Troy Hunt has been warning us for years about the dangers of passwords. He did it so often that he ended up turning those warnings into a project that has become a reference: Have I Been Pwned. And despite everything he knows, he has just fallen victim to credential theft through the most common method of all: a phishing email.
It can happen to anyone. Hunt explained on his blog how he fell into a very well-crafted trap: a phishing email that pretended to come from Mailchimp, the platform he uses to distribute his newsletter. The notice informed him that he had received a spam complaint and that his sending privileges on the service would be restricted. To resolve it, of course, he could click on a button with a link.
Why did that phishing work? As this expert explained, “I have received a ton of similar messages that I have always identified quickly”, but there was a critical factor that played against him: the moment at which he received and read it. Hunt was jet-lagged and very tired when he received the message, and did not think carefully enough to notice that something was not right.
Signs that are hard to spot. After clicking on the link, Hunt also noticed that his password manager did not autofill his account details (usually the username and password). This could have been an indication that the domain requesting those credentials was suspicious, but he himself pointed out that many platforms register you on one domain (which the password manager stores) and then authenticate you on another.
Theft of his subscribers' data. The phishing attack allowed the attackers to steal 16,000 records belonging to people who were subscribed, but also to people who had already unsubscribed from his newsletter. Mailchimp keeps those records for some reason. The data includes email addresses, IP addresses, and latitude and longitude coordinates, although these do not pinpoint the subscriber's location.
He has been “pwned” too. The creator of the Have I Been Pwned site ended up adding the theft of this data to the database the platform uses, as was only proper. As he pointed out on his blog, not doing so “would have been hypocrisy.” He also had the good sense to disclose what had happened to him right away.
If a message is extremely urgent, be suspicious. Phishing attacks almost always rely on an urgent tone or message. If you don't act, they try to tell you, something bad may happen to you. That is precisely why, when faced with these messages, you should try to keep a cool, clear head and not act instinctively or immediately. It is probably the main lesson to take from this incident.
Passkeys help. Traditional passwords remain exposed to phishing attacks, but there is a method that helps us avoid that particular threat: passkeys, which make use of secure biometrics. Their implementation, admittedly, is quite fragmented, but if we place our trust in a passkey provider (such as Google or Apple, for example) they are undoubtedly an important way to add a notable layer of security, just as two-step authentication (2FA) has been so far.
Image | Saksham Choudhary