Happy April Fools to me!
Recently, I received a direct Twitter message from one of my closest friends late one night. It said, “did you see this picture of you lol” and included a shortened web link. Considering that my friend is a photographer who I know has photos of me, it wasn’t strange to receive this message from her. So I clicked on it. Why was this such an idiotic thing to do?
I got phished. The bad guys tricked me, and I fell for it – hook, line and sinker. The message I received wasn’t from my friend; it was malicious spam, and the web link in it brought me to a spoofed Twitter site to steal my password. Even though I work at a security company and should know better, I still fell for it.
How did this happen?
When I clicked on the web link in the direct message from my iPad, it took me to what seemed to be the Twitter login page in a mobile browser (it wasn’t). I attempted to log in anyway (bad idea), even though I thought it was strange that the promised photo didn’t just pop up within the Twitter app browser. (I was only half paying attention to what I was doing while watching Downton Abbey reruns. Bad combination. “Matthew”, why didn’t you warn me?!)
Each time I entered my login and password, “Fake Twitter” told me my password was incorrect. I was so frustrated that I gave up and went to bed. The gravity of my mistake didn’t hit me until several hours later.
Consequences of Being Phished
Unable to sleep, I checked my phone: 4:30am Central Time. My phone notified me I received a direct Twitter message from my friend in London, asking, “Was your message to me spam, or do you really have a funny picture of me?” Oh no. What have I done?
By the end of the day, I had received dozens of messages, tweets, emails and Facebook posts telling me someone hacked my Twitter account, as well as a few security industry colleagues poking fun at me for getting phished and spoofed. That was fun. But most were messages of concern.
By logging in to the “Fake Twitter” site, I gave the bad guys my Twitter password. The “incorrect password” message was not a real check: a spoofed login page has no way to verify anything, it simply records whatever is typed, and every retry hands over another candidate password. They were then able to log in to my real Twitter account and spam all of my followers with the same message and malicious web link, “did you see this picture of you lol,” thus perpetuating the cycle of crime. This is called phishing (the message with the original link, luring you to enter your credentials) and spoofing (the fake website that imitates the real one). Phishing typically shows up in emails, social media news feeds, wall posts, and direct messages (Facebook, Twitter, Google+ to name a few), leading unsuspecting clickers to spoofed websites that steal your password and data.
The consequences can be catastrophic if you use the same password for your banking and social media accounts, because a password stolen from one site can simply be replayed against every other site where it works. Thankfully, I don’t. The cybercriminals could have logged in to my bank accounts and stolen money, stolen my identity, and perhaps racked up thousands of dollars in credit card debt within a matter of hours.
In my case, the damage was minimal, except to my ego and credibility as an employee of Trend Micro. If you follow me on Twitter @smccartcaplan, my sincerest apologies. There is nothing more humiliating in my security world than succumbing to the very malicious tactics we warn you about every day. This situation just goes to show you how easy it is for anyone to get phished and spoofed.
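The one check that would have stopped the whole chain above is looking at the address bar before typing a password: is this really the site I think it is? The following is an added example, not code from the original post or from Trend Micro, showing what that check looks like when written down. The allowlist of legitimate login hosts and the sample links are assumptions constructed for illustration; the point is the tricks it rejects, which are the ones spoofed login pages rely on.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts on which the real Twitter
# login page lives. Not something the original post specifies.
LEGITIMATE_LOGIN_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def login_url_looks_legitimate(url: str) -> bool:
    """Return True only if url is an HTTPS page on an allowlisted host.

    Rejects the usual spoofed-login-page tricks:
      * plain http://                       no TLS at all
      * userinfo:  https://twitter.com@evil.example/   the browser lands on evil.example
      * subdomain: https://twitter.com.evil.example/   the real host is the LAST labels
      * IDN lookalikes that the browser turns into an xn-- (punycode) label
      * an explicit port, which the real service does not use
      * upper-case or mixed-case hosts are normalised, so they still match
    """
    try:
        parts = urlsplit(url)
        port = parts.port           # raises ValueError on a garbage port like :abc
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if "@" in parts.netloc:         # userinfo present: whatever precedes @ is not the host
        return False
    hostname = parts.hostname       # lower-cased, userinfo and port already stripped
    if not hostname or port is not None:
        return False
    if any(label.startswith("xn--") for label in hostname.split(".")):
        return False                # homograph/IDN lookalike; never a match for the allowlist
    return hostname in LEGITIMATE_LOGIN_HOSTS


# Constructed sample links (not real phishing URLs) of the kinds a shortened
# link might resolve to. Only the first two should pass.
SAMPLE_URLS = [
    "https://twitter.com/login",
    "https://MOBILE.twitter.com/login",
    "http://twitter.com/login",
    "https://twitter.com@evil.example/login",
    "https://twitter.com.evil.example/login",
    "https://xn--twitter-lookalike.example/login",
    "https://twitter.com:8443/login",
    "https://twitter.com:abc/login",
]


def classify(urls):
    """Map each URL to the verdict of login_url_looks_legitimate."""
    return {u: login_url_looks_legitimate(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print(("OK      " if ok else "REJECT  ") + url)
```

The check is an exact-host allowlist on purpose: a substring or "contains twitter.com" test would pass the subdomain and userinfo cases, which is exactly how those tricks fool people. A shortened link hides the destination until you have already arrived, so this is a check to do on the page you land on, not on the link in the message.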
What to do if you’ve been Phished and Spoofed
How to prevent Phishing and Spoofing
Here are some tips and tricks to help prevent the humiliation caused by phishing and spoofing, or worse, identity theft, data loss, and financial ruin:
Tools To Help You Stay Safe
I work for Trend Micro and the opinions expressed here are my own.
Please add your thoughts in the comments below or follow me on Twitter: @smccartycaplan.
For more tips and advice regarding Internet, mobile security and more, just “Like” Trend Micro Fearless Web Internet Security on Facebook at https://www.facebook.com/Trendmicro.