by beefield 2108 days ago
> I suppose the real lesson to be learned is to

...never, ever buy or even take anything from anyone who approaches you without you being the original initiator of the communication. Simple rule that applies to both online and real world and makes your life simpler and safer.

This is an old tip my father gave me 40+ years ago that applies to banking, mortgages, insurance, investing, credit cards, and all personal finance.
Also a very good rule of thumb for recreational drugs and other illicit activities.
This is my strategy as well. If I want something I initiate a search. Incoming sales attempts do not exist in my universe.
If you want to see where Google search results really point to, you can right click it and then hover over it to get the real destination... it's been like this for 15+ years (Google changes the destination on-click).
Thanks, I'll be sure to explain this to all my friends and family, right after I teach them what onclick, "real destination", "hover", etc. mean.
I think that it is pretty screwed up that browsers allow this "feature"...
Just checked; and while they did indeed used to change the URL (on mousedown (!) - which was infuriating, because right-clicking to copy URLs produced a mess I'd then have to pass to data:text/plain,... in a new tab to extract the URL-encoded... agh), they currently really do just leave the link alone now.

They just fire off a request to google.com/url?... to track the click before letting you on your merry way.

Sigh

That used to be my strategy until a salesman knocked on my door offering heavily discounted ceiling insulation, which is something I had half-heartedly always wanted but never got round to buying. He said my address was one chosen by the government to give a subsidy to but funds were limited so it was first come first served or risk missing out. Sounded suspicious so I checked with the government who confirmed everything the salesman said was true. I got a 2nd quote from another installer but the door-knocker was cheaper so I bought his. I wouldn't have known the subsidy was available without him and would have missed out on a genuine rare high-value giveaway.
Same with phone calls or mail. Look them up on the web and go through their web site for numbers/email addresses.
Great point. When the IRS phone call scam first came around it scared the crap out of me for a second but a quick search revealed the truth.
Also works nicely against advertising too, a good principle ;)
The sad thing is, this is simultaneously the only way to stay safe AND also the underpinning of almost the entire ad industry - and in turn about half of the money that funds what we think of as "the internet" today.

It really sucks that it seems like we've built the most important infrastructure of our generation effectively on quicksand.

There's a current scam going on right now where people are getting calls to get in on the ground floor of the "Stripe IPO"...
Really nice guideline for work. Should spread it around.
meh, he calls out the exact mistake he made. If I see an ad and like the product, I go to the domain. If the domain is legit (e.g. not developgameonline@gmail.com), you can start to feel pretty good about it. We run ads. If you google my company's name ("seekwell"), the entire first page is properties that we've owned for years. This includes podcasts and youtube videos.

It's ok for the initial pull to be an ad, but only buy from the source.

Not at all fool-proof.

What if they can register a very similar / regional domain that you didn’t set up already?

Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too. It’s just not practical to examine and confirm the cert manually for every company you interact with online.

These internets are dangerous, even if you know what you’re doing.

The people here posting about how clever/careful they are, which is why they haven't been scammed, are the ones I see as most likely to get scammed (if they haven't been already without realizing). You're best protection against being tricked is realizing that you can be tricked.
*your. This was the last straw. I've finally had enough of my OnePlus autoincorrecting me all the time.
> Normal rules don’t apply when you’re a criminal so spoofing SSL cert names is something you might as well do too

SAN dnsNames in certificates in the Web PKI are verified by the issuer - these days using one of the Ten Blessed Methods. It would certainly be possible to obtain certificates for a name you don't actually own, but it's a bit beyond the usual casual crooks that run scams like this. We see what appear to be nation state adversaries doing it, as part of wider targeted hijack schemes (e.g. to intercept IMAP credentials for a foreign government agency) but it's definitely not something you see an ad scammer doing.

Any vaguely competent modern browser checks the certificate is trusted in the Web PKI and that it matches the SAN dnsNames to the FQDN in the URL exactly so there's no room for any funny business there.

And human readable names in end entity certificates are largely irrelevant. Nobody looks at them, who cares?
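The exact SAN dnsName matching described in the comment above, written out as an added Python example (not code from the thread): a hostname taken from the URL must equal one of the certificate's dnsNames, with a wildcard accepted only as the whole leftmost label, as modern browsers do. Domain names below are constructed for illustration.

```python
from urllib.parse import urlsplit


def _match_one(pattern: str, host: str) -> bool:
    """Does a single SAN dnsName (possibly wildcard) match host?

    Comparison is case-insensitive and ignores a trailing dot. Wildcards follow
    the strict browser rule: '*' must be the entire leftmost label, the pattern
    needs at least two more labels (so '*.com' is rejected), and the wildcard
    covers exactly one label ('*.example.com' does not match 'a.b.example.com').
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host          # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                    # partial wildcard or too-broad wildcard
    if any("*" in label for label in p_labels[1:]):
        return False                    # wildcard only allowed in the leftmost label
    if len(h_labels) != len(p_labels):
        return False                    # wildcard stands for exactly one label
    return h_labels[1:] == p_labels[1:]


def hostname_matches(san_dns_names, host: str) -> bool:
    """True if host matches any dnsName in the certificate's SAN extension."""
    return any(_match_one(name, host) for name in san_dns_names)


def url_matches_cert(url: str, san_dns_names) -> bool:
    """Extract the FQDN from the URL the user is visiting and check it against the cert."""
    host = urlsplit(url).hostname
    return host is not None and hostname_matches(san_dns_names, host)


if __name__ == "__main__":
    # constructed cases: one-letter lookalike domains never match the real name
    print(url_matches_cert("https://news.ycombinator.com/item?id=1", ["news.ycombinator.com"]))
    print(url_matches_cert("https://news.ycombimator.com/item?id=1", ["news.ycombinator.com"]))
    print(hostname_matches(["*.example.com"], "a.b.example.com"))
```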

You are replying to a point that the GP didn't make. This was the precursor for the might-as-well-go-for-letsencrypt statement:

"What if they can register a very similar / regional domain that you didn’t set up already?"

In other words, they register fakebook.com and then just go get a TLS cert for it. If you're not looking carefully, you might not notice the difference.

Whether the CA system, with fungible, interchangeable certificates that can be issued by dozens of CAs (pinning excepted), is worth sinking lots of trust into is an entirely different matter ;)

The Web PKI does a pretty good job of making the web browser do what lay people assume it did anyway. Surely this is news.ycombinator.com or else why does it say so in the URL bar? Without the Web PKI there was no assurance of that whatsoever, which is not intuitively obvious.

But a very similar domain is the wrong domain. This is not a great novelty, people are aware that a ROJEX watch isn't the real deal, no surprise Fakebook isn't the social media site you actually wanted either.

In terms of authentication, this is where WebAuthn shines because it's tied to that actual domain name. Even if you're 100% dead certain this is really Facebook, your WebAuthn authenticator can't help you. There is no "Look, I know the URL says Fakebook, but ignore that, I am 100% sure this is really Facebook, just shut up and take my money" button.
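The origin binding the comment above credits WebAuthn with, as an added Python example that is not part of the thread: the browser puts the page origin into clientDataJSON and the authenticator hashes the RP ID into authenticatorData, and the relying party rejects an assertion whose origin or rpIdHash is not its own. An HMAC over a constructed shared secret stands in for the authenticator's private-key signature so the example runs offline; the domains and challenge are constructed.

```python
import hashlib
import hmac
import json
import struct


def _sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for the per-credential asymmetric signature (constructed; real
    # authenticators sign with a private key the relying party never sees).
    return hmac.new(key, data, hashlib.sha256).digest()


def make_assertion(rp_id: str, origin: str, challenge: bytes, key: bytes) -> dict:
    """Simulate browser + authenticator answering navigator.credentials.get().

    The browser, not the page, fills in origin and picks rp_id (which must be a
    registrable suffix of origin). The authenticator signs authenticatorData
    (rpIdHash || flags || signCount) concatenated with SHA-256(clientDataJSON).
    """
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    sig = _sign(key, auth_data + hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion: dict, expected_rp_id: str, expected_origin: str,
                     challenge: bytes, key: bytes) -> bool:
    """Relying-party side checks from the WebAuthn verification procedure."""
    cd = json.loads(assertion["clientDataJSON"])
    ad = assertion["authenticatorData"]
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:                  # origin must be ours
        return False
    if ad[:32] != hashlib.sha256(expected_rp_id.encode()).digest():  # rpIdHash must be ours
        return False
    if not ad[32] & 0x01:                                    # user-present flag
        return False
    expected = _sign(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest())
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> tuple:
    key, chal = b"constructed-credential-secret", b"\x01" * 16
    good = make_assertion("facebook.com", "https://facebook.com", chal, key)
    # A lookalike site relaying the login gets an assertion bound to its own origin.
    phish = make_assertion("fakebook.com", "https://fakebook.com", chal, key)
    # Even rewriting clientDataJSON to claim the real origin leaves rpIdHash wrong.
    forged = dict(phish, clientDataJSON=good["clientDataJSON"])
    rp = ("facebook.com", "https://facebook.com", chal, key)
    return (verify_assertion(good, *rp), verify_assertion(phish, *rp), verify_assertion(forged, *rp))
```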

So my point was that having news.ycombimator.com in the title and address bar is not going to flag anything if they both match and have an SSL cert that's been signed by an authority.

Probably more relevant is that if I have registered luxowatch.com to sell my lovely watches, but am a small store, I certainly won't have registered (as yet) a bunch of global domains. There's nothing stopping you registering luxowatch.co.uk or luxowatch.net with a valid SSL cert to scam my potential customers. Cloning my site to one of those domains (with cert) can be done almost instantly for close to zero cost.

You're proving my point, Google the company's name. I'd like to see an example of a fake company you can Google and get good results on.