On YM Phishing

Apparently the YM phish from our previous
advisories is much more widespread than we thought. I’ve a few
friends asking me if I knew about the ‘YM link that steals your
password’. So of course I said yes. I also have a friend from China
who asked me about this. Seems like the phisher-from-Japan is quite
successful, since most of my friends entered their user name and
password.


I also have quite a few security-minded friends who fell victim to
this. Although they had a much faster
reaction time than most: meaning 1-3 (hey, 3 seconds is a looong
time!) seconds after entering their password, they quickly
realized it was a phish and immediately changed their passwords,
they still fell for the phish. Their reasons? “It was from a
friend/sister/relative/whatever! And I trust them!”, and one of
them thought that it was a link to porn so he clicked and entered
his credentials.


Well, what can we do about this? The existence of phishing kits out
there makes phishing very easy and very realistic, since they rip off
the original sites. One way would be to verify if the friend did
indeed send out the link, although that would be too tedious. As
for me, I’ve sort of established a certain “feel” when I chat with
my friends. So when one of my friends popped me the link, I
immediately thought “heeeey, so-and-so does not chat like this!” so
I ignored it and went on my merry way (quite busy to ask “hey did
you send the link?”. excused. hehehehe). And the usual
be-educated-and-learn-the-ways-of-the-dark-side-of-the-phish thing.
Well at least that’s what I said to my friends (who changed their
passwords minutes/hours after the incident).