Unless you live under a rock (and it is a rock that blocks Wi-Fi and cell signals), you’re probably aware of the concept of “phishing attacks.” These are the phony e-mails sent for no reason other than to convince you to provide some sensitive information (like usernames and passwords) to people who shouldn’t have it. Unfortunately for those who profit from such endeavors, people are getting wise to these attacks. (Though probably not as wise as you think. In case you missed it, I posted a while back about social engineering and included a test to see how well you do at avoiding phishing attacks. Go ahead… see how you score.) This means that hackers are branching out into new and interesting ways to compromise your security.
Don’t be confused. These are not the lovable but misunderstood nerds who live in their mothers’ basements just having some fun.
That’s a Hollywood myth left over from the 1980s. This is a multi-billion-dollar business. On average, according to a study done by Kaspersky Labs, a hacker can make about $1,000 per PC. That means, if I am a hacker with a solid work ethic and it takes me four hours to crack your “secure” password (Password1), then I could make $2,000 per day or $500,000 per year. But, if I spend that same week building a sophisticated phishing attack and send it out to 1,000,000 e-mail addresses, then even a 1% success rate nets me $10,000,000. This is a sort of evil Klondike Bar test – what would you do for $10,000,000 a week? I’m sure you’re thinking to yourself… “It has to be harder than that.” Right? Well, you’re wrong.
A quick Google search on “How to create phishing page” shows over 9,000,000 results. In fact, as I was typing, Google suggested “how to create a phishing Facebook page.” A quick click on “I’m feeling lucky” and there are step-by-step instructions on how to “hack your friends” by creating a fake Facebook page. To paraphrase every toy ever produced whose manual contained the words “so easy a child can do it,” this is so easy that by following these directions, even you could do it. Seriously.
But, if you remember, I started this post out by talking about how more and more people are aware of potential phishing attacks. Rather than clicking on the link in e-mails they receive, users have wised up and point their browser to the site on their own. Thus, hackers are looking for the next big thing. (After all, we’re talking about huge paydays here.) But, what about when that link shows up in one of your social media feeds? After all, people just like me have been harping on a single lesson for years – “don’t open it if it isn’t from someone you know.” Eventually, as e-mail hacking became more sophisticated, the lesson became “don’t open it, even if you know the sender, unless you’re expecting it.” Well, don’t links in your Facebook and Twitter feeds meet both criteria? They’re from people you trust (ostensibly, otherwise you wouldn’t have friended or followed them) and you are expecting them, since that’s 90% of the point of using social media – to share and exchange information, thoughts, and, naturally, funny pictures of cats.
The truth is, however, that these social media outlets are becoming inundated with potential threats. Facebook has been suffering a rash of racy, funny, or horrific videos being advertised which are nothing more than an attempt to convince you to click on a link that takes you somewhere you shouldn’t be. (It’s the Internet equivalent of walking down a dark alley in a very bad neighborhood at midnight while yelling, “I have all this money in my pocket and no way to protect myself if someone tries to take it.”) All it takes is a single weak password somewhere in your chain of friends in order for an account to get hacked. Once they have an account, they can post whatever links they like. Do you know anyone in your circle of friends who might think that “Password1” is a good password because it is safe (it has a number *and* a capital letter in it) and it is easy to remember?
Even skipping the video links in Facebook (which can mean you miss all kinds of good stuff like, as a totally random example, funny pictures of cats), there is still a world of trouble waiting for you. In fact, the whole reason I am writing this post is because I just got spammed myself via Twitter. I logged into Twitter and noticed that I had a new “mention.” If you don’t use Twitter, basically, that means someone used my name in their post. It looked like this:
This means that Felkinsblydn2 tweeted my name (SwamiofSuccess) and posted a link. Now, I could just click on that link and see where it takes me. Or…. I could be The Swami of Success and engage my brain before clicking on a link from someone I don’t know. (In this case, it’s a little harder to be safe using the “do you know them?” test, since part of the reason for being on Twitter as a businessperson is to acquaint myself with people I don’t already know.) Fortunately, there’s an easy way to deal with this in both Twitter and Facebook. Click on the person’s feed to see what they’ve been up to. In this case, Felkins has tweeted this same link to a plethora of people. And, the only “real” posts she has aren’t real at all:
You can see the same link posted over and over to different user names. And the only post there that has any real text in it is a fake, too. You can tell by the random characters at the end of the sentence. Spammers use this technique to avoid detection by automated spam-sniffing tools (if the text is different enough, then it doesn’t appear as the same thing being sent over and over from different accounts). So, I was savvy enough to avoid getting trapped. Of course, the very next thing I did was to see where the link went. LOL As it turns out, it is one of the “You have won a prize… click here” sites equipped with enough malware to make the most stalwart of anti-virus software run and hide.
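The manual feed check described above can be scripted. The following is an added example, not something from the original post: it scores a feed on how often one link repeats, how many different users it was aimed at, and whether posts end in random-looking padding. The sample posts, handles, URL, thresholds and the vowel-ratio heuristic are all constructed assumptions.

```python
import re
from collections import Counter

URL = re.compile(r"https?://\S+")
MENTION = re.compile(r"@\w+")

def looks_random(token):
    """Heuristic (assumption): 6+ alphanumeric chars with under 25% vowels
    is treated as spammer padding rather than a real word."""
    t = token.lower()
    if len(t) < 6 or not t.isalnum():
        return False
    return sum(c in "aeiou" for c in t) / len(t) < 0.25

def normalize(text):
    """Drop mentions, links and a random trailing token so that padded
    copies of one message compare equal again."""
    words = MENTION.sub("", URL.sub("", text)).split()
    if words and looks_random(words[-1]):
        words.pop()
    return " ".join(words).lower()

def assess_feed(posts):
    """Summarise the signals a reader would look for when opening a feed."""
    links = Counter(u for p in posts for u in URL.findall(p))
    top_link, hits = links.most_common(1)[0] if links else (None, 0)
    targets = {m.lower() for p in posts if top_link and top_link in p
               for m in MENTION.findall(p)}
    padded = [p for p in posts
              if (w := URL.sub("", p).split()) and looks_random(w[-1])]
    share = hits / len(posts) if posts else 0.0
    return {
        "top_link": top_link,
        "link_share": share,               # fraction of posts carrying it
        "distinct_targets": len(targets),  # different users it was sent to
        "padded_posts": len(padded),       # posts ending in gibberish
        # Thresholds are illustrative assumptions, not tuned values.
        "suspicious": share >= 0.5 and len(targets) >= 3,
    }

# Constructed sample feed (not real accounts or links).
SPAM_FEED = [
    "@alice_example http://example.test/win",
    "@bob_example http://example.test/win",
    "@carol_example http://example.test/win",
    "@dave_example http://example.test/win",
    "I can not believe this actually worked xkqzvbtr",
]

if __name__ == "__main__":
    print(assess_feed(SPAM_FEED))
```

The `normalize` step shows why the random suffix only defeats exact-match comparison: once it is stripped, the padded copies are identical.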
My point in telling you all of this is not to scare you into hiding, but rather to get you to stop and think before you click…. especially if you happen to be on one of my social networks!