A Facebook page set up to chronicle the extremely short life of a baby with the rare, terminal condition of anencephaly was hijacked within days of the infant’s death and set to display lewd images.
The child, Shane Haley, was born on Thursday and lived a brief but intensely celebrated life of less than four hours.
Because of his parents, by the time he died, Shane was already an internet celebrity.
The couple, Gassew and Dan Haley from the US city of Philadelphia, had made a “bucket list” for their unborn child after he was diagnosed in utero with the birth defect that would give him only a few hours to live after being born.
They also created a Facebook page, Prayers for Shane, earlier this year to store the memories they created for the unborn child as they took him, while still in the womb, to places and events they would have taken him if he had lived: football games, the beach, museums, the country, on a ride on an old train.
#shanesbucketlist went viral. The Facebook page has nearly 1 million Likes.
That must have been too tempting for scumbags to pass up.
According to NBC, the Haleys received a message on Saturday, around 1:30 p.m.
The message asked them to verify the Prayers for Shane account, Gassew said, and looked just like one they’d received from Facebook previously:
The email looked very, very similar to one we got before.
Thinking it was legitimate, Gassew typed in Dan’s name and password.
Unfortunately, it wasn’t from Facebook. It was from somebody who yanked control of Shane’s page away from his parents.
The explicit photos posted by the con artist quickly met with the condemnation of the page’s many followers.
Gassew immediately reached out to Facebook to wrestle the page back, and NBC threw its weight behind her to try to expedite the process.
Their efforts paid off. Facebook might sometimes react slowly, but not this time.
Within hours, Facebook yanked the offending posts and handed control of the site back to Shane’s parents.
We report on vile acts by cyber fraudsters all the time, but a phisher who goes after a mother who just lost her baby? That’s stunningly inhumane.
But phishers will do that. They’ll exploit whatever chink they can find to crack open people’s online lives.
Take, for example, Heartbleed. Legitimate businesses were so eager to protect users and reassure them that their data would be safe that they just couldn’t resist sending reset links to customers.
Unfortunately, as Naked Security’s Paul Ducklin pointed out when Heartbleed data leakage revelations were all over the news, this is the wrong way to tell people how much you care about their security.
Reset links that ask for user login details are used too often to cajole logins out of victims – just as was done to Shane’s parents.
It would be nice to think we’re all too savvy to fall for scams like that, or, say, for those from the Apple phishing duo who were jailed in July after phishing bank account details out of over 150 Apple users by sending them scary messages about their accounts having been compromised.
Unfortunately, many of us aren’t smart or suspicious enough to see through phishing come-ons – true even for security pros!
Or, to get statistical about it, we fail about 37% of the time, according to an in-house awareness test run late last year that managed to persuade 1,850 of the Canadian Justice Department’s 5,000 staff to click on scammy links.
If you’re curious about your own gullibility or lack thereof, you might want to check out an article we wrote not only to help businesses avoid crafting phishy-sounding emails but also to help recipients sniff out the difference between phish and real: Phish or legit – Can you tell the difference?
That article is by John Shier – Senior Security Expert at Sophos – and picks apart two real emails from his inbox, both containing links and requests to click on them for fill-in-the-blank goodies, be they yummy Apple rewards, or you-better-do-this-or-you’ll-rot-in-hell-and-lose-your-bank-account threats.
Were they a phish? Or were they real? Read it to find out, and also to understand how to dissect a phish.
After you dissect a phish, you might well understand how these poor people got reeled in.
I teach computer and Internet security classes to the public, for free! The last time I gave the class, no one showed up. I think it’s the ostrich syndrome, or people just don’t get it. Just mouse over the link, then look at the status bar: does that address look phishy? BTW, thank you Sophos and “Scantily Clad Security” for all the great security tips.
I’m not sure why I’m surprised. Criminals are simply awful creatures. They steal credit cards and plant malware on networks to swipe private data, so why wouldn’t they do something so awful? But the fact is, this is, quite simply, the lowest level of human scum. Whoever did this has no integrity, no character, and surely, no soul.
Predators love to abuse vulnerable people. The predator in this case is probably a psychopath and you cannot reason with or change people who have that personality type.
I doubt the boy’s parents were able to think straight when they received the phish.
Rest in peace, Shane.
Hmmm. I have been a member of one of the largest credit unions (like a member-owned bank) in the US for 30 years. Just recently I received a very realistic-appearing email welcoming me as a new member and inviting me to click some links for information on services available to me.
Naturally I assumed it was a phishing scam and moved the pointer over the links. My credit union’s domain is identified here as abc.com, but these links were all to cprpt.com (real address). Even more evidence that it was phishing, yes? I wrote the credit union to inform them of the apparent phishing scam. A big pain, too. They have no public email addresses. You have to use a secure web page to contact them. The silly page only accepts text so I couldn’t paste the entire suspect email with images. And it’s limited to 2000 characters, so I couldn’t even include the entire email.
Digging a bit deeper, I did a WHOIS lookup on cprpt.com and found out that it is owned by NCR. I know the credit union procures hardware from NCR, so it’s reasonable to assume they also procure other services.
At about this time I received a broadcast email from the credit union apologizing for their error. They had sent a new advertisement to the wrong mailing list, the one from last week’s campaign instead of the current one.
I wrote again pointing out that sources like Naked Security have stated over and over again to check links in emails, and that their emails were training users to trust emails with links to third-party domains. I pointed out that they could use a domain name alias like campaign.abc.com, aliased to cprpt.com to avoid this problem. They didn’t get it and sent me another letter apologizing for using the wrong email list.
I finally just asked them to forward my comments to the IT department and have them respond to me. No answer yet.
My question to Lisa and Duck: How do you expect to train users when you cannot even train financial institutions? This is not a rinky-dink outfit. As of 2011, “abc” had $2.01 billion in assets and more than 191,000 members.
Lots of (lawful, opted-in) advertising emails include links that go via a third party – usually an electronic direct mail (eDM) company. The eDM company does all the work of recording who got what, who clicked where, who asked to unsubscribe, and so on, so the company hiring the eDM company doesn’t have to.
In other words, they use a lot of phishy-looking links that later redirect to the real place, after the eDM company has done its job of tracking you.
As long as they don’t try to disguise it (e.g. by having a link where the *text* of the link is something explicit-looking but bogus, such as “http://example.com/freestuff”) and they only ever redirect you to plain old pages that don’t try to get you to login, I suppose it’s about OK and we simply have to learn to live with it.
It’s when the links try to give you the impression that they go directly to the real site, but then never actually end up there, that you should make sure your alarm bells go off.
Sadly, if they make no bones about redirecting via some eDM company’s servers but then do end up at the real place, and don’t take you to a login page…that’s become acceptable practice. I don’t much like it but I have taken a deep breath and decided I can deal with it 🙂
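The two checks discussed in this thread (hovering to compare the link’s real host with what it claims to be, and spotting link text that shows one address while the href goes somewhere else) can be automated over an HTML mail. This is an added example, not code from the commenter or from Sophos; the organisation domain abc.com is the credit union’s placeholder from the earlier comment, cprpt.com is the eDM host mentioned there, and the mail body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation domains (placeholder from the comment above, not real)
ORG_DOMAINS = {"abc.com"}

# Constructed sample mail: a tracking link, a disguised link, a first-party link
SAMPLE_MAIL = """<p>Welcome! <a href="http://cprpt.com/t/123">View services</a>
<a href="http://cprpt.com/x">http://abc.com/login</a>
<a href="https://www.abc.com/help">Help</a></p>"""

def host_of(text):
    """Return the host of a URL-looking string, or None if it is not one."""
    text = text.strip()
    if "://" not in text:
        if "." in text and " " not in text:
            text = "http://" + text        # bare host such as abc.com/login
        else:
            return None                    # ordinary words, not an address
    return urlparse(text).hostname

def in_org(host):
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Flag links whose text shows another host than the href (disguised)
    or whose href host is outside the organisation (third-party)."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        target, shown = host_of(href), host_of(text)
        if target is None:
            continue
        if shown and shown != target:
            findings.append(("disguised", text, target))
        elif not in_org(target):
            findings.append(("third-party", text, target))
    return findings
```

Run `audit_links(SAMPLE_MAIL)`: the tracking link is reported as third-party (tolerable if it lands on the real site and not a login page), while the second link is the disguise case that should set alarm bells off.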
Some companies seem to have a true phobia about providing a way to contact them. If they are trying to avoid spam, set up a form. Also, in the early days of bank phishing, when I received a phishing attempt I’d forward the message to the bank, which was sometimes easy and sometimes impossible; once I even got a “thank you” reply. But if a company is going to have a web presence, at least give users a way to contact them. And of course, don’t send verifications in e-mails.