my Twitter password (which, like an idiot, I entered before noticing that the URL was twitter.scammysite.com; blame it on browsing with a tiny mobile-phone screen while in line at the coffee shop). You have been warned — stay away from anything that reads “This you????” or “This you in this video????” Hell, I think that a good rule of thumb is to ignore anything that uses multiple question marks for emphasis. Even if it’s not a scam, it’s probably too dumb to read.

The message was most likely not sent by the contact himself; more likely, that contact’s account was hacked (or the contact fell for the same scam, allowing the phisher to use his account to trap others).

Doctorow is no neophyte, and this shows just how easy it is to fall for phishing scams. A moment of inattention, a bit too much multi-tasking, and you find yourself mechanically entering your password somewhere you shouldn’t.

It also explains why so many people fall for social engineering tricks like installing Trojan horses on their computers. They just get in a mindset where no red flags pop up, and they go ahead and enter the password that allows the malware to act.

Perhaps the best lesson here is that inattention, more than a lack of knowledge of the risks, is what leads to successful phishing attacks. Be forewarned: every time a password request pops up on a web site, think carefully.
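The host check that is easy to skip on a small screen can be done mechanically. The following is an added example, not part of the original post: it parses a link and compares its host with the domain the user expects, so that twitter.scammysite.com is flagged even though it starts with the brand name. The function name, `EXPECTED_DOMAIN` and all sample URLs other than the host quoted in the post are assumptions constructed for illustration.

```javascript
// Added illustration. EXPECTED_DOMAIN and classifyLoginUrl are assumed names;
// SAMPLES is constructed (the third host is the one quoted in the post).
const EXPECTED_DOMAIN = "twitter.com";

function classifyLoginUrl(rawUrl, expected = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl); // parse the URL; never substring-match the raw text
  } catch {
    return "invalid";
  }
  if (url.protocol !== "https:") return "not-https";
  // "https://twitter.com@host/" puts the brand in userinfo, not in the host.
  if (url.username !== "" || url.password !== "") return "lookalike";
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Genuine: the expected domain itself, or a true subdomain of it.
  // The leading "." matters: "nottwitter.com" must not match.
  if (host === expected || host.endsWith("." + expected)) return "expected";
  // Brand name used as a label of some other domain.
  const brand = expected.split(".")[0];
  if (host.split(".").includes(brand)) return "lookalike";
  return "other";
}

const SAMPLES = [
  "https://twitter.com/login",
  "https://mobile.twitter.com/session",
  "https://twitter.scammysite.com/login",
  "https://twitter.com.scammysite.com/",
  "https://twitter.com@scammysite.com/",
  "https://nottwitter.com/",
];

function classifyAll(urls) {
  return urls.map((u) => [u, classifyLoginUrl(u)]);
}

for (const [u, verdict] of classifyAll(SAMPLES)) {
  console.log(verdict.padEnd(10), u);
}
```

Password managers apply the same idea: they match a saved credential against the site's parsed host and do not offer to fill it on a host that merely contains the brand name.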
