this post was submitted on 27 Mar 2025
691 points (99.0% liked)
  • A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
[–] heavy@sh.itjust.works 142 points 6 days ago (3 children)

Solving the "being human" part of security will probably never happen, which is why you're encouraged to do stuff like use 2FA, different passwords, service isolation and stuff like that.

Anyone and everyone can be fooled at some point, best to try and limit the damage.

[–] Auli@lemmy.ca 29 points 6 days ago (2 children)

I just never click links in email.

[–] Jessica@discuss.tchncs.de 11 points 6 days ago (1 children)

If you use a password manager it won't fill credentials because it will be the wrong domain

[–] mattd@programming.dev 3 points 5 days ago

Unfortunately the article said he just put in his credentials anyway, even though his password manager wouldn’t autofill for him. Pretty stupid, but at least he acknowledges it

[–] Nalivai@lemmy.world 4 points 6 days ago (2 children)

I clicked one once by accident when trying to select it. You can be as diligent as you want; you still will slip up from time to time.


Exactly. Put as many obstacles as possible into the path of scammers, and give yourself as many chances as possible to stop said scammers, and all without making services too annoying to use.

MFA + password manager seems to work well.

[–] Cornelius_Wangenheim@lemmy.world 6 points 6 days ago* (last edited 6 days ago)

FIDO2 and security keys are the closest things we have to a solution. Unfortunately far too few companies support them. It would have saved him here because each credential only works with the proper URL for it.

[–] skozzii@lemmy.ca 25 points 5 days ago* (last edited 5 days ago)

He must have been really tired; he even stated all the warning signs he ignored.

If anything it should just be a warning that literally anyone can make a mistake due to stress/fatigue/whatever

[–] dubyakay@lemmy.ca 37 points 6 days ago (7 children)

I've clicked an obvious phishing link once in an isolated environment with a hardened browser on purpose. It had a tracking link and all and the URL was just ever so slightly off. Nothing happened on the target page though. No attempted script execution, no iframes, no cross site shenanigans, no weird popups or a fake login UI urging me to enter my credentials asap.

Someone from my company's security department called me shortly, telling me how I've failed the obvious phishing exercise and I had to undergo a half hour long mandatory awareness training. Wasn't getting out of that one.

[–] Jolteon@lemmy.zip 6 points 6 days ago (3 children)

If you look at the headers, you can tell which ones are fake phishing and real phishing.

[–] LiamMayfair@lemmy.sdf.org 43 points 6 days ago (1 children)
[–] chatokun@lemmy.dbzer0.com 5 points 6 days ago

I work for a managed service provider, and security for our clients is one of our most important goals.

Our CEO accidentally got phished then sent out emails to all our clients. We rolled with it by explaining kinda what you just said.

[–] danc4498@lemmy.world 21 points 6 days ago

I’m not just the owner, I’m also a member!

[–] linuxguy@lemmy.gregw.us 22 points 6 days ago
[–] randombullet@programming.dev 19 points 6 days ago* (last edited 6 days ago) (4 children)

Don't password managers verify the domain name before offering credentials?

Does that mean he doesn't use a password manager?

Edit: RIP, now that's a proper phishing. I understand where he's coming from

[–] VerPoilu@sopuli.xyz 60 points 6 days ago* (last edited 6 days ago) (1 children)

He mentioned that he does and the password manager didn't prompt to autocomplete the password automatically, so he had to force it.

> The thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.

[–] sugar_in_your_tea@sh.itjust.works 24 points 6 days ago* (last edited 6 days ago) (2 children)

Then add multiple URLs for that entry. You can even have it match on the base domain, so it works on any subdomain, or restrict it to a subdomain.

I assume that works on 1Password, it works on Bitwarden at least.

That said, I could see myself making this mistake. I've had to manually find entries before for one reason or another (e.g. usually use the app, but access the website this one time).

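How a password manager can decide whether to offer a saved login on the page being visited, with the base-domain, host and exact match modes described above, as an added example that is not from the thread or from 1Password or Bitwarden; the vault entries, hostnames and match-mode names are constructed, and the two-label "registrable domain" rule is a simplification of what real managers do with the Public Suffix List.

```python
"""Added example: URI match rules of a password-manager-style vault.
A lookalike domain gets no autofill offer, which is the cue the
thread is discussing. All entries and hostnames here are constructed."""
from urllib.parse import urlsplit

# Constructed vault. Match modes (names are assumptions, not a real product's):
#   "base_domain": any subdomain of the registrable domain matches
#   "host":        the exact hostname only
#   "exact":       scheme, host and path must all match
VAULT = [
    {"name": "Blog newsletter", "uris": [
        ("https://mail.example.com/login", "base_domain"),
        ("https://admin.example.net/signin", "host"),
    ]},
]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Toy rule: a real manager consults
    the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def uri_matches(saved: str, mode: str, visited: str) -> bool:
    """True if the saved URI, under its match mode, covers the visited URL."""
    s, v = urlsplit(saved), urlsplit(visited)
    if v.scheme != "https" or not v.hostname:   # never fill over plain HTTP
        return False
    if mode == "exact":
        return (s.scheme, s.hostname, s.path) == (v.scheme, v.hostname, v.path)
    if mode == "host":
        return s.hostname == v.hostname
    if mode == "base_domain":
        return registrable_domain(s.hostname) == registrable_domain(v.hostname)
    raise ValueError(f"unknown match mode: {mode}")


def entries_for(visited: str, vault=VAULT) -> list:
    """Names of the vault entries the manager would offer on this page.
    An empty list is the 'did not autofill' signal worth pausing on."""
    return [e["name"] for e in vault
            if any(uri_matches(u, m, visited) for u, m in e["uris"])]


if __name__ == "__main__":
    for url in ("https://www.example.com/account",      # subdomain, offered
                "https://example-com.login.test/",      # lookalike, refused
                "https://api.example.net/signin"):      # wrong host, refused
        print(url, "->", entries_for(url))
```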
[–] ricecake@sh.itjust.works 29 points 6 days ago

It does work there. The unfortunate thing is that so many sites change their login structure often enough that it's not unusual to discover that a site just changed again and you need to update the list.

[–] otp@sh.itjust.works 7 points 6 days ago

Yeah, there are plenty of instances where I'm adding a new URL for a password because the app and the website are too different from each other, or the app changes its login paths...

Or heck, sometimes it's close enough, and with my password manager on my phone, I don't have it auto fill -- I have it auto-suggest. So "Probably a match" and "Exact match" have the same path to entry.

[–] Transform2942@lemmy.ml 15 points 6 days ago

This was mentioned in the write-up, the password manager didn't autofill, but he was too out of it to notice at first

[–] Zorsith@lemmy.blahaj.zone 6 points 6 days ago

Not everyone uses a browser extension for their password manager.

[–] freeman@feddit.org 7 points 6 days ago

That's why we have RSS feeds. That's how I follow Troy.
