I’m a security reporter and got fooled by a blatant phish

Enlarge / This is certainly not a Razer mouse—however you get the concept.

There has been a latest flurry of phishing assaults so surgically exact and well-executed that they’ve managed to idiot among the most conscious individuals working within the cybersecurity business. On Monday, Tuesday, and Wednesday, two-factor authentication supplier Twilio, content material supply community Cloudflare, and community tools maker Cisco stated phishers in possession of telephone numbers belonging to workers and worker members of the family had tricked their workers into revealing their credentials. The phishers gained entry to inside programs of Twilio and Cisco. Cloudflare’s hardware-based 2FA keys prevented the phishers from accessing its programs.

The phishers have been persistent, methodical and had clearly accomplished their homework. In one minute, not less than 76 Cloudflare workers acquired textual content messages that used varied ruses to trick them into logging into what they believed was their work account. The phishing web site used a area (cloudflare-okta.com) that had been registered 40 minutes earlier than the message flurry, thwarting a system Cloudflare makes use of to be alerted when the domains utilizing its title are created (presumably as a result of it takes time for brand spanking new entries to populate). The phishers additionally had the means to defeat types of 2FA that depend on one-time passwords generated by authenticator apps or despatched by means of textual content messages.

Creating a sense of urgency

Like Cloudflare, each Twilio and Cisco acquired textual content messages or telephone calls that have been additionally despatched beneath the premise that there have been pressing circumstances—a sudden change in a schedule, a password expiring, or a name beneath the guise of a trusted group—necessitating that the goal takes motion shortly.


On Wednesday, it was my flip. At 3:54 pm PT, I acquired an e mail purporting to be from Twitter, informing me my Twitter account had simply been verified. I used to be instantly suspicious as a result of I hadn’t utilized for verification and did not actually wish to. But the headers confirmed that the e-mail originated from twitter.com, the hyperlink (which I opened in Tor on a safe machine) led to the actual Twitter.com web site, and nothing within the e mail or linked web page requested me to offer any data. I additionally seen that a checkmark had out of the blue appeared on my profile web page.

Satisfied the e-mail was real, I famous my shock on Twitter at 3:55.

What the hell. Twitter simply verified my account, although I’ve steadfastly refused to present them my ID or some other information. I’m wondering why.

— Dan Goodin (@dangoodin001) August 10, 2022

Seconds later, at 3:56, I acquired a direct message purporting to return from Twitter’s verification division. It stated that for my verification to turn out to be everlasting, I wanted to reply to the message with both my driver’s license, passport, or different government-issued ID.

I’ve robust emotions concerning the inappropriateness of Twitter—a firm that has been hacked not less than 3 times and admitted to misusing person telephone numbers—asking for this sort of knowledge. I used to be mad. It was close to the tip of my workday. I used to be nonetheless shocked on the sudden and unfaked gifting by Twitter of a checkmark I hadn’t requested for. So with out completely studying the DM, I tweeted a screenshot of it, together with a cynical remark about Twitter not being reliable.

I spoke too quickly. Sorry, @twitter, you are not reliable. Go forward and take away the blue checkmark. You’re not getting my ID solely so you will get hacked once more or use it for advertising and marketing functions. pic.twitter.com/dimLCLagdU

— Dan Goodin (@dangoodin001) August 10, 2022

The factor is, the DM used damaged English; the person deal with was named Support, adopted by a bunch of numbers; the account was locked. The DM is a textbook instance of a phish, with all of the hallmarks of a rip-off. So why was my first impression that this message was real? There are a few causes.


Please enter your comment!
Please enter your name here

Popular Posts

Biden warns Putin on NATO threat as Russia annexes Ukraine regions

U.S. President Joe Biden makes remarks about Russian President Vladimir Putin's feedback on the navy battle in Ukraine after delivering remarks on the federal...

Nord Stream gas leaks sees methane spew into the atmosphere

Climate scientists described the stunning photos of gas spewing to the floor of the Baltic Sea as a "reckless release" of greenhouse gas emissions...

Did Val Kilmer’s Doc Holliday Say ‘I’m Your Huckle Bearer,’ Not ‘Huckleberry’?

Actor Val Kilmer, whereas portraying gunslinger Doc Holliday within the 1993 Western movie “Tombstone,” repeated the catchphrase, “I’m your huckle bearer,” not “I’m your...

Report: 90% of companies affected by ransomware in 2022

Were you unable to attend Transform 2022? Check out all of the summit periods in our on-demand library now! Watch right here.An annual...