
My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:17 pm
by Jag
Hey, if anyone got a Steam message from me in the last day, please ignore it. I received a PM from an old member Koz asking to vote for his E-sports team. I said sure, but it required a Steam login to the Intel site. I thought it was strange, so I Googled the site and it came up as an Intel site. So I logged in and voted. Then I saw today that someone bought a Counter-Strike gun for $27 on my Steam balance. I realized immediately what had happened. I got some PMs from other OO members that my account had reached out to.

I changed my Steam password and googled Steam phishing and saw that they could also create an API link, which they did. I deleted the API and I'm hoping my account is secure now. Sorry for anyone that got a message from me. Don't be a moron like I was. And thank the lord for 2FA. I probably would have lost my account if I didn't have it.

At least I still have the item they bought. I put in a ticket with Steam, but if they can't help me, I guess I'll sell it.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:21 pm
by naednek
weird. Koz messaged me asking for a favor. I thought it was genuine. He never responded. Glad that he didn't :D

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:22 pm
by hitbyambulance
i think one good use of AI would be an agent on an elderly person's machine to strongly dissuade or prevent aged and addled brains from falling for phishing attempts.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:44 pm
by Holman
hitbyambulance wrote: Mon Nov 30, 2020 7:22 pm i think one good use of AI would be an agent on an elderly person's machine to strongly dissuade or prevent aged and addled brains from falling for phishing attempts.
Can I register as "addled"? Because I would appreciate such a service.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:51 pm
by Jag
hitbyambulance wrote: Mon Nov 30, 2020 7:22 pm i think one good use of AI would be an agent on an elderly person's machine to strongly dissuade or prevent aged and addled brains from falling for phishing attempts.
I guess I fall into the elderly category.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:53 pm
by Lorini
Does having Steam Guard help with this? I have Steam Guard

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 7:55 pm
by Jag
Lorini wrote: Mon Nov 30, 2020 7:53 pm Does having Steam Guard help with this? I have Steam Guard
Yes. That's 2 factor authentication. It most likely saved my Steam account.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 8:44 pm
by Smoove_B
Thanks for sharing...I could see this being particularly effective for our group.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 8:56 pm
by Anonymous Bosch
Indeed, two-factor authentication (2FA) is vastly superior to relying on passphrases alone. That's why I use a Yubikey wherever possible, as explained by Linus Sebastian below:


Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 11:15 pm
by Lassr
I got the message from Jag or fake Jag. Did a little research and thought the site was legit although it seemed weird. Should have gone with my instinct... I've changed my Steam password.
Also had an API link that I deleted and unauthorized all devices except my computer.

Re: My Steam Account was Phished

Posted: Mon Nov 30, 2020 11:41 pm
by jztemple2
Holman wrote: Mon Nov 30, 2020 7:44 pm
hitbyambulance wrote: Mon Nov 30, 2020 7:22 pm i think one good use of AI would be an agent on an elderly person's machine to strongly dissuade or prevent aged and addled brains from falling for phishing attempts.
Can I register as "addled"? Because I would appreciate such a service.
I worry about this happening to my wife as she isn't as computer savvy (and paranoid) as I am. Happily she has seen the light and now just deletes all messages she is the least suspicious about. Still, she gets a lot of emails and I worry one will slip through.

About nine years ago she got socially hacked (I think that is the term) when right at the time of the William and Kate royal wedding she got an email from my sister who said she was in London for the wedding and got her purse stolen and she needed money. This happened after I went to bed so I didn't know about it. This was a perfect storm of coincidences as my sister had just come into some money and this was just the kind of flaky thing she would do, go to a foreign country and lose all her money.

So my wife contacted Western Union and sent some money. Early the next morning my wife was on the computer to see if my sister had received the money. She said she had but needed more and my wife sent some more just before I woke up and she told me about it. This all sounded fishy to me so I picked up the phone and called my sister's home in the States and of course she was home :(. Turns out someone had hacked her email account and like a twit she hadn't called her family to let us know. Someone was using her contacts list and trying to get someone to send them money.

The good news about the story is that my wife immediately filled out reports for the police and for Western Union, and two years later got all her money back because WU failed to check the id of the person who had picked up the money and were required to reimburse us. And of course, lesson learned.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 12:48 am
by Rumpy
hitbyambulance wrote: Mon Nov 30, 2020 7:22 pm i think one good use of AI would be an agent on an elderly person's machine to strongly dissuade or prevent aged and addled brains from falling for phishing attempts.
Yeah, that'd be a great idea. I've got my Dad trained on using a program called Mailwasher. It acts as a sort of filter showing the headers, and you launch it before the mail client, and it's done a pretty good job of keeping him out of trouble. You have to select everything manually to be deleted, but it's still better than nothing. And years ago, when this program was free, I'd actually introduced it to posters on a forum where the demo was mostly older, and they'd loved it for the ease of use.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 12:50 am
by LawBeefaroni
jztemple2 wrote: Mon Nov 30, 2020 11:41 pm

About nine years ago she got socially hacked (I think that is the term)
"Social engineering" I believe.

Nice job by Jag letting everyone know, too.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 12:59 am
by jztemple2
LawBeefaroni wrote: Tue Dec 01, 2020 12:50 am
jztemple2 wrote: Mon Nov 30, 2020 11:41 pm

About nine years ago she got socially hacked (I think that is the term)
"Social engineering" I believe.
Thanks, that sounds better too.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 2:05 am
by malchior
jztemple2 wrote: Mon Nov 30, 2020 11:41 pm The good news about the story is that my wife immediately filled out reports for the police and for Western Union, and two years later got all her money back because WU failed to check the id of the person who had picked up the money and were required to reimburse us. And of course, lesson learned.
Wow. I've dealt with this issue for many years now and this is the first time I've ever heard anything like this. That is extremely lucky!

My recommendation to people is to never ever log into anything without a "naked" HTTPS url. That means you can see it in the browser address bar and can hover over it, see the same address as is displayed on the clickable link, and more importantly you can click on the lock icon and see that the url matches. That is usually too complicated for many so the browsers have stepped up quite a bit to help out. In any case, this is easily the biggest problem we still see in the real world and every company in the world has ongoing phishing training as part of their security awareness compliance framework.

Even worse, once they get one set of credentials they'll often add them to their attack dictionaries and try a technique called 'credential stuffing'. This technique involves taking the stolen credential and attempting to log into popular websites because people tend to reuse passwords. More sophisticated actors build libraries to try to profile people and even predict other 'unique' passwords. Anyway, bottom line - turn on 2-factor wherever you can and importantly *put a passcode* on your cell phone accounts. One way to break text-based 2-factor is to port a phone number to another carrier and then 'steal' the texts. Some quick 10-minute things like setting protections up like that or freezing credit accounts can save you a lot of work in the future.
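
Added example, not part of any post in this thread: the link check malchior describes above (HTTPS, and the host you actually land on matches what the link shows and what you expect), written as a small JavaScript function. The allowlist of Steam login hosts and the function names are assumptions made for illustration.

```javascript
// Added example. The allowlist and every sample link in the tests are
// constructed for illustration; put your own known-good login hosts here.
const TRUSTED_LOGIN_HOSTS = new Set([
  "steamcommunity.com",
  "store.steampowered.com",
  "help.steampowered.com",
]);

// If the visible link text itself looks like a URL or hostname, return the
// host it claims to point at; otherwise (plain words) return null.
function hostShownInText(text) {
  const t = text.trim();
  if (!/^(https?:\/\/)?[^\s\/]+\.[^\s\/]+(\/\S*)?$/i.test(t)) return null;
  try {
    return new URL(/^https?:\/\//i.test(t) ? t : "https://" + t).hostname;
  } catch {
    return null;
  }
}

function checkLoginLink(displayedText, href) {
  let target;
  try {
    target = new URL(href); // same parsing rules the browser applies
  } catch {
    return { ok: false, host: null, findings: ["href is not an absolute URL"] };
  }
  const findings = [];
  // hostname is lowercased and punycode-encoded by the parser, so an exact
  // string comparison also rejects look-alike Unicode characters.
  const host = target.hostname;
  if (target.protocol !== "https:") findings.push("not HTTPS");
  if (target.username || target.password) {
    findings.push("text before '@' is userinfo, not the host");
  }
  if (!TRUSTED_LOGIN_HOSTS.has(host)) {
    findings.push(`${host} is not a known login host`);
  }
  const shown = hostShownInText(displayedText);
  if (shown !== null && shown !== host) {
    findings.push(`link text shows ${shown} but the link goes to ${host}`);
  }
  return { ok: findings.length === 0, host, findings };
}
```

The comparison is an exact match on the parsed host, so a trusted name appearing as a leading label of some other domain, or before an `@`, does not pass.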

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 2:23 am
by Daehawk
I get emails all the time saying "We see you're having trouble logging into your..." I can't recall if it's Imgur or some other one... I just laugh and move on.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 5:54 am
by stessier
Thanks for this thread. I got the Fake Jag chat today and just deleted it. Not sure what I would have done without the heads up.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 9:50 am
by Little Raven
Huh. I got the fake Jag chat yesterday. I hadn't seen this thread yet, so I (eventually) responded, but I never got more than the initial chat line.

Weird.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 10:51 am
by Holman
My MIL lives with us, and she is at least savvy enough to ask me about anything at all that looks unusual.

A couple of days ago she received a very Microsoft-looking notice apparently from Windows Defender, but she immediately realized that the website address didn't look Microsoft at all. I have taught her well. :)

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 11:12 am
by El Guapo
The true lesson here is to not have any friends.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 11:26 am
by ImLawBoy
The real treasure is the friends we shunned along the way.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 11:30 am
by Lassr
El Guapo wrote: Tue Dec 01, 2020 11:12 am The true lesson here is to not have any friends.
Deleting all of you now!

As I said, I should have trusted my instinct but the Jag ID led back to his real account and I thought he surely was not hacked due to 2FA, that prevented my account from being totally taken. I started to ask him to PM me in OO or post it (since that usually is the protocol for us to ask for favors but didn't, DOH!) Then I researched the intel site and it seemed legit. It was a well done scam. First one I ever fell for.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 11:41 am
by stessier
Lassr wrote: Tue Dec 01, 2020 11:30 am First one I ever fell for.
As far as you know. :ninja:

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 11:44 am
by Daehawk
You're just getting old. :)

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 12:24 pm
by Lassr
Daehawk wrote: Tue Dec 01, 2020 11:44 am You're just getting old. :)
No doubt, miss the days when technology issues was setting the clock on the VCR that my parents dealt with, not recognizing elaborate internet scams.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 1:10 pm
by Daehawk
As an 11 or 12 year old I used to have to set the clock on our VCR lol. Dad was in his 50s...so my age now....and he just couldn't do it. I guess soon I'll be flubbing so much tech stuff up. I'm sure a kid or teen could make fun of me for a smart phone use. I just use it for a couple pics and as an actual phone.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 2:24 pm
by Rumpy
Lassr wrote: Tue Dec 01, 2020 11:30 am
El Guapo wrote: Tue Dec 01, 2020 11:12 am The true lesson here is to not have any friends.
Then I researched the intel site and it seemed legit. It was a well done scam. First one I ever fell for.
What puzzles me is the Intel part of it. I mean, unless Intel were actually known for a similar site, that would raise the red flag for me. I wonder if Intel knows of this scam, and if they don't they probably should.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 3:21 pm
by Jag
Lassr wrote: Tue Dec 01, 2020 11:30 am
El Guapo wrote: Tue Dec 01, 2020 11:12 am The true lesson here is to not have any friends.
Deleting all of you now!

As I said, I should have trusted my instinct but the Jag ID led back to his real account and I thought he surely was not hacked due to 2FA, that prevented my account from being totally taken. I started to ask him to PM me in OO or post it (since that usually is the protocol for us to ask for favors but didn't, DOH!) Then I researched the intel site and it seemed legit. It was a well done scam. First one I ever fell for.
Yeah, first one I fell for as well.

I'm so sorry that I got you guys caught up in my idiocy. I'm hoping no one got a message from me after I made this thread (around 6pm Monday 11/30) because that's when I took all the measures to lock down my account again.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 3:28 pm
by Scuzz
I don't trust anything on the internet so I am sure I have turned down legit friend requests and others on Steam. But it has protected me from things like this I guess.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 6:25 pm
by Brian
Mine got hit too. I've changed my password but ignore any "favor" requests from me.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 6:28 pm
by Godzilla Blitz
I just got one of these from [OO] Brian. I'm aware of the scam so I didn't fall for it. I'm not sure who that maps to here, but since the scam blocks friends on Steam I thought I'd mention it in case it helps.

EDIT: Oh... That's probably you, Brian, who posted right before me. :)

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 7:17 pm
by Daehawk
Was starting to think I'd not get one... should have known. Just got this...

[5:20 PM]
[OO] Brian:
heyare you busy rn?

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 7:53 pm
by dbt1949
BRIAN IS EVIL!

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 8:33 pm
by Octavious
Ya I got a message from Koz but no link and just replied with a ? as it was hours after it was sent to me. Shrug

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 8:35 pm
by Brian
dbt1949 wrote: Tue Dec 01, 2020 7:53 pm BRIAN IS EVIL!
Well I mean, yeah....but not this kind of evil.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 9:08 pm
by Lassr
When you google search intelprocup now, a steam thread pops up saying it's a scam. I didn't get that the other day, I just got a site that said it was potentially legit but was too new

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 9:21 pm
by The Preacher
Almost got me. But having been off in the desert for so long, I found it very odd that Jag was reaching out. So I came back to OO to see if it was really him. He'd already caught it by that point.

Damn good scam if it's that easy to pull off.

Re: My Steam Account was Phished

Posted: Tue Dec 01, 2020 10:24 pm
by gbasden
Brian wrote: Tue Dec 01, 2020 8:35 pm
dbt1949 wrote: Tue Dec 01, 2020 7:53 pm BRIAN IS EVIL!
Well I mean, yeah....but not this kind of evil.
Brian seems kind of sus.

Re: My Steam Account was Phished

Posted: Wed Dec 02, 2020 12:51 am
by Fretmute
Jag wrote: Mon Nov 30, 2020 7:51 pm
hitbyambulance wrote: Mon Nov 30, 2020 7:22 pm i think one good use of AI would be an agent on an elderly person's machine to strongly dissuade or prevent aged and addled brains from falling for phishing attempts.
I guess I fall into the elderly category.
For what it's worth, I ignored it because I knew there was a zero percent chance that one of us typed the phrase "Sup mate, can i shoot you with a question xd?"

Re: My Steam Account was Phished

Posted: Wed Dec 02, 2020 8:49 am
by The Meal
gbasden wrote: Tue Dec 01, 2020 10:24 pm
Brian wrote: Tue Dec 01, 2020 8:35 pm
dbt1949 wrote: Tue Dec 01, 2020 7:53 pm BRIAN IS EVIL!
Well I mean, yeah....but not this kind of evil.
Brian seems kind of sus.
It's *always* BlueBrawls.