TECHNOLOGY Why phishing isn’t funny

Hook, line and sinker

Protecting yourself online can be a pain, but it’s so much worse when one of your accounts is compromised

Fergus Kelly

Those of you who follow @themayonews on Twitter will have noticed that there wasn’t a single tweet this week. It’s very embarrassing for an IT professional to admit, but Twitter reckons we were phished. I may have unsuspectingly signed up for a dodgy third-party Twitter tool, or, more likely, a useful tool that Twitter doesn’t like.
No big deal in itself, but ... I can’t remember what phone number I used for the account, or even if I gave Twitter a phone number - I’m very wary of giving away any information online that does not appear to be necessary. I can’t change the password or access the account. I hadn’t realised that Twitter used this information in the password reset process. We’re in a bind. And it's all down to identity theft.

So, what exactly is phishing?
Attempting to obtain sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity is commonly called phishing. Social networks, auction sites and online payment services are frequently used to lure the unsuspecting.
I assume that most people will have seen an email that appeared to come from a bank that asks you to confirm your details online. This is the most common phishing attack. When you click the link the website that you see may appear to be your bank but it’s a fake designed to steal your personal information. It may look and feel almost identical to the real site but there are usually a few clues to it’s illegitimacy.
I looked through just one of our accounts and found an email from last Thursday from "Paypal Inc.", with a subject line saying “Urgent Notice: Paypal Limited Form.” There is no PayPal account linked to the address. It says:

“We recently have determined that different computers have logged into your account, and multiple password failures were present before the login. Therefore your account has been limited.
“Please download the form attached to this email and open it in a web browser. Once opened, you will be provided with steps to restore your access. We appreciate your understanding as we work to ensure account safety.”

On the surface it looks genuine enough. But, looking more closely, the sender is cust_serv@paypalsecurity.com, not paypal.com and the form to download is called 'Paypal_Limited_From.pdf.html'. Note the mis-spelling of “Form”. The .pdf.html extension is another giveaway - this looks like a pdf but it’s not - it’s a website designed to trick you into giving your login information to someone who WILL rob you.
A further problem is that most people use the same username and password for multiple sites. Once the bad guys have your information they can easily and automatically try hundreds of sites with that username and password, leaving you open to attack anywhere.

How do I protect myself?
Trust no-one!
Don’t use the same password on all the sites you visit. Believe me, I know this is a pain – I manage usernames and passwords for 30 people on two servers and dozens of websites,  you’re lucky you only have to manage yourself. However, it’s the safest way to surf. Make a new, secure password – at least eight characters, include symbols (eg *), numbers and capital letters – for every site you join and consider changing it regularly. Make sure you give all the information you need to to retrieve your password if you lose it (like the phone number on Twitter). Make sure you take a note of every password – a text document will do but there are alternatives specifically designed for this purpose.
If you get an email that appears to be from a trusted source, don’t click on the link unless you are 100 per cent positive that the mail is real. Look for  tell-tale signs and if you have any doubts at all, type the web address into your web browser or search for it in Google or Bing. The real site will be at or near the top of the results. If you log in on the real site, any problem that may exist will be highlighted to you there. Change your password if you are concerned. Check that the login page is secure (https rather than http will appear inthe address bar).

So, where does that leave @themayonews?
In a word, stuck. We can’t access the account until Twitter support fixes it, and they don’t appear to be in a rush. I wonder if they’d get a move on if lots of Mayo people complained about the loss of their favourite local news source in tweets to @twitter… Not that I’m suggesting anything…

Useful links
Phishing on Twitter
Phishing on Facebook
Sophos' guide to protecting against phishing attacks