It's impossible to overestimate the power of expectations to create trust (even in the face of contrary indications).
This just almost happened to me this week: A couple of days ago I wrote an email to a friend I hadn't been in touch with for several years. A day later I got a message from him on Facebook with what looked like a YouTube link and the cryptic message, "It's you?"
I didn't want to see myself on a random YouTube video I had never heard of, so I wrote back that I didn't want to click.
Then the next day my friend announced that his account had been hacked and that those messages were spam/malware, with a bad impersonation of a YouTube link. But I was so sure it was a legit message from my friend that I didn't even notice that the link didn't actually go to YouTube. Fortunately I never clicked it, but just like the OP, it was blind luck.
A few days ago, I also received the same message from a friend with a link to a fake YouTube page, but unlike you, I actually clicked it despite intuitively knowing that it was malicious. Seemed like a "regular" phishing attempt but I now wonder if it is more than that, having read this article.
That's what I keep my old Blackberry Z10 for.
If I get something weird or want to go to dangerous places on the internet (for research obviously) I use that thing.
I'm pretty sure no one writes a 0-day for a 0.0% market share device.
Couple of years ago a significant news site here in .no had their ad network hacked. The result was that if you were browsing that site that morning, and were a customer of the largest bank in .no, you'd silently get served some software which would do a MITM attack against the online account page of said bank, redirecting any payments you did without your knowledge.
All you had to do was to visit that site with Java installed on that computer, which most users of said bank did because their 2-factor login relied on Java...
I use Firefox which I've locked down pretty hard. No site gets to run active content of any kind by default. No Java, not even JavaScript. That and all the ad-blocking really limits likelihood of my getting infected from just an initial click, but even that isn't foolproof. IE once managed to let attackers get you just by viewing an image (CVE-2005-2308).
0-days are not limited to JavaScript - the next one might well be in the canvas/image/svg renderer. When someone has targeted you with a 0-day and you load the website they compromised, all bets are off.
This attitude is exactly what the spear-phisher is hoping for! Mac people, especially, think their OS is "secure by design" (as Apple says it is) and there's no way they can be attacked.
Take another look at the article! This took advantage of a Firefox 0day that really could run software outside the browser's sandbox just by clicking on a link.
If that link has a browser 0day, it can. If that link takes you to a page you expect to demand login creds (google groups, youtube, google docs), it can.