I will read this! But I’m preemptively happy about any reportage that moves attention away from phishing to spear phishing.
posted by Going To Maine at 10:12 PM on April 25, 2017

And, I, for one, celebrate any media helping to show that, generally, people are the weakest link in any sort of cybersecurity setup.
posted by Samizdata at 10:32 PM on April 25, 2017 [14 favorites]

One of the benefits of being a stubborn old stick-in-the-mud is that when html is automatically converted to 80-column plain ASCII, scam attempts become laughably obvious.

Sorry, spammer pretending to be someone I know, I'm not going to cut and paste that link to fake-microsoft-domain.local-business.tl into a browser.
posted by madajb at 10:49 PM on April 25, 2017 [16 favorites]

If you're interested in hearing more about intelligence gathering and how it can be used, the Social Engineer Podcast Episode 80 has a good description about what can be gathered about targets with relatively little difficulty.

Also as a reminder, turn on two factor authentication for services that offer it like Google. It's not bulletproof, but it raises the bar substantially.
posted by Candleman at 11:34 PM on April 25, 2017 [5 favorites]

Ok, it's scary enough thinking about the threat to my own accounts.
But orders of maginitude more scary when you think: spearfishing -> DNC hack -> Comey -> Pres. Trump
posted by superelastic at 4:23 AM on April 26, 2017 [5 favorites]

Little thing I heard today: prizes for spotting phishing emails. Congratulations! You found our spearphishing email! Collect your prize hamper at reception.

I'd certainly pay more attention if the prize was nice enough.
posted by Wrinkled Stumpskin at 9:31 AM on April 26, 2017

For this reason my company is just now taking the step of blocking personal email access. (I am assuming this is webmail access to the large providers: Gmail, Outlook.com, Yahoo, and *shudder* AOL, but not ssh-mutt weirdos like yours truly.) Our Cybersecurity department is one of the best in the world, and for good reason. But alas, it's not enough to keep someone from clicking on a cleverly-crafted URL with lots of Unicode and whitespace.
posted by endotoxin at 10:46 AM on April 26, 2017

Ok, it's scary enough thinking about the threat to my own accounts.
But orders of maginitude more scary when you think: spearfishing -> DNC hack -> Comey -> Pres. Trump

Scarier is that there is no reason to believe that the same thing didn't happen to the RNC email server, just without the public release of emails...
posted by Zalzidrax at 11:44 AM on April 26, 2017

It just dawned on me that if Podesta had enabled two-factor authentication we'd have a different president.
posted by bdk3clash at 12:28 PM on April 26, 2017 [6 favorites]

It just dawned on me that if Podesta had enabled two-factor authentication we'd have a different president.

People used to talk about the “privacy Exxon Valdez”, but ninety percent of the time big corporate hacks barely get a ripple because you just change your password and tracking individual cases of identity theft. Perhaps the privacy Exxon Valdez is Donald Trump.
posted by Going To Maine at 12:32 PM on April 26, 2017

I think the Privacy Exxon Valdez is something more like the Target or OPM hacks
posted by rhizome at 12:41 PM on April 26, 2017

I thought if anything could be the Privacy Exxon Valdez, it would be the Ashley Madison hack. But a year and a half later, it's mostly forgotten and companies still don't really care about security your data.
posted by mbrubeck at 3:33 PM on April 26, 2017

That's a solid article.

It just dawned on me that if Podesta had enabled two-factor authentication we'd have a different president.

Shit. I think you're right. (There were other failed links in the chain, where things were deemed okay when they weren't, but... yeah.)
posted by rmd1023 at 7:34 PM on April 26, 2017