Learning a lesson about phishing scams seems to me to be a lot like the lessons learned about the likelihood of data loss on a computer, namely that there are those that have lost data, and then there are those who have not lost data… yet – *sigh*.

I suppose it will happen to all of us at one time or another, but it still really bites… this was my turn I guess. 

I consider myself a pretty literate user of computer technology and to allow this to occur, for me, was a sign that I was just not paying attention to what is probably one of the most important elements of an online presence – securing my identity.

The fact that it happened to me on Facebook was disconcerting; Facebook is a relevant social network for me, Community site is more so and is coming up fast as a place for me to hang out lately (very nice B2B environment BTW, well worth a look-see if you are a small- to medium biz wanting to connect / sell to others).

On May 21st I get an email from the phisher, via Facebook, that looks like an email from a friend, Pat Kitano. I know Pat to be a pretty literate user as well, so I do not question the source of the message.  Little did I know what would come out of this message from a trusted friend.

The message looked like other emails I’ve received from my community via Facebook, and says I should “Check <<insert URL here>>”, which looked like a legitimate link – I happily click thru to the site.  Still OK…

As the site comes up I fail to inspect the site closely.  It looks ‘Facebook-ish’ and I give up my Facebook login credentials – poof… almost immediately I begin getting tweets from friends telling me that I am spamming them.  As I hear from my friends, at first I am incredulous. I value my online community and I’d NEVER intentionally spam my friends, it just couldn’t happen!

…then suddenly the realization comes over me – I’ve been phished… dang… I think through the next steps to take –

  • Stop the spamming, if I can
  • Reset my credentials on Facebook ASAP 
  • Apologize to my network for the bad judgement / lack of presence that allowed it to happen
  • Move forward – not the end of the world…
  • Share the experience so others do not get caught too

I know how to do most of this, but am unsure about other parts, so I tweet about my predicament.  I get back a series of responses on what to do next that range from deleting my Facebook account and restarting to simply changing the login credentials.  Another, very techy friend suggests I may have even been hit with a downloaded component that may have infected my local computer.  I’m working at home, so fortunately I have another computer nearby that will allow me to keep working.

I get to work on establishing just what the phisher might have done to my laptop.  I make sure my WiFi is turned off and then reach around and disconnect the Ethernet cable and drop off the net on my laptop.  I start a virus scan; I use Avast AVG as my anti-virus provider and AVG updates almost every day so I believe that it is current.  Click, click – I kick off the virus scan right away.

I get back to the web and keep checking replies from the community – the suggestion that I might have downloaded something by simply logging onto the phishing site is clarified: in order for it to have executed a download of anything, it requires that I be on IE.  I breathe a sigh of relief – as much as I like Microsoft products, I rarely use IE as my browser; I’m usually in Google Chrome or Firefox for browsing, feeling like I might have dodged a bullet there, but still let the virus scan proceed.

I then look at the change of credentials.  I know I cannot delete my name, I want to still be ‘Steven Groves’ and while my community on Facebook is not large (362 as of today), I am in no way interested in trying to recreate the connections I have there.  Just changing my password will probably do what I need, which is to keep the phisher out of my account.  I think about password management and realize that I lack a robust capability to generate and manage passwords.  I have multiple computers, dozens of accounts and if I want to reduce or eliminate the likelihood of this happening again, I need a better solution.

I had come across a few weeks earlier and begin to explore it in earnest – I love what it does.  LastPass connects to Firefox as a plug-in and can securely manage an identity online by generating wonderfully random characters for a password and by handling the fill-in for the login page.  As I implement LastPass, I’m feeling fairly secure but recognizing the weakness of counting on the solution to handle this critical capability of managing my online credentials.

Paranoia and conspiracy theories only travel so far with me, so I make the plunge.  LastPass can generate a powerfully cryptic password, one a human would NEVER remember and one that, I hope, a hacker would never discover either.  As I work with LastPass on other accounts, I realize how powerful this kind of capability is, that is the ability to auto-generate a secure password for ALL my accounts.  I like it – a lot… I decide to also get the USB key, which turns a thumb drive into an authentication device so now you need my thumb drive, my password protected laptop, account access to LastPass and know where I have accounts to have an impact on my online presence.  Feeling significantly better now.

Finally, the virus scan completes – no known viruses found.  I breathe a very big sigh of relief… definitely feel like I’ve dodged a bullet here and feel badly that I’ve spammed so many people.

Lessons Learned – consider using ‘non-industry standard’ web browsers more, pay attention to the links you click on, check into a password / single sign-on management product like  Will it make a difference?  Yes, I think so and the solutions out there make the implementation very easy and non-intrusive once you’ve got things set up.

Image credit – The Tech Herald