Site Post » Phishing Awareness · 10:23pm Apr 23rd, 2022

Have you ever found yourself in a situation like this?

And then you magically find yourself in a suspiciously familiar site, except that you're not logged in, and it requires you to do so?

Well. Don't log in. This is a scam, and a cheap one at that. 

There've been recent attempts to obtain Fimfiction users’ personal data, like passwords and/or emails, through links like the one I'm making fun of above. And a distressing number of people don't seem to know what phishing attempts are.

If you HAVE entered a site like this and put in your data, make sure to follow these basic steps at least.

These accounts are then used to further post fraudulent links to trick others. Bear in mind, "just because it's a fimfic account" doesn't mean that the data obtained cannot be used for worse things than simply posting more messages to gain access to more accounts. That's not their final objective.

Given that we're a community and communities should help their members when possible instead of simply leaning back and watching them suffer, I have decided to put up a handy little guide for y'all. Now, this is not a comprehensive guide on how to avoid BITB attacks or stuff like that, but a general familiarity with what is common out there can help.

So, D, you ask: "Besides questions about how you ended up being such a handsome SOB, my burning curiosity right now is focused on this word you used. Why is this scam named so similar to a sport that can be summarized as sitting on a bench or boat with a line and a hook waiting for oblivious swimming animals to bite and be lured out of the water so they can be butchered called... oh. Oooooooooh."

Yes. That is why it's called Phishing. The lure being a link, or a text message with a link, or an email that urges you to click on this link to save yourself from having your money vacuumed by pirates, etc. Usually there are "tells" in emails and such sent to companies, like bad grammar, but in the comments here... that's, let's just say, not unusual enough to raise eyebrows.

The idea is that by clicking that link you are providing these people with data that they can use against you. IP, possibly email, and even your password if they trick you into putting in your credentials. 


Yes that is optional but it's also stupid not to use it. There. I said it. Use that. The codes, phone numbers or text messages automatically required by 2FA could be your lifeline, especially if you're one of those people that use a single password for everything.

Which let me make clear: DON'T. HOLY CELESTIA, DISCORD, AND LUNA! DON'T DO THAT! If you do, make it your mission to fix that sh*t NOW. 

Any one site can be spoofed. Any text message you receive can be clicked on if you're distracted. Any email can look legit unless you're paying attention.

This is for your safety. This is not a joke.

People are taking advantage of your lack of information. You've all heard the stories of old people getting duped by scammers from India to give them their money by convincing them to buy Apple Gift Cards. This doesn't only happen that way, and it's not just old people that are targeted.

Keep track of what's happening out there and remember to protect yourself. There are many ways to keep updated.

We can tighten up security in the site, but ultimately you are the last line of defense against scammers. These sad, bitter, less-than-human morons take advantage of ignorance. Don't let them win.

If you believe you have been a victim of a phishing scam here, please make sure to contact us.

Wanderer D · 14,942 views
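
Added example, not part of the original post and not Fimfiction's code: a small link classifier that does mechanically what the post asks readers to do by eye, namely compare a link's hostname with the one domain they expect before trusting a login page. The trusted domain `fimfiction.net`, the shortener list and every sample host used with it are assumptions constructed for illustration.

```javascript
// Assumptions for this sketch: the one domain we expect, and two common shorteners.
const TRUSTED = "fimfiction.net";
const SHORTENERS = new Set(["bit.ly", "tinyurl.com"]);

// Levenshtein edit distance, used to catch one- or two-character typo-squats.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Last two labels of a hostname. Production code should use the Public
// Suffix List instead, so that suffixes such as co.uk are handled correctly.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns "trusted", "shortener", "lookalike", "unknown" or "invalid".
function classifyLink(href) {
  let url;
  try { url = new URL(href); } catch { return "invalid"; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "invalid";
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // Exact match or a true subdomain is the only thing that counts as trusted.
  if (host === TRUSTED || host.endsWith("." + TRUSTED)) return "trusted";
  // The real destination is hidden until the link is followed.
  if (SHORTENERS.has(host)) return "shortener";
  // Trusted name embedded in someone else's domain (prefix or suffix trick).
  if (host.includes(TRUSTED)) return "lookalike";
  // Registrable domain within two edits of the real one: likely a typo-squat.
  if (editDistance(registrable(host), TRUSTED) <= 2) return "lookalike";
  return "unknown";
}
```

The exact-match rule in the first check is the same one a password manager's autofill applies, which is why it stays silent on a lookalike page even when the page looks identical to the real one.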
Comments ( 167 )

I've seen these scams so many times, I instinctively avoid all links that beg me to click on them.

Yeah, I remember almost falling for one in Discord a couple of years ago. The robotic way the user was answering my questions and how quickly they responded should have made it clear that I was speaking with a bot. Either way, when I asked the admins of the server I shared with the scammer, I was informed of the ploy the scammer was using. Since then I’m more careful.

It’s amazing how you also took the time to create those first three screenshots.

Recently we’ve also been getting some weird blogs in foreign languages with very sus links as well.

Get all of thou a password manager and use a different thirty character randomized password for every site. I like 1Password.

Yeah it’s ridiculous who has ever logged out

I'm guessing whoever's doing the phishing is the one downvoting every comment here

if so, we know it's you m8 - you're not very good at this

...and some butthurt baby downvoted all the comments. I think you found your spammer, D.


Also, if you use a manager with browser integration it WILL usually tell you "Oh dear, I don't have ANY login+password for www,phishingsite,whatever" which is an excellent secondary fail-safe in case you fail to spot the scam and click on the link.

I mean, one should always check the URL. That screenshot clearly says "fimficton," like it's some kinda friendship weight measurement. And any popup message telling you about server errors (5xx errors) should be considered very sus. Most respectable server admins will ensure those errors have a dedicated page.

Also, your "totallylegituser" screenshots are great!

It's worth mentioning that you can hover your mouse over a hypertext link and you'll get a preview of the link's address, so you can see where it'll actually take you. Most browsers display that preview in the bottom left corner of your browser, iirc.

Yup. It takes a lot of time to reset all of your account's passwords to a password manager but it's totally worth it. I like to use Bitwarden for my needs.


It's worth mentioning that you can hover your mouse over a hypertext link and you'll get a preview of the link's address, so you can see where it'll actually take you. Most browsers display that preview in the bottom left corner of your browser, iirc.

Doesn’t always help. Link shorteners like bit.ly (the use of which is yet another clue that a link should be treated with suspicion!) can obfuscate the actual URL until the link is clicked. That said, there are browser extensions that can unshorten such links for perusal without following them.

Thanks for letting us know. Was getting worried when that banner warning popped up. Will be on guard for sure.

Luckily I'm naturally suspicious/paranoid of links like that by default, but still, gonna be keeping my eyes open.

There’s an easy trick to deal with this. Check the site. Look for any inconsistencies in the layout, not just the URL (although that is usually the smoking gun, at a glance you may not notice). I know for a fact that AO3 mirrors often feature strange details that give them away, like missing interface options and weird bugs. I wouldn’t be shocked if the same goes for stuff like this.

Yes to everything above and below. And one of the most important things is to always be aware of what you might be clicking on.

True story: just the other day I got a text that my Wells Fargo credit card had been frozen due to suspicious activity, please click the link to correct the issue.

Two small issues with the text.
1. It directed me to a tiny url link which I don't think any legitimate vendor would ever use. :twilightoops:
2. I do not have, and never have had, a Wells Fargo credit card. :pinkiehappy:

Things like this are why I never even open any text messages unless I'm fairly confident that it's legit. Don't want to accidentally send a read receipt to the potential fisherman.

oh, come on. they could at least try a less obvious trick.

like i would ever log out

or close my site window

or respond to a comment

I've been the victim of two scams, one of which fits this description. You may feel like you'd never fall for this, like I did, but the attempts never stop and eventually in a moment of weakness where I was overwhelmed by life coming at me all at once, my mind was busy with other problems and I didn't think twice. I have two-factor authentication everywhere that I can get one now. This was a very expensive life lesson.

I've been noticing some of those myself, though I didn't think to consider what exactly it was they were trying to accomplish. As a result, in the process of reporting some of those accounts, I — in immediate hindsight, really stupidly — clicked on two or three links to be 100% sure they were from bots. (I was operating under the erroneous assumption that they were "only" adbots trying to sell me things.)

With a singular exception (a fake login page I immediately exited out of), they all led to "404 error" messages, though I'm not entirely convinced that's what they truly were. I never entered any personal/account information, but would you suggest I change my password — or anything of the sort — just in case?

Either way, thanks for the heads up.

Wanderer D

5652815 Yes. Change your password. And make sure that if you use it for any other site, you also change the ones there. Like 5652796 said, a password manager is a good idea.

I got one a few days ago, but luckily my antivirus blocked it when I clicked it (I know, I know, I still beat myself over it) and I didn't enter any information, just got a heart attack for a second and understood what SpongeBob felt when he got hooked.

Followed the steps and learned a good lesson that day.

I had a feeling something was up when I saw that banner.

I just went and preemptively changed my password anyway.

Me who passed Computer exam: *prepared everything*

Sincerely appreciate the heads-up. :twilightsmile:

At last, a look into Wanderer’s internet tabs…

My question is why do they even want to phish brony information lmao

This should be part of the decade of schooling most developed countries force you to have. I mean, it's actually part of the curriculum now (or it was when I went to school up here in Canada, but I can't speak for the Uneducated States of America), but you might be shocked how old some of the people here are.

Honestly, someone leaves me a comment like that, I'm probably either ignoring or reporting it.

Of course, I also have a tendency not to respond to "Hi! How are you?" PMs, even when they look legit. I'm not exactly the most social...

--Sweetie Belle

The email, password, etcetera — especially if they're being used across sites — can be the phishers' gateway to more "valuable" information.

I wish Google would let me disable the simple 2FA "prompts" sent to Android in favor of using only the more complicated options. I'm terrified of accidentally accepting a fraudulent one.

I’ve seen enough from my email. Never thought I’d get one from this site too.

I saw that banner and I was like :trixieshiftleft: “What happened?”

Well, that explains it.

Least I know why, I won't bother ya again.

Thank you for providing information on this. A lot of times, from what I've experienced, a telltale sign of a scam is that someone is insisting that they're not scamming you. The fact that the guy said this was a totally legit website should cue people in that it's a scam.

What I find funny is even the website URL says, 'totallylegit' in it! LOL

But either way I think this is good that you're taking steps to inform people of what's going on. The fact that comments on this post are being downvoted means somebody doesn't like that you're calling them out on their shit. I love immature people, don't you?

I hate scammers and hackers alike. They need to get off their butts, get a job and stop stealing from people. I don't like scammers and hackers because they're the worst kind of thieves.

I was confused on why I wasn’t signed into this site so I just left that site and focused on my writing. Glad I did that.

Dang that’s scary, feel like it’s best for me to not log in till it’s over. Or at least only log in to write a story I’m writing...

I do have a question, are embedded links safe or should we be careful of them too?

Also, if someone were to press the link on accident would they and their account/data be safe if they quickly close the tab? Or would they need to do more?

Must be getting really bad if this site has to make a post like this.


SMS 2FA has flaws of its own, but it's better than nothing.

I actually liked the authenticator keychains that some places like The Old Republic tried to popularize a while back.


You cannot have a google account and have any expectation of security. Every word of their "Privacy policy" and account security pages is a lie.

Use FreeOTP+

Google is trash.

in the words of Dante


Oh? Which one?

Pretty much anyone can get an A+ Cert.

CCNA is where the fun is... That's what I'd say if Cisco weren't stool pigeons for the NSA pigs.

What a bunch of A-holes! For trying to do that to us, or anybody else. Thanks for that nice warning.

Got a 50/50 on my last Computer exam. That's all I have to say.

Are you referring to embed links such as YouTube videos?
