I fell for the oldest social engineering trick in the book
I’ve written countless stories about social engineering, with security experts far and wide telling our readers never to open a link from someone we don’t know. We’ve also published advice about making sure a message from a friend is for real before opening. That didn’t stop me from falling for one of the oldest tricks in the book.
It came in as a direct message on Twitter Friday, from Network World writer Brandon Butler, who sits in the next cube over from me at the office. He’s a nice, mild-mannered chap, so when I got a tweet in his name, I opened the link without thought. Well, that’s actually not true. I did have thoughts, based on his tweet:
“Hello somebody is saying very bad rumors about you… (URL removed)”
I’ve been in this profession for a long time, and have found myself on the receiving end of blistering criticism plenty of times. It’s a simple byproduct of the job. And yet I had to know who was spreading bad rumors about me. And I had to know right that second!
I clicked the link and got a slow-loading site that ended in a request for my Twitter username and password. Another huge red flag. But someone was out there spreading rumors about me, you see, and I had to know what it was. So I plugged in my credentials.
As the screen of my Android froze up, I got the sinking feeling that I had just committed an act of supreme dumbness. By then, it was too late.
Soon after that, a friend on Twitter sent me this message:
“Guessing you didn’t mean to post that…”
It turns out the bad guys started using my Twitter account to send out a variety of spam messages to friends, including the one I fell for.
I changed all my passwords for everything, and the Twitter madness ceased.
This morning, Brandon came in and apologized profusely. It turns out he fell for the same trick as me, and the tweet I got from him was the result.
I laughed pretty hard over that. Sometimes, when you do something stupid, all you can do is laugh, fix what you’ve done and move on.
But Brandon hasn’t been writing about security for the past eight years like me. I should know better by now.
Go ahead and have a good laugh at my expense. I deserve it.