Love may mean never having to say you're sorry, but not so with certain vicious kinds of spam that can lead to compromised online accounts, especially on social networking sites like Twitter and Facebook, where more and more of us are congregating these days.
After many years of an unbroken record of not biting on spam, viruses or phishing attempts, I was taken. I'm not proud to admit it, but there it is. Over the weekend, a direct message, or "DM" on Twitter from a work colleague caught my attention: "LOL — is this you?" with a link to click on.
What was he referring to? Something I'd written? A photo that shouldn't be online, but was? I couldn't imagine what it might be, but an irrational fear of something humiliating — and the fact it was sent on a weekend — propelled me to click on the link. And now, I truly am humiliated, apologizing to several people who are connected to me on Twitter who got the same bogus message, but from me — just like I got it from the work colleague who inadvertently clicked on the link.
Many of us live more and more of our lives online these days, from time to time "Googling" our own names to check any chatter, good or bad. We're told we can't be too careful about what we say or the photos we post. Perhaps that's why the "is this you?" question struck a nerve.
I've written about "phishing" expeditions many a time, and now I'd gone and helped propagate one. I've also received my fair share of "don't click on this link-my account was hijacked/hacked" e-mails from others via Facebook. Among the most recent was a Valentine's Day phishing attempt.
"Please do not open any valentine messages from me. although I do wish everyone a happy valentines day," was the message from the real Facebook friend who sent a warning.
'Too quick to click'
"People are too quick to click" on links, Mary Landesman, senior security researcher for ScanSafe, had told me last spring. And she was right. But how to right the wrong?
"Ack — just learned this: DMs (direct messages) to you w/link to Twitter is possible virus; DO NOT click on link and log in! Lks like accts r being hijacked," I tweeted Saturday, using the 140-character limit of Twitter, then sending this as a follow-up message":
"... If not virus, may be phishing effort to get your login. and lede-in will say: 'LOL..is this you?' or some such..."
Still, not everybody checks their Twitter account all the time, and messages do pile up. Mine got buried by Sunday, when I received some messages marked by irritation and concern asking whether I was aware I had sent this potentially dangerous link.
Another round of tweets from me went out Sunday: "Tweeted this yest, but will say again today, as I was 'bitten' — Do NOT click on links in DMs from me or anyone that start 'LOListhisyou?' " with a follow-up message from Twitter's own @safety account, saying "If you think your account has been phished, check out our help page for compromised accounts."
'ABCs' of spam etiquette
I contacted Landesman of ScanSafe, which provides Web security as a service to businesses, telling her my experience. She says there are "ABCs of proper etiquette" to follow when there's a social networking scam:
"Acknowledge the attack to anyone who might have been adversely impacted.
"Be detailed — tell them what message they might have received as a result of the malware/phishing and what might have happened as a result.
"Caution your contacts — use this as an opportunity to remind everyone that just because you think a message came from someone you know, there really is no way of telling for sure. If they ever do click a link that then leads to a login page or to a video codec install, they should close the page immediately and contact their friend via some other method to inquire (and possibly alert them) about the seemingly malicious link."
She acknowledges that Twitter, "with its 140 characters limitation, makes it a bit harder. For that medium, and specific to (last) weekend’s Twitter attack, your best bet would be a tweet saying something along the lines of:
" 'If you rcvd 'Lol — this is me/funny/you,' don’t click. It’s a phishing scam. If you fell for it too, change your pw. I’m very sorry. :-( ' "
"For more generic Twitter malware and phishing apologies, the gist of it should include enough details about the message sent so folks can identify it, ended with a brief 'I’m sorry,' " she said.
Don't include the link
One thing an apology should not include: The troublesome link itself.
"Don’t ever include a link in the apology," she says. "After all, it was clicking on a link that got folks in trouble in the first place."
Phishing attempts — which seek to get your log-in information as a way of trying to snoop around and get bank account numbers or any other personal information that can be used in identity theft — have been plentiful on Facebook as well as Twitter.
The "LOL — is that you?" attempt not only struck Twitter users last weekend, but those of social networking site Bebo.com, according to security firm Sophos.
The company noted on its blog that in its recent "Security Threat Report" covering the last year, there has been "an astonishing 70 percent rise in the number of users reporting spam and malware attacks via social networks."
Shortened link usage
The use of shortened Web links —for example: http://bit.ly/9HBegt — are especially helpful when using sites like Twitter, but are also more fraught with peril because they disguise what could be a bogus site. In this case, that link goes to a real story on msnbc.com.
"It would greatly help if people got out of the habit of sending very short messages with links," Landesman advises.
"Instead, get in the habit of including some identifying info so that the recipient can tell that you really did intend to send it. For example, instead of sending 'Check out this funny video,' always include more specifics like, 'Funny video — reminds me of that crazy guy we saw on the beach in the Bahamas.'
"If enough folks adopted this habit, it would become much easier to distinguish the really generic messages as being likely phishing or malware attacks."