Don't get hooked by a Phishing scam. Actual steps you can take to protect yourself.

in #steemit, 6 years ago (edited)

Here fishy, fishy, fishy.

DON'T GET HOOKED.

Today I had planned to post a nice simple how-to #introduceyourself post; after all, I only just wrote a post about security. However...

Early yesterday morning my wife @insideoutlet and I woke to the news that a series of new phishing scams had compromised a few accounts, the @qustodian bot included. As the day progressed, news of further fallout came to light, and to tell the truth there is a high probability of more to come unless the word is spread really well.

I'm going to start with the simple and move on to the only slightly less simple steps of protection.

Sorry this might be a little long.

What the Hell is a Phishing scam?

Ok, before I get into the steps to help protect you I want to give you a quick overview of phishing scams.

Phishing is not the Phat of fishing. Phishing is not hacking. Phishing is social engineering.

This particular type of social engineering is so common that almost anyone with an internet presence has seen it and, hopefully, successfully avoided it. Most people can tell that the Nigerian Prince who can't correctly spell the name of his own country probably isn't really interested in sending you $50 million for your help, kind sir.

Where it gets harder to avoid is when they become a little more sophisticated: when the emails that come in look like they come from a legitimate source, look just like your bank or even your email provider, and carry threats that you have already been compromised or that your account will be deleted if you don't confirm your details. Then bang, compromised.

Steemit Version.

Before anyone says that those compromised just should have been more careful, let me show you something. All these images are phone versions, but I can tell you that the PC version is no less convincing.

Now imagine for a second: it's late at night, you're a little tired and browsing good and faithful steemit. You click on a link in an innocent-looking comment, are redirected to one of those sites and are prompted to enter your password. You do, and it's Bang, Compromised.

Protecting yourself: The obvious.

Aside from those phishing attempts that use fear to solicit your user credentials, some of the most successful will leverage your greed. An old saying goes:

You'll never con an honest John.

While it's probably not truly accurate, it's something to bear in mind: if you come across a page that promises you some sneaky little glitch that will let you "hack" steemit for whale upvotes, clicking like on that post is a bad idea.

I'm sure your mother taught you that if it seems too good to be true, it probably is.

Protecting yourself: The basics.

DON'T LOG IN WITH YOUR MASTER KEY.


Power up

Seriously, just banking any steem or sbd that you don't need to be liquid buys you 3 days extra to act and recover your account, and the powering down process is significantly longer.

Check the link.

PC
If you're suspicious, hover your mouse over a link before you click; you will see the link address in the bottom corner of your screen.

Mobile
On both Android and iOS, a press and hold on the given link will open an option box showing the link address.

DON'T LOG IN WITH YOUR MASTER KEY.

Check the link again.


Before you enter your keys on any site, even if you're sure it's the right one, check the address bar and make sure.
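
The address-bar check above, written out as an added example (not part of the original post): it judges a link only by the host it really leads to. `TRUSTED_HOSTS`, `check_link` and the `.example` links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only host you ever type your Steem keys into. Edit to suit.
TRUSTED_HOSTS = {"steemit.com"}


def check_link(url):
    """Return (ok, reason), judging a link only by the host it really goes to."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed link"
    if not host:
        return False, "no host in link"
    if "@" in parts.netloc:
        # Anything before '@' is a username, not the site being visited.
        return False, f"username trick, real host is {host}"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, f"non-ASCII lookalike characters in {host}"
    if host not in TRUSTED_HOSTS:
        for good in TRUSTED_HOSTS:
            if good in host:
                return False, f"{good} is only part of the name {host}"
        return False, f"unknown host {host}"
    if parts.scheme != "https":
        return False, "right host, but not https"
    return True, f"ok, host is {host}"


if __name__ == "__main__":
    # Constructed sample links; .example names are reserved for documentation.
    for link in [
        "https://steemit.com/@shai-hulud",
        "https://steemit.com.login.example/wallet",
        "https://steemit.com@login.example/",
        "https://xn--constructed.example/login",
        "http://steemit.com/",
    ]:
        print(link, "->", check_link(link))
```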

Protect yourself, get an alarm system.

Since Steemit is lacking Two Factor Authentication in order to change your password (which is just mad), the next best step you can take to protect your account is to be aware of a breach as soon as possible.

Meet @Ginabot

Yes, I know I have used the old pic of Gina, but I'm a sucker for a redhead, just ask my wife @insideoutlet.

Gina, designed by @neander-squirrel, is just about the only alarm system I can think of for the steem platforms. Gina can give you tons of handy information: when someone comments on your post, replies to your comment, upvotes you or resteems you, Gina can let you know.

Why she makes a useful alarm system is that you can also set her to let you know when you make comments, upvotes, etc. Granted, 99% of the time you know when you have commented, but getting the alert that you have just made a comment like this should definitely sound that alarm.

For the record, that's not a comment from @grumpycat; that post comes from @qustodian after it has been compromised. In fact, all compromised accounts have been making this comment, and every link in the comment is designed to take you to the phishing site.

DON'T LOG IN WITH YOUR MASTER KEY

Protecting yourself with a tiny bit of effort.

Until someone claims the steem-specific anti-phishing bounty, there are some steps you can take that can protect you. Unfortunately, they are pretty manual and require effort on your part to ensure that they are kept up to date.

PC Windows

Blocking specific web pages regardless of the browser without accessing the router.

I'm going to assume you're comfortable navigating Windows.

Step 1: Navigate to \windows\system32\drivers\etc
Step 2: Find Hosts, right click and open with Notepad. If you're running Windows 10 you may need to run Notepad as administrator. It's going to look like this.

By editing the file, placing 127.0.0.1 followed by the blacklisted address, and saving the file, you can block the phishing links from redirecting you.
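
The hosts-file edit described above as a script, added here as an example and not part of the original post: it turns pasted links into `127.0.0.1` lines and skips names that are already blocked. The function names and the `.example` hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Addresses commonly used in hosts files to send a name nowhere.
BLOCK_ADDRS = ("127.0.0.1", "0.0.0.0", "::1")


def to_hostname(entry):
    """Reduce a pasted link or bare name to its hostname; None if unusable."""
    entry = entry.strip().lower()
    try:
        host = urlsplit(entry if "//" in entry else "//" + entry).hostname or ""
    except ValueError:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.match(p) for p in labels):
        return None
    return ".".join(labels)


def blocked_names(hosts_text):
    """Names the file already points at a blocking address (comments ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in BLOCK_ADDRS:
            names.update(f.lower() for f in fields[1:])
    return names


def add_blocks(hosts_text, blacklist):
    """Return hosts_text plus one '127.0.0.1 name' line per name not yet blocked."""
    have, new = blocked_names(hosts_text), []
    for entry in blacklist:
        host = to_hostname(entry)
        if host and host not in have:
            have.add(host)
            new.append(f"127.0.0.1 {host}")
    if not new:
        return hosts_text
    sep = "" if not hosts_text or hosts_text.endswith("\n") else "\n"
    return hosts_text + sep + "\n".join(new) + "\n"


if __name__ == "__main__":
    # Constructed sample file and blacklist; the .example names are placeholders.
    sample = "# sample hosts file\n127.0.0.1 localhost\n"
    print(add_blocks(sample, ["https://phish-login.example/wallet",
                              "www.phish-login.example"]))
```

The hosts file matches names exactly, so a `www.` variant needs its own line. Write the result back to `C:\Windows\System32\drivers\etc\hosts` from an editor or prompt run as administrator.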

DON'T LOG IN WITH YOUR MASTER KEY

On Phone

Ok, so blocking websites on the phone is actually a pretty crappy process. It's really easy to block specific sites if you're prepared to severely lock down your browsers and limit adult content at the same time, and let's face it, since the internet is for porn many of you aren't going to want to do that.

So I'm not going to spend the time trying to teach you how to root your Android phone to edit the host file, and I'm not going to show you the step by step of turning on adult content restrictions so you can block specific websites at the expense of your browsing convenience.

All I'm going to suggest here is Trend Micro's mobile security. Even if you don't use some of their features, it is really straightforward to block a website. And yes, unfortunately, it's not free, but if you don't take steps to protect yourself you could pay with your Steem.

DON'T LOG IN WITH YOUR MASTER KEY.

Did I mention don't log in with your master key?

Don't forget to follow @shai-hulud for more lessons from the Knowledge Bank, Adventures in the Alphabet or exploring the Myths of Man.

Knowledge Bank posts.
The Learning Curve and the FAQ
Security: Why lock an empty house

My Wife is also a great Steemian worth a follow, check her out @insideoutlet. Below are some of her:

The Woman Who Moved | Part 6
Third times a charm – This plankton’s giving back!
Paradise or Death III - Where Sci-Fi Collides

Kind Regards

Peter



One last thing! @asapers a new curation team has started a profit-sharing curation post promotion, follow @asapers to check it and more out!

The STEEM Engine


Other than not logging in with your master key...
Another good tip would be to use a password manager (with your posting key preferably!) A password manager will let you know right away that something is phishy when it fails to auto fill the login information. That’s when you’ll know you’ve been redirected to another site that’s not being recognized. I’ve used LastPass and OnePassword and like them both.

Thanks mate, I appreciate the feedback

Will edit and update shortly.

What about those using Google Chrome to save their passwords? I believe it will not show automatically when you're redirected, right?

Yeah, that is correct, although leaving your master key with Google is still not something that I recommend; there are more secure options for password management.

Whenever prompted with a password input, I always double check to ensure that the site I am on is the correct one. It is way too easy to set up a phishing scam site as you just need to copy and paste the relevant code and it would work.

Especially when handling anything that translates into money.. Better safe than sorry.

I mean you can never be too safe. When it comes to phishing you are fighting your nature as well. How tired are you, how curious are you, how concentrated. I mean that's the scary part. When someone hacks you, what can you do, but phishing is simply preying on a moment of weakness.

Editing the hosts file is the best idea I've heard all week, we should have a disclaimer that gets people to edit this file any time there is a warning. Steemit should then have a big red light warning on the main page.

Prevention is so much better than a cure.

Excellent advice! Keep spreading the word- phishers are the worst!

Great advice! Thank you.

Congratulations! This exceptional post has been featured in Episode 13 of The STEEM Engine Express Podcast. Click the link to hear what I had to say, and keep up the good work!

So, just to be clear, are you saying I should not login with my master key? Heehee. But seriously, I love the repetition. I also kind of prefer the old ginabot image. I'm really of two minds about it. Thanks for the helpful reminders.
