Phishing trap in a more sophisticated form

February 25, 2008

Here’s what my daughter had to say yesterday:

I received an email from eBay that said that a buyer was asking a question about a particular item. Having not sold any item, I got worried that my account had been broken into and someone had the password. I clicked on the link to the item and was quick to enter my information. Not only was I tired and not as vigilant, I was already worried that my account had been hijacked and was eager to see if my password actually worked.

Once I hit login, I got a genuine eBay page that said something about an error. So I had just made an attempt to log in, but had gotten an error. Then it hit me and I knew what had happened. I had just given my information to the phishing email spam scammer. I immediately went to the real eBay page, logged in and changed my password.

The experience has left me quite shaken. I have a password formula that is website specific and not easy to crack even when looking at it, and my username for eBay is unique and not shared by any other site… but still, the spammer has one of my email addresses (spamgourmet), my eBay username and an old password, and now I feel vulnerable. And it means endless pains to check all my other accounts. AAARGH.

Never, never, never type information into a site that you’ve only clicked on a link to get to. Of course the email was formatted exactly like eBay mails. And of course looking at the URL it pointed to should have been enough. But when I thought that something was already wrong, my aim was to go and fix it rather than to see that it was a trap.

A reminder to be careful!