- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
He must have been really tired; he even stated all the warning signs he ignored.
If anything, it should just be a warning that literally anyone can make a mistake due to stress/fatigue/whatever.
Solving the “being human” part of security will probably never happen, which is why you’re encouraged to do stuff like use 2FA, different passwords, service isolation and stuff like that.
Anyone and everyone can be fooled at some point, best to try and limit the damage.
I just never click links in email.
If you use a password manager, it won't fill credentials because it will be the wrong domain.
Unfortunately the article said he just put in his credentials anyway, even though his password manager wouldn't autofill for him. Pretty stupid, but at least he acknowledges it.
I clicked one once by accident when trying to select it. You can be as diligent as you want; you will still slip up from time to time.
Exactly. Put as many obstacles as possible into the path of scammers, and give yourself as many chances as possible to stop said scammers, and all without making services too annoying to use.
MFA + password manager seems to work well.
FIDO2 and security keys are the closest things we have to a solution. Unfortunately far too few companies support them. It would have saved him here because each credential only works with the proper URL for it.
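To make the "each credential only works with the proper URL" point concrete, here is an added example (not code from the thread, from Troy Hunt's post, or from any FIDO2 library) of the relying-party-side binding checks in a WebAuthn assertion: the origin inside clientDataJSON must be one of the site's own origins, and the first 32 bytes of authenticatorData must equal sha256 of the site's rpId. The rpId, origins, challenge and helper functions are all assumptions constructed for the demo, and the signature check over authenticatorData || sha256(clientDataJSON) is deliberately left out so the focus stays on why a lookalike domain cannot present a real site's credential.

```python
import hashlib
import json

# Added example; rpId and origins are assumptions for the demo, not
# Mailchimp's real WebAuthn configuration.
RP_ID = "mailchimp.com"
ALLOWED_ORIGINS = {"https://login.mailchimp.com", "https://mailchimp.com"}


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_challenge: str):
    """Return (ok, reason) for the non-signature checks a relying party makes.

    The signature over authenticatorData || sha256(clientDataJSON) is what
    proves key possession; it is omitted here on purpose.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = cd.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # A phishing page at another origin never passes this check, because
        # the browser writes the page's real origin into clientDataJSON.
        return False, f"origin {origin!r} is not this RP"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        # The authenticator hashes the rpId the browser gave it, which must be
        # a registrable-domain suffix of the page origin.
        return False, "rpIdHash does not match this RP"
    if not authenticator_data[32] & 0x01:          # UP (user present) flag
        return False, "user presence flag not set"
    return True, "ok"


# Constructed helpers standing in for what a browser/authenticator would send.
def make_client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; real ones are random per login

if __name__ == "__main__":
    good = verify_binding(make_client_data("https://login.mailchimp.com", CHALLENGE),
                          make_authenticator_data(RP_ID), CHALLENGE)
    # Lookalike origin (constructed): the browser scopes the credential to that
    # page's own rpId, so both the origin and rpIdHash checks fail at the real RP.
    phish = verify_binding(make_client_data("https://mailchimp-login.example", CHALLENGE),
                           make_authenticator_data("mailchimp-login.example"), CHALLENGE)
    print(good, phish)
```

The practical consequence is the one the comment states: a user can be tricked into pressing the key on a phishing page, but the assertion that comes back is bound to that page's origin and is useless against the real site.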
At this point it is safe to assume you will fall for scams like this in your life. They are too much like the real thing. We need the laws and police to catch up to investigating this, thus making crime not pay (most of this is from countries that don't work with police, so probably some major international efforts are required as well).
I almost fell for a bank scam a couple years back. Basically, I had just gotten a new phone w/ GrapheneOS, which doesn’t have Google’s scam number protection (I was well aware, that’s not the issue) and I hadn’t yet transferred my contacts, and I received a call about a fraud alert on a card. This has happened a few times, and usually it’s a pretty straightforward call where they verify my identity before asking me about certain transactions. As a bit of background, I was on vacation at the time and I got the call while waiting in the parking lot while my SO ordered something at a food truck.
Anyway, the call progressed like this:
- Mentioned <card type>, which I have
- Asked to verify my identity with a code to my phone - standard
- Went over a couple suspicious transactions, which I confirmed weren't me
- Asked to verify my identity again, and that’s where I got suspicious, so I didn’t provide it
I immediately called my bank and sorted things out, and we figured out nothing was stolen because I didn’t provide the second code (that was to link an external account to suck my money out). Because I was in an unfamiliar setting and honestly pretty tired (we drove all day the day before), I just skimmed the text in step 2 w/o reading that it was a user-initiated code (i.e. for a password reset) instead of a bank initiated code (i.e. verify identity).
I consider myself a pretty security-conscious person. I use a password manager, MFA everywhere I can (preferring TOTP), I’m a lead backend SW engineer who has caught multiple security issues, etc. However, I fell for the scam and missed the safeguard that should have protected me. Fortunately it all worked out, but I did have to change all of my account numbers and login, which wasn’t particularly fun while on vacation. That bank is fortunately one of the few that supports TOTP in my country, though I had avoided setting it up because it required a special app (Symantec VIP) and calling in (no self-service). I now have it set up and feel much better about my account security.
I'm fairly certain I annoy the people at my bank because I always insist on calling them back at their official number if they ask for any personal information. I don't fuck around with my bank security. I did, however, get got a couple more years ago, back when the Chrome browser-window phishing attack first started, and had my Steam account stolen for a solid minute.
That's the attack where they simulate a browser window, so what you think is an OAuth popup is actually just in-page JavaScript and CSS.
Yeah, I'd really rather avoid waiting on hold every time there's a fraud alert or something. It doesn't happen a lot, but I have a lot of cards (like 10) and I often have one that gets an alert most years. It's usually not an issue, especially since I don't usually have money at the same institutions where I have a credit card. This was a special one: it's a card I only use at like 3 places (Steam being one of them) because it's for purely personal spending (as opposed to "family" spending).
If I wasn’t on vacation, hadn’t just gotten a new phone (I enter my bank’s numbers as contacts), or wasn’t impatient (I was hungry and waiting for food), it wouldn’t have been an issue. It was just a perfect storm of opportunity. Now it’s even less likely because I now use TOTP and my understanding is that there’s no reason the bank would ever ask for that code (I think they only send text).
It happens.
Yup, what you're describing sounds in line with how Cory Doctorow fell victim to fraud.
It’s completely different. In that case, they were able to set up a fake business to accept payments, which is way more sophisticated than what happened to me. In my case, they just needed my login name and phone number, and I had reused the login name on several sites, so a number of places could have been involved in a breach. All the scammer had to do in my case was:
- check if I have an account at a major banking institution
- call me, pretending to be the fraud department
- get me to give them my SMS code (they’d trigger through the normal “forgot my password” process)
- keep me on the line long enough to link an external account
- get me to give them another SMS code (“final authorization” or whatever)
That's it, just two pieces of information, some smooth talking, and a little luck that I don't catch on. Cory Doctorow's situation required quite a bit more setup than that:
- get Amex to approve them as a merchant
- create a fake online ordering website that gets enough SEO to show up in search results
- have someone actually place an order at the vendor so nobody gets wise
That’s a lot more sophisticated than what happened to me.
He got scammed again? Damn. Sorry, I was referring to this one. And not really the details of the scam, but it was the wrong place / wrong time element that reminded me.
Edit: the article you linked is older, so I guess not “again”.
Oh yeah, that’s a lot more similar.
Asked to verify my identity with a code to my phone - standard
No, absolutely not standard. This is where red flags should go up. If your bank texts you a code when you log in, then that's what the scammers are doing (trying to log in as you, triggering the website to send you the code to confirm that it's you logging in (except it's not you, it's them), and then getting you to tell them the code so they can finish logging into your account).
There are two types of texts:
- 2FA - usually says something like “we’ll never text you this code, don’t give it to anyone”
- ID verification - pushed by a rep while on a call, and doesn’t have the “we’ll never text you this code” bit
The first is needed for user-initiated actions, the second is only used to ensure the person you’re talking to has access to the device on file.
When I called the actual bank, they did the second one to reset my account credentials, and again when I set up the MFA app after the trip. It’s absolutely a thing. When I call for help navigating the website, the person on the phone walks me through the SMS verification process, but explicitly tells me to not tell them that first type of code.
Scammers do the first and cannot do the second, which is why they have the warning text on the first and not the second (though there is different warning, which makes it clear they’re different). My fail was skimming the text for the number and ignoring the warning about not giving it to anyone.
I personally know of two different banks who send a notification to your phone app to verify that it’s you they are speaking with on the phone, and they will do this even when it’s them that called you and not the other way around.
It’s security theater as it doesn’t prove anything to either party (as it’s trivial for scammers to have a man-in-the-middle) but they still do it.
Then you tell them you will call them back, hang up, call the bank yourself and do it that way. If they are legit, they can tell you their name and extension and you can verify that is even real when you personally call the bank.
I did this once, it was legitimate, but he refused to tell me even what department he called from. I said I wasn't going to give personal info to an incoming call and I wasn't calling back unless I knew why. He ended up mailing me a letter instead.
I almost got scammed a few years ago by being called about fraudulent activity the day after I reported fraudulent activities. In hindsight I think they just got lucky with timing, but I take no chances now.
Ever noticed how, decades ago, if someone defeated a bank's security we called it bank robbery, but now it's called identity theft and we get blamed for it?
USAA does this when someone calls in, but I think that last part is the real difference here.
That’s exactly the issue, how do you prosecute hackers from countries that either a) don’t care because they’re collapsing/at war/etc or b) actively encourage hackers like DPRK, Russia, China.
There’s no way to realistically police it without some One World Government type shit. All we can do is practice good security.
I’m just glad I got my parents trained enough to immediately contact me for anything that seems “off”. The result is that they panic needlessly almost daily, but I still prefer that over getting the dreaded “they emptied all our accounts” call.
Perhaps Jason Statham can be part of the solution, a la The Beekeeper
If anyone hasn't seen the videos Jim Browning did a while back about gaining access to an Indian scam call centre's network and, subsequently, their cameras, it's a fascinating watch but also pretty concerning.
https://youtube.com/playlist?list=PLBNmQJqxpaMaxqghShRiOnHUjO00ZCsor
One of the worst parts is that sometimes the police are on the scammers' payroll, making it hard to take action. It would likely take an international effort to even make a dent against these kinds of places. They make a ton of money off these scams, so it's going to keep happening.
police excelling at anything other than enforcing a state monopoly on violence
I, too, would love to live in a fantasy world
police excelling at anything other than enforcing a state monopoly on violence
That’s pretty much what the police’s job is though. But there are supposed to be safeguards in place to make sure they don’t abuse that monopoly.
I’ve clicked an obvious phishing link once in an isolated environment with a hardened browser on purpose. It had a tracking link and all and the URL was just ever so slightly off. Nothing happened on the target page though. No attempted script execution, no iframes, no cross site shenanigans, no weird popups or a fake login UI urging me to enter my credentials asap.
Someone from my company's security department called me shortly after, telling me how I had failed the obvious phishing exercise and that I had to undergo a half-hour-long mandatory awareness training. Wasn't getting out of that one.
If you look at the headers, you can tell which ones are fake phishing and which are real phishing.
Please explain
Most companies add an email header like “X-PHISHTEST” to the phishing tests (and a corresponding spam filter rule) to ensure they don’t get caught by spam filters. If you look at the headers of a spam email, the company test emails will have that header.
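One way to do the header check described above, as an added Python example that is not the commenter's code or any vendor's tooling. The header name X-PHISHTEST is the one the comment gives; real simulation platforms use their own names, so the list is treated as configuration. The two raw messages are constructed for the demo, and the extra checks on a real message (Reply-To domain differing from the From domain, an SPF/DKIM failure in Authentication-Results) are general phishing signals added here, not something the comment describes.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed configuration: header names a simulation platform might stamp.
# X-PHISHTEST is the example from the thread; others are placeholders.
SIMULATION_HEADERS = ("X-PHISHTEST",)

# Constructed sample: an internal simulation, tagged so the spam filter lets it through.
RAW_SIMULATION = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expires today
Reply-To: helpdesk@corp.example
X-PHISHTEST: campaign-2025-q1
Message-ID: <abc123@corp.example>

Click https://corp.example/reset to keep your account active.
"""

# Constructed sample: a real phish with a spoofed From and a mismatched Reply-To.
RAW_REAL_PHISH = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: alice@corp.example
Subject: Password expires today
Reply-To: helpdesk@corp-example-support.example
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.example; dkim=none
Message-ID: <zzz@mailer.example>

Click https://corp-example-support.example/reset to keep your account active.
"""


def _domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw: str):
    """Return (verdict, findings) from headers alone: 'simulation', 'suspicious' or 'no signal'."""
    msg = message_from_string(raw)
    findings = []
    for name in SIMULATION_HEADERS:
        if msg.get(name) is not None:
            findings.append(f"simulation header {name} present")
    from_domain = _domain_of(msg.get("From"))
    reply_domain = _domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("Authentication-Results reports a failure")
    if any(f.startswith("simulation header") for f in findings):
        return "simulation", findings
    return ("suspicious" if findings else "no signal"), findings


if __name__ == "__main__":
    for label, raw in (("simulation", RAW_SIMULATION), ("real", RAW_REAL_PHISH)):
        verdict, why = classify(raw)
        print(label, "->", verdict, why)
```

The simulation header only tells you a message is the security team's drill; the Reply-To and authentication checks are the ones that carry over to real mail, and the safest response to either verdict is still to report the message rather than open the link.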
Any company that does that needs to be sent on a mandatory awareness training for failing an obvious fake phishing exercise. It’s far too easy to whitelist that and send it to an “ignore” folder.
Is there anything bad that can happen if you just click a link without logging in or anything? How is it different from opening up a random search result?
Not all phishing links are related to credential theft or trying to get you to download something malicious. Zero-day vulnerabilities in web browsers are revealed constantly. A malicious website (or malicious content embedded into an otherwise benign website) can leverage these or other unpatched vulnerabilities when visited.
You should never follow a known or suspected phishing link unless it’s your job and you are using the appropriate tools and techniques. Just report it to the security department or delete it and move on with your day.
Does that also mean I should not browse any websites I don’t already know? That’s very limiting.
I never said that. I said do not follow known or suspected phishing links. It takes practice and skill, and it is not always simple. But if you know it is a risk, you should consider avoiding the risk.
“This looks like it might be phishing. Let me check it out and see what’s on the other side.” <— That’s what I am suggesting to avoid.
Security is an onion: layered. Patched software. Good, unique passwords. MFA. Various security defense tools. But technology can have gaps, flaws, or be circumvented. It’s important to keep in mind that us as individuals are also a security layer, and are often the first or last line of defense.
I’m no expert, but as I understand it, there are several things that can go wrong just by clicking. This depends somewhat on your browser settings and how you use it.
Visiting a compromised site may allow the attacker to access data from other tabs and windows in the same browser session. Some sites warn you to close the whole browser when logging out because of this.
Sometimes bugs in a browser can allow a site to run arbitrary code on your machine. These hopefully get patched quickly.
If the link was unique to the email, then it could be a signal to the phisher that is a valid address for further targeting.
Happens to the best.
I work for a managed service provider, and security for our clients is one of our most important goals.
Our CEO accidentally got phished then sent out emails to all our clients. We rolled with it by explaining kinda what you just said.
I’m not just the owner, I’m also a member!
The original article: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Don’t password managers verify the domain name before offering credentials?
Does that mean he doesn’t use a password manager?
Edit: RIP, now that’s a proper phishing. I understand where he’s coming from
He mentioned that he does and the password manager didn’t prompt to autocomplete the password automatically, so he had to force it.
The thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn’t I stop there? Because that’s not unusual. There are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.
Then add multiple URLs for that entry. You can even have it match on the base domain, so it works on any subdomain, or restrict it to a subdomain.
I assume that works on 1Password, it works on Bitwarden at least.
That said, I could see myself making this mistake. I’ve had to manually find entries before for one reason or another (e.g. usually use the app, but access the website this one time).
It does work there. The unfortunate thing is that so many sites change their login structure often enough that it's not unusual to discover that a site just changed again and you need to update the list.
Yeah, there are plenty of instances where I'm adding a new URL for a password because the app and the website are too different from each other, or the app changes its login paths…
Or heck, sometimes it’s close enough, and with my password manager on my phone, I don’t have it auto fill – I have it auto-suggest. So “Probably a match” and “Exact match” have the same path to entry.
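The several comments above about password managers refusing to fill on the wrong domain, and about adding extra URLs or matching on the base domain versus a specific subdomain, describe one small piece of logic. Here it is as an added Python example (not 1Password's or Bitwarden's real code): a vault entry holds a list of (URL, match rule) pairs, and the manager offers autofill only if some pair matches the page. The entry URLs and the lookalike domains are constructed for the demo, and the "last two labels" base-domain approximation is an assumption; real managers use the Public Suffix List so that e.g. co.uk is handled correctly.

```python
from urllib.parse import urlsplit

# Match rules modelled on the options a manager like Bitwarden exposes:
#   "base_domain" - any host under the same registrable domain
#   "host"        - exact host only
#   "exact"       - scheme, host and path must all match
#   "starts_with" - the page URL must begin with the stored string


def registrable_domain(host: str) -> str:
    """Approximate the registrable ('base') domain.

    Assumption for the demo: take the last two labels. Real managers use the
    Public Suffix List, without which suffixes like co.uk would be mishandled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def matches(stored_url: str, rule: str, page_url: str) -> bool:
    s, p = urlsplit(stored_url), urlsplit(page_url)
    s_host, p_host = (s.hostname or "").lower(), (p.hostname or "").lower()
    if rule == "base_domain":
        return registrable_domain(s_host) == registrable_domain(p_host)
    if rule == "host":
        return s_host == p_host
    if rule == "exact":
        return (s.scheme, s_host, s.path) == (p.scheme, p_host, p.path)
    if rule == "starts_with":
        return page_url.startswith(stored_url)
    raise ValueError(f"unknown match rule {rule!r}")


def offer_autofill(entry_urls, page_url: str) -> bool:
    """True if the manager should offer this entry on the current page."""
    page_scheme = urlsplit(page_url).scheme
    for stored_url, rule in entry_urls:
        if not matches(stored_url, rule, page_url):
            continue
        # Extra hardening this demo adds: never fill a credential saved for an
        # https site into a plain-http page, where the form travels in clear.
        if urlsplit(stored_url).scheme == "https" and page_scheme != "https":
            continue
        return True
    return False


# Constructed vault entry: one URL matched on its base domain.
MAILCHIMP_ENTRY = [("https://login.mailchimp.com/", "base_domain")]

if __name__ == "__main__":
    # Legitimate subdomain of the same registrable domain: offered.
    print(offer_autofill(MAILCHIMP_ENTRY, "https://us1.admin.mailchimp.com/login"))
    # Constructed lookalike domain: not offered, which is the warning sign the
    # thread says should have stopped the login.
    print(offer_autofill(MAILCHIMP_ENTRY, "https://mailchimp-login.example/login"))
    # "mailchimp.com" appears in the host, but the registrable domain differs.
    print(offer_autofill(MAILCHIMP_ENTRY, "https://login.mailchimp.com.evil.example/"))
```

With the stricter "host" rule the same entry would not fill on us1.admin.mailchimp.com either, which is exactly why people end up adding a second URL to the entry; the safe reading of a manager staying silent is that the page is not one you have saved, not that the entry needs forcing.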
This was mentioned in the write-up, the password manager didn’t autofill, but he was too out of it to notice at first
Not everyone uses a browser extension for their password manager.
Depends… if you use an offline password manager (like KeePass), you can ask it to autotype your credentials into anything… if that's what you ask it to do (i.e. it's not a fault).
Main point though: don’t reuse the same credentials across different sites.
They’ll get 1 site, but not all the rest of them…
Why is there a comma in the, title?
It indicates a pause, and a separation of the two objects in the sentence. It is a subtly different sentence than “Have I been Pwned owner Pwned”, and is clearer with greater emphasis on what happened.
wouldn’t it be clearer with
-
“Have I Been Pwned” owner pwned.
-
Owner of “Have I Been Pwned” pwned.
?
Clarity is not normally something headlines are all that concerned with (some are intentionally opaque, but this one is just joking around). Anyway, I think the “[foo], [bar]ed” structure was a lot more common some decades before the Internet—I had no trouble parsing it, but this marks the first time in a while that I’ve seen it, and I can see how it might be unfamiliar to some audiences.
I’d argue that the original is clearer and more fun than these, but style is subjective.
-
It feels awkward to me. I don’t think it’s grammatically correct. To me, it doesn’t add any clarity, especially when the comma could’ve been the word “got” or something, lol
Headlines are generally pretty flexible with grammar, because a good headline is supposed to be terse.
I think it’s fine.
I think a professional headline would usually just lack the comma there. Headlines typically have weird phrasing (due to their terseness), but they’re generally still grammatically sound.
I think “HackerNews owner hacked” would be a headline, rather than “HackerNews owner, hacked”.
“Have I Been Pwned owner pwned” seems to be on par with “Headline English” to me