We Got Hacked AGAIN 

The “they caught me at exactly the wrong moment” part is crucial. No one is “too smart” to not fall for something like this if they’re caught in just the wrong moment-usually when they’re under some sort of other time pressure and stress and therefore aren’t thinking clearly. It happened to me with my Apple account on one particularly hectic morning when I was late for work, and I’m a 30 year veteran of “using computers on the Internet”. It only takes one perfect situation to catch you off your game to leave you with a mess to clean up. The good news is if you’re using a password manager and unique passwords for every service (including your password manager), it’s less likely something like this will totally ruin you.

There was a CEO of a cybersecurity company who got caught by their own internal Phishing testing and had to go for internal company phishing training. It can happen to anyone when their alertness drops. We have to be vigillent everytime, the hackers only have to be successful once.

If it makes anyone else feel better, my wife is now (today) the type of person to click on a text message link because "USPS" was unable to deliver a package and then proceed to enter our credit card information 😤 She told me to check the mail for a package that she was having an issue with and I asked her if she clicked on any links... Our cards are now cancelled 😂

You guys should start a tradition of yearly pentesting, hire a company that does all the stuff, lockpicking, phishing, hacking, social engineering etc, and let them pick a time and date without telling anyone they don't need to, and have a separate crew to follow them (or have them carry bodycams or whatever and be interviewed later or whatever format works), to get an infosec documentary video as a bonus :)

one of my family members was part of a cyber test at their workplace and they clicked the phishing mail link. somehow the site didn't load and later the cyber security team congratulated them on not falling for the phishing attempt.

For the first time in history, the grill has become an element of a hacker attack ))))

NOTE: Password resets should NEVER ask for old password.

Phishing can happen to anyone, its just human error. Glad to see its back!

This is among the reasons you use a password manager. Even if you know your password, your password manager will validate the URL.

Don't even google the number to your bank. Check the back of your bank card.

It's important to mention that even if you try to navigate to the website manually, to never click on the "sponsored" result for whatever website you are searching for. I cant remember which company it was, I think it was MSI, but a phishing site was getting the top search result whenever people looked up a gaming peripheral company to download their application to control their peripherals and the site had almost exactly the same url and copy and pasted the real MSI api download site so it was virtually indistinguishable.

15:00 Also be careful that you're looking at the actual site for whatever business you're interacting with and *not* an ad placed by a bad actor nor an AI generated summary containing bad data.

I've been getting realistic paypal emails lately. They skip my junk mail folder and everything. Pretty much do what they say. I log in to paypal not using the link in the email, see there's nothing there, and forget about it. I could definitely see how someone could fall for it though.

Luke teaches internet security for 25:44 haha. This is really nice to hear from the channel, as this is advice that we need to give to so many people who aren't as tech literate or knowledgeable as we are. Having a video to say that even the greats fall short sometimes, and then teach ways that many people can protect themselves would be brilliant!!

Got a text message 2 years ago from the NHS saying I’d come into contact with someone with COVID and I’d need to test myself, I could have the test for free but would have to pay postage and packing . I got to the point of entering my card details when I suddenly fell. why would the NHS Charge shipping on a public heath issue. They still got my address and phone number and I’ve been getting scam calls ever since.

Moral of the story is anyone can get caught if they catch you at the right time (wrong time). I almost got nabbed by one when I was at a party...it is so easy to have it happen if your distracted by something going on around you.

Really great that you guys were so open about this. Anytime this happens and people hide it we lose valuable information. I have not been fished yet but I know that's mostly because of training and hearing about stories like this.

Another thing is to ask the caller about the information they have on you, don't trust what they *are* who they say they are, but as you start looking for correct numbers to the bank or similar such, you might as well see what else they have on you, asking them to verify your social security number and name is correct, your bank number and whatever else you could think of that the caller might be able to supply, if nothing else, you'd learn what info they gathered/have about you.

Some people say I’m silly for storing 2FA in a manager which can autofill it. But… it won’t offer to fill my 2FA automatically on a spoof site… Source: accidentally been there done that, wondered why the 2FA wasn’t offering to fill, realised the site was subtly not the right site.

Its hard when most scam email detection tricks dont work on a touchscreen when your on your phone. You dont always see where the email came from, if you could recognize the fake look alike address. its incredibly hard, if you can at all, see where a link goes before clicking it. On iphone you get a page preview if you click and hold but I don't recall ever seeing the address. And when was the last time you interacted with the footer buttons on a web page? You would have to scroll to even see them on your phone. And with the state of twiterX, wouldn't you believe part of the site is broken?

I work in IT, some people are completely clueless. Once had a lady call me, not because she thinks she got a phishing email, but because the link in the phishing email wasn't working and she wanted me to make it work. /faceslap What makes it even more egregious, our internal email server automatically places a tag of [EXTERNAL] to the front of all email topics from email addresses that are from an external to the network address, and everyone is taught to never click links in external email addresses unless you know 100% it is legit, because you just requested that person to email it to you.

Theory: Linus subconsciously fell for the phishing attack because his drive to create content and teach people runs that deep, as well as knowing it was an account that was sacrificable, especially for the sake of the videos.

It's rough getting tagged with a phish. Thankfully, I've never taken the bait in the real. Internally, within our enterprise partner phish testing, I have absolutely clicked on two of our internal tests. It's super hard with the newer AI generated phishing tools. They're so GD official looking. Even hover checking links or exposing the full address is incredibly difficult unless you know absolutely every domain your company owns and which ones it doesn't.

>Linus: I was rushin... (russia pun) Me: If you're not rushin, you're goin' too slow. So quit stallin. lol

You should take a burner phone to Defcon.

8:30 lmao "fool me twice, shame on you" pie

Just goes to show, YOU ARE NOT BETTER. You are not smarter than hackers, you are not better, you do not know better. You may be those things most of the time, but confidence is gonna shoot you in your foot if the stars align. Just be careful and take threats seriously. Don’t be rash. Live by those rules and you can hopefully avoid some scams that would have otherwise caught you off guard or tricked you

24:01 Brings back memories of all those popular RU-vid people back then, that we never see anymore. It was so different back then.

Hats off to Linus for falling on his sword, admitting that he done F-ed up and turning it into a learning experience for not him but his audience too.

In case anyone doesn’t know or doesn’t see these types of attacks much: these happen all of the time and are the biggest security risk in any organization. Poor memory management in code and phishing emails are the two most common attack vectors for attackers. Linus shouldn’t feel bad about this. It happens to everyone.

Got fished once, actually checked the DNS record of the site I was at, which seemed somewhat plausible.What got we was a perfect recreation of a Steamlogin in a emulated windows/chrome browser window.... Turns out that was not enough to do any serious damage so they tried to contact me to get more access, so I reset my password while stalling them sucessfully...

Linus' privacy might be so dead, but he's done an ADMIRABLE job with his kids' privacy. Not even having their names shared on any video, repeatedly referring to his eldest as "boy" or "son" rather than by name, things like that. Can't even 100% say for sure I know the order they were born in, honestly. I think that's admirable.

16:04 "don't trust that the caller ID is valid" I have gotten caller ID as my own number. I was in class and couldn't answer, called it back later and got my voicemail inbox. I was very confused for a minute

“a whale is not a fish” unless you classify all vertebrates as fish, a there’s a very good argument for doing so.

I am genuinely surprised Linus fell for this. That's rule #1 never follow links through emails.

Timing is a huge part. The only phishing scam i hade ever fallen for was for a toll network that i had hone through the day before and was going to pay it off that day.

I think the wale not actually being a fish (but rather a "fake fish") is extra funny in the context of phishing

Its always funny how fast it is to reset 2FA yet everyone enforces it to give you a false sense of security.

"wE gOt hAcKed!" Literally gives his password to someone.

It happens, man. I've worked in IT security for almost a decade now and have seen some phishing emails where I'm just like, "damn...I probably woulda clicked that, too." Seen some REALLY good Apple imitations, but the best, by far, was a USPS "sorry we missed your delivery" one...not only did it look SPOT ON, they also sent it, no joke, to a shipping manager.

Use password managers, people. On phishing websites, password managers won't autofill because the domains don't match. If it doesn’t autofill when you expect it to, that's a huge red flag.

Unless you are signed into a site it they will NEVER ask for your old or existing password Enter old or existing password for absolutely everything ive even changed a password on is only ever shown when signed in and going to change the password from inside the account settings Also resetting a password never asks for 2FA, 2FA is for signing in not for changing a password they are separated for this exact reason

Something I have been learning recently: Confusion means something isn't lining up with your mental model of the world. Yes that is the definition, but if you can recognize when you are confused, then you can start looking for what isn't lining up.

Strangely enough, I've been stuck in a similar situation. End of a 16-hour shift, was expecting an important parcel, picked up an unknown number and typed the OTP. Spent the better half of the next day with the bank

If you receive an email like this never touch it. Always go to your account yourself and reset the password that way. Never just trust an email like this. Give every email the attention and respect it deserves.

A good point that I've learned about computer security: it's like a machine's efficiency. It can never be 100%, you'll always need at least one hole, which is the legit one, the one where you get in. You can always have due diligence and you can have extra steps for your internet security, but remember it can never be air tight.

Dan's humor is the most under appreciated. I love his dry sense of humor!

In the Bundeswehr, the S2 would send an email from an obfuscated account to everybody, telling them they were chosen to win an Amazon gift card. You're not supposed to click the link, obviously. Still, there will always be people afterwards with an appointment with the unit's S2 because they *did*. Me, personally? I'd just forward the link to one of our S2 officers with whom I was pretty friendly, telling them I didn't click the link and if that qualified me for actually receiving their Amazon gift card. "You're not supposed to forward the mail, and no." Every year.

It would be really nice on clips like this where LL&|D are referring to and telling us to check out another video if it were linked in the description.

The only time I got scammed in a MMO very long time ago was a day where I was doing 3 things in parallel. When you multitask things, your usual safety check and 'this is fishy' detector falls apart very quickly.

Phishing scams are obvious on the surface, but given life coincidences and timings, anyone can fall for them

Password reset emails seem to be training people to click email links. Usually that's the only way to reset as they send you the email when you request a reset. You're expecting a reset email during a narrow window of time so it's unlikely that a phishing one will fool you, but generally you are being trained to trust links in email. So when you get an email to reset your password outside this context, you'll be primed to not think twice.

I know its not common but search engines can be manipulated in terms of contact info. For banks specifically, if youre called or emailed by someone who claims your account is at risk for whatever reason you should ask for their name and extension, then call the number listed on your physical bank card.

another justification for not using email on my phone except in an emergency. I always highlight the link to see the URL before clicking, on top of the server and thunderbird's own spam checker. and then PW manager is like "I have no memory of this place". This is also why I HATE that companies will use 500 domains. Is this microsoft? i have no idea. edit: OH, and you load a site and it's like "lol, here's 20 other services we use that you've never heard of before" so you can't implement a good domain whitelist without breaking EVERYTHING

I deleted my Twitter account, back when the site was falling apart after the acquisition, and I do not miss it.

The amount of bots in the comments wtf...

It reminded me of a Blizzard story told by Thor The Almighty Gobling King about security training... *everyone* should do regular security training...

missed opportunity to make the merch "got phished?"

10:01 I feel like the stupid name change is an underrated player here. Because, "well, I guess they could be using multiple random domains" is pretty valid when the website is LITERALLY JUST A LETTER and has changed multiple times

I like how they list future steps ignoring the most crucial. Stop, breath, think. if it is a breach 5 extra minutes won't make a noticeable difference.

Never Google a customer service number. Somehow Google also can give out fake numbers. Always use the official website for customer service contact.

At least we won't have to worry about in-person phishing yet. (If the building is inconsistent with its surroundings, has no stains or markings on the walls, or ones that don't reflect a realistic pattern of use, or the dishes or appliances don't make sense together, or the person you're talking to reacts to near infrared light, does not sweat, or has duplicated patterns anywhere on their body, make any excuse and then leave immediately)

In Australia we have a lot of calls where they claim we owe a tax bill and that there is a warrant out for our arrest. The first time I had that call I nearly fell for it. But I did ask for their name, the place they work at, and how I can contact them back. They refused to give me a return phone number. That was what made me truly believe it was a scammer.

Rule of thumb. Ignore X. Otherwise you'll be wondering Y 😋.

Humble pie just seems like an extremely delicious regular pie that was pre-warmed no less

It keeps happening to my Dad, I've no idea how to help him stop it. He's an old guy and just doesn't "get it", but yeah, it can and does happen to anyone. Thanks for the video

The mail hiding thing totally sounds like an Apple design choice that catched on.

"I wanna go home..." Yeah.... "...and start filming this immediately." WHAT?

This is an informative case study. The only reason I knew about any of this before this video is that my employer takes phishing very seriously. Most people don't know what phishing is, how to identify it, or what to do about it.

I usually check the sender of the email, that's the first most important thing to me, as usually it will be from an email tied to their domain. Additionally, I keep a few different emails for different accounts. There's the "important" ones, and the actually important ones. Then there's an email I sign up to random stuff with, scammers often spam that one, and it's funny reading things there.

Something that almost convinced me was email spoofing. I knew that an email could be made to look like it was sent from a similar account, but what I didn't know is that spammers can use your actual email adres in the 'from' field without having access to your account..

One of the reasons why I prefer watching waveform instead of the wan show is because even though they are similar I feel like they keep interrupting each other like 5 times a second

Just pointing it out as it wasn't discussed in this video but I ALWAYS check the domain in the browser address bar before entering any sensitive information into a website, 100% of the time - it really doesn't take any extra time.

The part of me says: "This is so obvious, even that IP is not possible..." The other part who knows Cybetsecurity realizes: "I'd have fallen for that given few beers and time pressure." 😬

Since using a password manager (stored on my local network since cloud services constantly get hacked), I'm immediately made aware of phishing when the password manager doesn't filled the field its supposed to, meaning the url is somewhat fishy. But I can't predict what would happened if it was "at a bad time" (very busy, intoxicated, etc.).

I feel you. I also like to think I'm above this, but I had a slip up once. I got a work email that sounded like it was actually related to an IT support ticket I opened the day before (total coincidence). The login page looked legit (even the url, which was actually a real Sharepoint url, I checked even that). A major red flag should have been that my password manager failed to get the right credcentials automatically (because the login url didn't match), but I thought it was just a hickup. Luckily it wasn't a real phishing attack, but just a test by the company to see who would fall for it. And they did something quite clever: once you entered your real credentials, the system would use them to automatically sign you up for a cyber security awareness seminar.

The only sure fire way to avoid this is just take up the practice of never clicking links no matter how legit it looks. If you get any email like that, just ignore that and go directly to the real website you know of and try to login and/or reset your password there, if it requires doing it in an email, trigger the reset email yourself and wait for that new one to come in. Emails are never a place to click links unless you were expecting that email from someone you know or its a 2 factor or rest thing you KNOW you triggered. Its just not worth taking that risk. I wish companies would default to not including links like that and just send the email to tell people to go to the website to reset their password, it would be more inconvenient but would have a huge impact on account security if people were required to manually trigger the reset themselves. Edit: Really though, very glad how transparent Linus and the whole LTT team is about stuff like this. Great teachable moment for everyone and the humble pie is great. I typed up the above early and Linus did eventually briefly mention navigating to the website manually to reset passwords, I wish he would talk more about that so more people can hear about it. The part describing how to tell if something is real is great but I'd just recommend these days to always assume its fake right from the beginning.

This really shows that NO ONE is completely immune to being taken in. Probably one of the worst things you can do for your own Internet security is to let yourself think you wouldn't fall for obvious tricks. (Not saying Linus was guilty of this, to be clear.) Atomic Shrimp has made videos in his scam-baiting series talking about exactly this. It's a constant cat-and-mouse game out there.

i could listen luke ramble for hours

It can be easy to be phished if the URL looks a lot like the real one.

Important note as well, a password change screen will usually never ask you to enter your old password

I want a hubleberry pie shirt with the text "It's ok, my mouth does that anyway"

4:20 I actually learn about most of LTT's happenings via Twitter. Not everything is ROI.

It really does feel like LTT is just starting a new peak era if not THE peak era

Uh, where's the link to guy's video about it? You said it would be below...

"just caught me at the wrong moment" sounds like something i might say to cover up my inebriation.

The first thing I do is check headers on e-mail when I get something like this. Headers are your friend. The other thing is that in order to log into your account, they would have had to have known your password as well as your TFA code. That said, I appreciate you were distracted. Nothing distracts like food and fire. And why don't you of all people, have a log-in only e-mail address that no one else ever sees and you never share?

It was mentioned that hovering the hyperlink would show it not going to an x domain, however now a days it's common practice for all hyperlinks to go through a 3rd party cookie tracking service to measure engagement from emails. I don't think it's deliberate that many companies use it for their reset password emails too, but I have seen it plenty of times so hovering the hyperlink is not always applicable

I didn't even know Luke had a channel of his own. 😂

Sorry you got hacked but, happy about the team looking to jump from twitter lol

A while ago my bank called me because I fell for a phishing scam, and I just wasn't skeptical at all. I definitely should have been, but thankfully it was real. They called me minutes after I actually fell for it, and then all they asked me was "was this you" and "do you want us to change your card". No identifying information at all. I said yes change my card and it was done.

I only check my email once a day, and i dread doing it because of all the spam. No matter how many i mark as spam, it just keeps flooding in. And I've opened new email accounts, and never used them, yet they get spammed. So the email providing services must be sharing our email addresses with advertisers or something.

I love listening to tech from a guy that falls for basic phishing

If I had a nickel for every time a LTT account got hacked, I’d have two nickels. It’s not a lot but it’s weird that it happened twice.

The whale on the "got phish" design should have a black fedora to represent "black hat" hackers.

Twitter is a hellscape anyway

Acting fast is definitely important, a month ago my Sony Account was hacked and while I only have it for HD2 and didn't care much, they took maybe 3 minutes to completely take over my account and make a purchase. After finally finding a support phone number, the support was actually very quick to rerverse everything and get my account back. Sony can still f themselves for a variety of reasons but at least that experience didn't leave a bad taste.

As a South African, hearing EFF made my ears perk up with fear!

tbh phishing can happen to even the most technical computer guy, as long as that person is not thinking right or bothered by something else.

My mum got very close to being scammed by people claiming to be from HMRC (the tax people of the UK). I came home one day and found the door on the chain, her crying and terrified because they had threatened to come round to her house after she was finally told by her bank that it was a scam The deepest circle of hell is meant for these sorts of people...