3 really simple checks to avoid being phished

Ishaan sent you a message.

Subject: Hello

“www vingers(enter dot)ru”

Sharma sent you a message.

(no subject)

“tinyurl[dot]com/pofb3m/, 937824”

Raghav sent you a message.

(no subject)

“tinyurl[dot]com/pofb3m/, 974785”

Ujwal sent you a message.

Subject: ilikez.ru

“Look at this”

Rob sent you a message.

Subject: ilikez.ru

“Look at this”

If you are a reasonably well-networked Facebook user, you too must have received lots of messages like the ones above from your Facebook friends. It’s really surprising (and disturbing) how many people have fallen for these attacks. I am particularly intrigued by how many of my friends fell for them. Call me whatever you like, but falling for attacks like these shows a lack of some basic understanding of websites and security.

Here are a few pointers to keep in mind to avoid such phishing incidents:

1) Always check the target URL of a hyperlink in emails, messages, etc.
You can do this by simply hovering the mouse pointer over the hyperlink. For example, “Hey check out my new blog” might look like a genuine message from a friend, but you can (mostly) tell whether it’s real or fake by checking the target URL, which in this case is http://phishyblog.com, i.e. fake.

2) Always check the URL of the site before entering your credentials.
It’s naive to assume that a site you were pointed to from an email or message is indeed your favorite site just because it looks like it. Experience and intuition will mostly let you tell a real site from a fake one, but checking the URL before entering your credentials is still the safest way to avoid being phished.

3) Always look out for context
I know it’s the hardest one to implement, but you need to learn to be cautious about any message containing a hyperlink that has no context. As you may have noticed, none of the messages posted above have any context whatsoever, and so they should be approached with caution.
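Checks 1 and 2 can be made mechanical. The following Python script is an added example and not part of the original post: it extracts every link from a plain-text or HTML message, de-obfuscates the “[dot]” / “(enter dot)” spellings used in the messages quoted above, compares the host a link’s visible text names with the host it actually points to (check 1), flags URL shorteners that hide the destination, flags anchors carrying script handlers such as `onmouseover` (the status-bar trick raised in the comments), and reports whether the target is a host you would hand credentials to (check 2). The shortener list, the `TRUSTED_HOSTS` set and the two HTML messages are assumptions constructed for the example; the plain-text samples are reconstructed from the messages quoted at the top of the post.

```python
"""Added example, not the post's own code: mechanical versions of checks 1 and 2."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co"}   # illustrative list (assumption)
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}      # hosts you expect to log in to (assumption)

# "[dot]", "(dot)" and "(enter dot)" are spellings used to slip past link filters
DOT_WORD = re.compile(r"\s*(?:\[dot\]|\(dot\)|\(enter dot\))\s*", re.IGNORECASE)
DOT = r"(?:\.|\s*(?:\[dot\]|\(dot\)|\(enter dot\))\s*)"
URL_RE = re.compile(rf"https?://\S+|(?:www\s+)?[a-z0-9-]+(?:{DOT}[a-z0-9-]+)+(?:/\S*)?",
                    re.IGNORECASE)


def normalise(raw: str) -> str:
    """'www vingers(enter dot)ru' -> 'http://www.vingers.ru'."""
    url = DOT_WORD.sub(".", raw.strip())
    url = re.sub(r"^www\s+", "www.", url, flags=re.IGNORECASE)
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return url


def host_of(raw: str) -> str:
    """Lower-cased hostname of a raw or obfuscated URL ('' if none)."""
    return (urlparse(normalise(raw)).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """Check 2: is this exactly, or a subdomain of, a host you would log in to?"""
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_link(href: str, text: str = "", handlers=()) -> list:
    """Check 1: return the reasons a link deserves suspicion (empty list = nothing flagged)."""
    target = host_of(href)
    reasons = []
    shown = URL_RE.search(text)
    if shown and host_of(shown.group(0)) != target:      # text names one site, link goes to another
        reasons.append(f"text shows {host_of(shown.group(0))} but link goes to {target}")
    if target in SHORTENERS:
        reasons.append(f"{target} is a shortener: the real destination is hidden")
    if handlers:                                          # on* attributes can fake the status bar
        reasons.append("anchor has script handlers: " + ", ".join(sorted(handlers)))
    return reasons


class _Anchors(HTMLParser):
    """Collect (href, visible text, on* attribute names) for every <a> in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = [a.get("href") or "", "", [k for k in a if k.startswith("on")]]

    def handle_data(self, data):
        if self._cur:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur:
            self.links.append(tuple(self._cur))
            self._cur = None


def scan_message(body: str) -> list:
    """Return [(target_host, reasons)] for every link found in an HTML or plain-text message."""
    if "<a" in body.lower():
        parser = _Anchors()
        parser.feed(body)
        links = parser.links
    else:
        links = [(m.group(0), "", []) for m in URL_RE.finditer(body)]
    return [(host_of(href), check_link(href, text, handlers)) for href, text, handlers in links]


SAMPLE_MESSAGES = [
    "www vingers(enter dot)ru",                       # reconstructed from the post
    "tinyurl[dot]com/pofb3m/, 937824",                # reconstructed from the post
    "Subject: ilikez.ru\nLook at this",               # reconstructed from the post
    # constructed: friendly text, but the target is the post's example phishing host
    '<a href="http://phishyblog.com/">Hey check out my new blog</a>',
    # constructed: text claims one site, href goes elsewhere, plus a status-bar handler
    '<a href="http://login.example.net/" onmouseover="window.status=\'facebook.com\'">'
    "www.facebook.com</a>",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for host, reasons in scan_message(msg):
            verdict = "; ".join(reasons) or "nothing flagged by check 1: read the host yourself"
            print(f"{host:20} credentials OK? {str(is_trusted(host)):5} {verdict}")
```

The fourth sample is the important one: its link text gives check 1 nothing to flag, which is exactly why the post says to read the target URL rather than the message text, and `is_trusted` is the only thing standing between the reader and a credential form on phishyblog.com.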

This list could go on and on, but let’s keep it simple so that it’s easy to remember and share.

Did you get phished too? If not, what saved you?


6 thoughts on “3 really simple checks to avoid being phished”

  1. Gaurav

    Even the target URL showing up in the browser’s status bar can be faked by javascript.

    Something like onmouseover="window.status='myblog.com'"

    Any thoughts on how to get around that?

  2. Harold Cabezas

    Great blog post, Mayank. Yes, it is surprising how many people fall for this. It also does not help that, compared to MySpace or Friendster, Facebook was really good about keeping these phishing attacks out, so people got very trusting of any messages sent within the Facebook domain.

  3. mayank Post author

    @Gaurav: Firstly, thanks for sharing that piece of info with me; I didn’t know about it. Secondly, we needn’t worry about them in the current context, as neither FB messages nor email lets you use JavaScript.

    @Harold: Thanks, yes, FB has been doing well so far, but such attacks are meant to explore people more than systems.

  4. Pingback: Tax Refund Phishing Alert and 5 Tips to avoid being Phished | Conversations on Conversations
