I wanted to get this out there quickly: I just got hit with a new Gmail phishing attempt. Basically, a bot took over my friend’s account and messaged me asking if I could log in to a particular page. Below is a screenshot of our conversation, and of the page she asked me to log in to:
As you can see, the hacker/bot was able to respond with about the same level of believability as Cleverbot. The only external factors I could blame my lapse of judgement on were:
- Gmail’s visceral redesign confused me so much that I had trouble distinguishing between a scam and real Google product site (though I should have examined the URL more closely),
- I’m utterly unfamiliar with Picasa and so less able to tell a scam from a normal landing page (see below),
- I trust that particular friend a great deal, and had been missing her lately.
Below is what the scam page looked like. I took a screenshot when I signed in for “my friend” so I could confirm I was seeing what she was seeing, because I was assuming I was helping her with a technical issue (which I do for friends often).
The lesson is: unlike the 2009 GChat spam epidemic, this one asks for phone numbers as well. I’ll be expecting some scam phone calls soon. Also, my friends are great. From the first message where I handed my password over to a spammer to when my friend GChat-ed me in horror saying:
At which point I logged out, hopefully forcing any intruders out with me, logged back in and changed my password. I can’t think of any way to fix the fact that I gave out my phone number, but they shouldn’t be able to use my Gmail account to scam my friends now. Lesson learned.