Beware of Friendly Emails from Social Media Contacts

September 5, 2013 at 4:43 am (Uncategorized)


I’m beginning to really hate Facebook these days.  Their lack of privacy protection coupled with scum of the earth who prey on others is almost enough to make me delete all social media forever. Almost. 

After getting a message telling me my account had been hacked (and knowing it hadn’t), I started investigating.  It seems a lot of people have been getting messages purporting to be from me and others in my contacts list, but the email address is different.  You can quickly check whether your account has truly been compromised by looking in your “Sent” mail to see if mail has actually gone out to others. If it has, you’re dealing with something different entirely.  Most likely, though, it is just a contacts list that was compromised through someone you know on a social media site.

So, what usually happens is something like this:

Someone has their account compromised. Their friends list is obtained. Phishers then send email to those contacts with a name from that friends list in the “From” field, and often the actual email address is hidden (or folks just don’t notice it is a totally different email address, because they see a familiar person’s name and skip right over the address).  Then the recipient clicks on the link in the brief message (which ALWAYS includes a link of some sort, be it a photo, video, or weblink). Now the unsuspecting person has likely just come in contact with spyware, malware, etc.  If they have a Mac, they are probably ok.  If they have a PC, it depends on their protection package.

The scammers generally have not accessed the account details of the folks on the list; it’s just a list of contact names, kind of like writing any name in the return address field of a letter to be mailed. I can choose any name from my address book to place in that field, then I can add any address to it as well.

Note that it often happens to those of us with friends in common.  I suspect the spambots gather webs of common friends, then use them to send email phishing scams to targets. 

This is typically what you’ll see in the resulting email:

1. Friend’s name (John Smith) in the “From” field, but with a different email address.  These are frequently from a Yahoo or Hotmail address (gencobet@yahoo.co.id).

2. Subject is usually something like “Check this out” or “For ‘your name’”.

3. Generally, the messages are very brief and always include links, saying something like “You’ve gotta see this” or “Look what I found” or (lately) “Saw this picture of you on (insert your social media site here)”.

There are a few things you can do to protect yourself.  If you don’t use a really good password manager like 1Password (https://agilebits.com/onepassword), please start now.  I can almost guarantee the safety of my accounts because I use 1Password with its random password generator.  I don’t reuse passwords, and I don’t use my spouse’s name, pet’s name, birthdays, or dictionary words for passwords…all of those things that make some folks perfect targets to have their accounts compromised.  You only have to remember your main (master) password, and the rest is automatic. It takes care of logging in to sites for you and does much more, including protecting you from phishers by making sure the website you think you are viewing is the actual site and not one pretending to be it (a popular way many folks give up their passwords is to think they are on sites such as banks, PayPal, etc. when they really are not). So not only does 1Password securely store your passwords, logins, and other information, it also acts as your first line of defense against scammers, phishers, and other unscrupulous scum of the earth.  It used to be Mac-only, but now there are versions for Windows, iOS, and Android, so virtually everyone is covered.  The versions all sync, so you always have all your information where you need it. This is one of the top three apps that I absolutely, positively could not be without.

Enable 2-factor authentication, also known as two-step verification, when possible.  This means that in addition to logging in to a site with your user name and password (first step), you will be sent a code, often by SMS on your cell phone, to verify the account (second step).  Several sites offer 2-step verification now, including Google, Facebook, Twitter, and others.  Here is a link to a Gizmodo article telling you how to enable it on your other services: http://gizmodo.com/how-to-enable-two-factor-authentication-on-all-your-acc-510245714.  I’ve been using 2-factor authentication with Facebook for a while now, and, while it can occasionally be a pain, I have gotten used to it and feel much safer knowing that it would be very difficult for someone to access my account.

If you aren’t sure about a message you receive from someone, look at the actual email address in the “From” field, not just the name shown next to it.  Make sure it is really the sender’s email address.

This should go without saying, but don’t EVER click on the links. Doing so will almost always invite trouble. It might look harmless, but the visible text of a link can be almost anything, and the address it actually goes to can be completely different. I can send you a link to a site that will install really bad juju on your PC, yet I can title it “Beautiful Sunset”.
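The two checks above (does the “From” address really belong to the person named, and does a link actually go where its text claims) can be done by a small script as well as by eye. The following is an added example, not code from the original post or from 1Password; the contact list, addresses, host names and the sample message are all constructed for illustration.

```python
"""
Added example (not from the original post): triage a suspicious message the
way the post describes. It flags a "From" header that uses a known contact's
name with an address we do not know for that contact, and it flags links
whose visible text does not name the host they really point to.
Everything below (contacts, addresses, hosts, message) is constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book: lower-cased display name -> addresses we know are real.
KNOWN_CONTACTS = {
    "john smith": {"john.smith@example.com"},
}

# Constructed sample message in the shape the post describes: a familiar
# name in From, an unfamiliar address, a very short body with one link.
SAMPLE_RAW = b"""\
From: John Smith <totally.not.john@example.net>
To: me@example.org
Subject: Check this out
Content-Type: text/html; charset="utf-8"

<p>You've gotta see this!</p>
<a href="http://malicious.example/login">Beautiful Sunset</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def check_sender(msg, contacts=KNOWN_CONTACTS):
    """Return a finding if From shows a known name with an unknown address, else None."""
    name, addr = parseaddr(str(msg["From"] or ""))
    known = contacts.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        return f"display name {name!r} is a known contact but address {addr!r} is not"
    return None


def check_links(msg):
    """Return one finding per link whose visible text does not mention its real host."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        if host and host not in text.lower():
            findings.append(f"link text {text!r} goes to host {host!r}")
    return findings


def triage(raw: bytes):
    """Parse a raw RFC 5322 message and return the list of findings (empty = nothing odd)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = check_sender(msg)
    if sender:
        findings.append(sender)
    findings.extend(check_links(msg))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW):
        print("FLAG:", line)
```

Run as-is, the script flags both the mismatched sender and the disguised link for the constructed message; a message from an address that is in the contact list, with links whose text names the real host, produces no findings. The address-book lookup is keyed on the display name precisely because that is the part the scammer copies from the friends list, while the address is the part they cannot fake without access to the real account.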

Above all, be vigilant and use common sense. It’s always ok to send someone a message to ask them if they sent you something. Replying to the message will not send it back to your ‘friend’ in most cases, because it wasn’t from them anyway. It’s best to just ignore it. Still, one of the best things you can do to protect yourself online is to make good use of 1Password. Be safe out there.
