Troy Hunt Gets Phished – Source: www.schneier.com

Source: www.schneier.com – Author: Bruce Schneier

Comments

Winter April 4, 2025 12:03 PM

@ideho “justice”

“my oh my, the guy says: “they don’t provide 2FA” – and he wants the world to take him for some big “IT” “guru” or some “important” “cyber” guy??? ”

Every security and fraud expert knows they can be tricked.

Only the ignorant and inexperienced think they are too smart to be tricked.

SocraticGadfly April 4, 2025 12:28 PM

He’s a “Microsoft Regional Director.” That’s probably the best place to start.

Clive Robinson April 4, 2025 1:02 PM

@ ALL,

Getting Phished is to be expected.

As two sayings put it,

We are all human.
To err is human.

As I’ve said before, for most people, in most cases of attack, the only reasons it’s not yet happened to you are,

1, It’s a target rich environment.
2, Your number has not yet come up.
3, Or you are only slightly less ‘low hanging fruit’.

There is another reason that few consider,

4, You can not be reached by the phishers.

People for quite some time have wondered and indeed questioned why I do not do “social media” or “email” or a whole lot of other

“Un or insufficiently gated communications.”

Those old enough to remember the old security advice from back in the 1960’s if not a lot earlier (remember not all security advice is about computers 😉)

“If they get to the front panel it’s game over.”

Which is why a heck of a lot of early “information security” was actually “physical security” re-worded so effectively “old wine in new bottles”.

The point is though as I point out from time to time,

“Mitigation by segregation”

Works, even with insecure systems.

But Troy points out three things of note,

1, The way he received the message lacked information.
2, The message was suitably worded.
3, His password manager failed unexpectedly.

So the first point to take real notice of,

Most electronic communications like Email, SMS, etc are

1, Not authenticated / authorized
2, Not source location verified.

Thus they are “NOT Gated”… Be it security or otherwise.

They are in short, a good deal “less reliable” than a hand written flyer pressed into your hand in the street by a wild eyed looking individual mumbling in a way that apparently lacks contact with reality.

But because it’s the age of Web 3.0… all “looky feely” with nothing taxing or alarming to be made available by “Marketing edict”…

Back with “old style” Email clients you could turn on “all headers” and other information. Whilst they can be faked they have the advantage with regular messages from the same organisation of “being consistent”.

Thus if they change in any way there has to be a reason, so cause for caution and checking.

But if you can not see any changes because they are kept out of sight…

Always looking stopped me getting caught out more than a couple of times back when I still did “personal Email”. It was the fact that Email from people I’d had no contact with started rising, be they “crooks, advertisers, or worse”… It made me stop “Personal Email”, and it’s also yet another reason I don’t do “messaging apps” secure or otherwise[1].

And also why I don’t do “Walled Garden Apps” from the likes of Apple or Google, their argument of “It’s more secure for users” is an obvious nonsense due to the number of apps that “steal info or worse” they’ve made money from etc.

But onward,

The second notable point, that Troy has made is of the message,

“It created just the right amount of urgency without being over the top.”

Is an example of a fairly standard human failing, and employers are their own worst enemy because employees are almost always “under a clock”. Or some other “performance measure” to “Increase productivity” for those C-Corridor bonuses that come with increasing the perception of “Shareholder Value”…

As the old saying has it,

“Act in haste, repent at leisure”

The thing is it’s almost always the employee not the C-Suite that gets to do both with no choice.

But the third point is a doozy and one people should take to heart,

“His password manager failed unexpectedly.”

Actually it did not fail it acted on information that Troy did not see (see first point above).

There are two reasons why automatic systems fail,

1, Something has been changed and picked up.
2, The system is not implementing specification or the specification was deficient.

Sometimes it’s both, and people then seem to think it’s,

“A corner or edge case.”

Thus some how not just allowable but acceptable…

It’s not and importantly users should be informed in a meaningful way that they can understand easily if not intuitively.

The fact that Marketing types assume all their users will do a,

“Don’t Panic Mr Mannering”

Dance whilst waving their arms etc etc says more about Marketing types than is probably safe to know…

[1] A friend who tried getting me to use WhatsApp, because “it does great things and everybody uses it” has just found out that there are down sides to messaging apps. Some one they talked to via WhatsApp has been arrested and put in jail and they found out when “The boys in blue” came around and took computers etc “in for forensic evidence investigation”.
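The “all headers” habit described in the comment above (a regular sender’s headers are consistent, so any change is a reason to stop and check) can be turned into a small per-sender baseline check. The following Python is an added example by the editor, not code from the commenter or from any project named on the page; the domains, addresses and messages in it are constructed placeholders. It compares only what each message claims (envelope and visible domains, the earliest relay hop, the DKIM `d=` domain, the List-Id); whether the DKIM signature actually verifies is the receiving mail server’s job.

```python
import email
from email import policy
from email.utils import parseaddr


def _domain(header_value) -> str:
    """Mailbox domain from a From:/Return-Path: style header value."""
    addr = parseaddr(str(header_value or ""))[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def header_profile(raw_message: str) -> dict:
    """Reduce a message to the few header facts that normally stay the same
    for one sender: the visible and envelope domains, the earliest relay
    hop, the claimed DKIM signing domain and the list identifier. Nothing
    here is verified (the receiving MTA does that and records it in
    Authentication-Results); the point is consistency between messages."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    # Received: headers are prepended hop by hop, so the last one is the
    # earliest hop, i.e. the machine that first handed the message over.
    first_hop = ""
    if received:
        words = str(received[-1]).split()
        if len(words) > 1 and words[0].lower() == "from":
            first_hop = words[1].lower()
    dkim_domain = ""
    for tag in str(msg.get("DKIM-Signature", "")).split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            dkim_domain = value.strip().lower()
    return {
        "from_domain": _domain(msg.get("From")),
        "return_path_domain": _domain(msg.get("Return-Path")),
        "first_hop": first_hop,
        "dkim_domain": dkim_domain,
        "list_id": str(msg.get("List-Id", "")).strip(),
    }


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Fields where the new message differs from the remembered profile."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}


# Constructed sample messages (all domains and addresses are placeholders).
BASELINE_MESSAGE = """\
Return-Path: <bounce@mailchimp.example>
Received: from mail.mailchimp.example (mail.mailchimp.example [192.0.2.10]) by mx.threatsbook.example with ESMTPS
DKIM-Signature: v=1; a=rsa-sha256; d=mailchimp.example; s=k1; h=from:subject; bh=constructed; b=constructed
From: Mailchimp <noreply@mailchimp.example>
To: <mailchimp827@threatsbook.example>
List-Id: <campaigns.mailchimp.example>
Subject: Your monthly campaign report

Report attached.
"""

SUSPECT_MESSAGE = """\
Return-Path: <bounce@mailchimp.example>
Received: from relay7.bulk-sender.example (relay7.bulk-sender.example [198.51.100.7]) by mx.threatsbook.example with ESMTPS
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=x; h=from:subject; bh=constructed; b=constructed
From: Mailchimp <noreply@mailchimp.example>
To: <mailchimp827@threatsbook.example>
List-Id: <campaigns.mailchimp.example>
Subject: Action required: sending privileges restricted

Log in now to restore sending.
"""


def check_new_message(baseline_raw: str = BASELINE_MESSAGE, new_raw: str = SUSPECT_MESSAGE) -> dict:
    """What a reader who keeps a per-sender baseline would be shown."""
    return diff_against_baseline(header_profile(baseline_raw), header_profile(new_raw))


if __name__ == "__main__":
    for field, (before, now) in check_new_message().items():
        print(f"{field}: was {before!r}, now {now!r}")
```

In the constructed pair, the visible From:, Return-Path: and List-Id: are identical, which is exactly what a “looky feely” client shows; only the first relay hop and the claimed signing domain differ, which is what the baseline check surfaces.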

Fazal Majid April 4, 2025 2:24 PM

He’s right about one thing: sites that don’t use FIDO or Passkeys for 2FA are just engaging in security theater.

I use a different email address for each company I work with, and almost always, when it is compromised, the leakage was from an Email Marketing service provider. The fact the phish was sent to mailchimp@example.com or whatever suggests Mailchimp’s database may have been breached.

lurker April 4, 2025 2:26 PM

I had to check the date on his article to be sure it wasn’t 1 April.

It’s easy to say if I got the phishing message I would have said “Bother”, or more, and gone away to make some strong coffee. Perhaps we can assume he didn’t simply click the link, because he says:

“I went to the link which is on …”

Again it’s easy to say that I have bookmarks set on my browser menu bar for places that I get regular email notifications. Using my own bookmark also has the benefit of breaking the tracking built into most clickable links.

But if I were “really jet lagged and really tired and the cogs in your head are just moving that little bit too slow” would I have done the right thing? Phishers attack the weak human link. We all have a weakness, somewhere, and the adversary phishes for it.

Clive Robinson April 4, 2025 3:38 PM

@ lurker,

With regards,

“We all have a weakness, somewhere…”

Yup, mine is breathing. For some strange reason I just can not do without a good breath every few seconds; it’s a terrible failing, I know, but heck, the joy of fresh air across the tonsils, it’s got me hooked.

But yeah, all jokes aside, like it or not we all have them, call them hooks, buttons, pressure points, etc; there is always someone looking for leverage in one form or another to abuse and exploit.

Which begs the question,

“What sort of person does this?”

Well first let’s say “person or human” is not a good description of them. They are without doubt defective, broken and with the pieces that make the majority of us human missing.

You could call them “Self Entitled” and many of them are, but all too often any benefit they gain is at best transitory, thus they are in effect compelled by their own failings to continue to cause harm any way they can, as long as we as a society let them.

And that is the point, all too often we lock up the wrong people; those that do so much harm over and over are for some strange reason seen as successes, as winners and even heroes.

The reality though is they are none of those and often it does not take long for their real failings to become increasingly apparent to greater and greater numbers.

You also have to ask an all important question,

“What’s in it for the followers?”

Based on the usual outcomes, nothing very much, some transitory ego/vanity sop, then along comes “Pay Back”, and at the very least being thrown under the bus is the best you can hope for, with public disgrace, bankruptcy, and jail time being oh so common… also the dog at the top can shine like many another false idol come fascist dictator.

Who? April 4, 2025 5:39 PM

@ lurker

Homograph attacks are becoming a nightmare. The Internet must return to its roots – we have certainly learned a lot in these years, and it is good, it has never been a waste of our valuable time: we learned what we can do, what we shouldn’t do, and how we can do what we really want to do in better ways, in some cases.

It is time for technology to become simple again, as simple as to be auditable or, at least, understandable.

We know how to build secure services (e.g. telnet(1) vs ssh(1)) and firewall-friendly protocols (ftp(1) vs sftp(1)); we learnt what we shouldn’t do too, like writing browsers whose codebase is formed by millions of lines coming from thousands of different, unrelated sources, whose only real use is preserving bugs from ancient HTML releases so that twenty-year-old web pages – only available at archive.org these days – can be rendered as they were conceived by their authors in the nineties.

I feel the world is making the same mistake with the Internet that Microsoft Corporation did in the nineties when they moved from DOS to Windows: preserving an old operating system, full of bugs, never thought of as a foundation for a new paradigm – where a fast-changing world was moving quickly from modems to ATM networks – as the core for a new operating system concept, instead of writing a new, modern operating system from scratch.

Currently technologies are becoming so convoluted that even security experts like Troy Hunt can make mistakes.

It is time to reconsider what we are doing.
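The homograph attacks mentioned at the top of the comment above are detectable on the defender’s side: decode any punycode (`xn--`) label back to what the user sees, look for a label that mixes Unicode scripts, and map confusable letters to their Latin look-alikes (the “skeleton” idea from Unicode TR39) to see whether the name merely resembles a site the reader already has bookmarked. The Python below is an added example by the editor, not code from the commenter or from any project on this page; the confusables table is a small constructed subset, and the host names and bookmarks are placeholders.

```python
import unicodedata

# Cyrillic letters that most fonts draw exactly like a Latin letter. This is
# a small constructed subset of the Unicode confusables data, enough for the
# demonstration; a production check would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def decode_label(label: str) -> str:
    """Turn a punycode (xn--) label back into the Unicode the user sees."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def skeleton(text: str) -> str:
    """Map confusable letters to their Latin look-alikes (Unicode TR39 idea)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_host(host: str, bookmarks: set) -> dict:
    """Flag a hostname that mixes scripts inside one label, that is
    confusable with a plain ASCII name, or whose look-alike form is one of
    the sites the reader has bookmarked."""
    labels = [decode_label(part) for part in host.strip().lower().rstrip(".").split(".")]
    decoded = ".".join(labels)
    skel_host = ".".join(skeleton(label) for label in labels)
    findings = []
    for label in labels:
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed-script label '{label}': {', '.join(sorted(scripts))}")
        label_skel = skeleton(label)
        if label_skel != label and label_skel.isascii():
            findings.append(f"label '{label}' is confusable with ASCII '{label_skel}'")
    if skel_host != decoded and skel_host in bookmarks:
        findings.append(f"looks like bookmarked site '{skel_host}' but is not it")
    return {"decoded": decoded, "skeleton": skel_host, "findings": findings}


if __name__ == "__main__":
    my_bookmarks = {"cisco.example", "paypal.example"}
    # Second host is all-Cyrillic c i s c o; third mixes a Cyrillic a into Latin paypal.
    for h in ("cisco.example", "\u0441\u0456\u0455\u0441\u043e.example", "p\u0430ypal.example"):
        print(h, "->", analyze_host(h, my_bookmarks))
```

The all-Cyrillic name is the harder case: every letter is from one script, so a mixed-script rule alone says nothing, and only the skeleton comparison against the reader’s own bookmarks catches it. That is also why the bookmark habit mentioned earlier in the thread works: the bookmark carries the real name, not the one on the screen.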

Who? April 4, 2025 6:43 PM

Mr. Hunt was using 2FA, but a weak one based on OTP codes.

As you know, OTP codes remain valid for a certain amount of time (usually half a minute) and, to avoid time synchronization issues, the previous and next ones are usually accepted too. If you log into a fake login service (i.e. through a punycoded URL), the attacker can quickly relay your authentication code to the real authentication service while hanging your session, so he is in control of your account now.

I would say most of us use exactly this class of 2FA technology, so we all are vulnerable.

Who? April 4, 2025 6:48 PM

To be more precise, I should have written time-based one time pad (“TOTP”) codes; a clever ——but not too secure—— variant of the OTP codes widely used on the Internet.

Ismar April 4, 2025 6:54 PM

Two things which seem to be overlooked here:

  1. The mailing list is what the attacker was after, and more important than compromising Troy’s account per se. There are probably emails of some more valuable targets on that list than what Troy can offer.
  2. Why are we still using passwords to log in to these sites accessible to anyone on the internet – hardware dongles with well defined standards and protections against phishing having been around for decades now, but I guess we still want to do it on the cheap, hoping someone else will pay the price of the breach.

Clive Robinson April 4, 2025 8:10 PM

@ Ismar, ALL,

Hardware is not the way to go?

With regards,

“hardware dongles with well defined standards and protections against phishing having been around for decades”

Not exactly “decades” as the standards are less than that.

But hardware has always been seen as an issue. Back in the 1980’s when online banking started – yup, over a decade before the Internet – hardware solutions were just not feasible. Trust me, I know: I designed a secure modem that did not require passwords back then, based around a Z80 CPU and a handful of other chips. But the likes of the Am9568 “Data Ciphering Processor” (DCP) and similar were not part of it, because of what many now call “International Traffic in Arms Regulations” (ITAR) limitations and what was also an outrageous cost.

In short the banks said the chip had to be in it but they were not going to pay for it…

They did not get the hardware, and the bank customers got hit with losses due to effectively non existent security.

Ever since banks have resisted hardware in all sorts of ways and where they have used hardware, it’s been “shonky build” at best. So inadequate not just security wise, but failing rapidly due to such terrible build quality.

I was in part responsible for “one time codes” over SMS, and well, let’s just say it’s something that was not my greatest moment.

The simple fact is unless decent security is required by legislation and regulation, customers will lose to “inadequate by design” subbed out to a “lowest foreign bid” like China.

Ismar April 4, 2025 8:25 PM

@Clive
It is a convenience issue and I get that, but if my life savings are at stake I should be ok with having to carry a small dongle with me like I do my house keys.
FIDO offers good phishing protection and its support should be mandatory for any website which allows access to large funds or any other sensitive information.
On the other hand, while we wait for the legislation that may never come, we as customers can make a difference by going with those sites which offer this kind of secure service and avoiding those which don’t.

ResearcherZero April 5, 2025 12:41 AM

Targeted phishing is likely to get worse in the current environment.

It is also an extremely volatile time with many rapidly changing events taking place that can catch people off guard. This is not helped by changes that affect workplaces and jobs.

Clueless people attempting to change systems in government departments, introduce AI, cut services and who propose to modernise legacy systems which they do not understand will no doubt lead to a huge amount of confusion, mistakes and exposure or loss of data.

This is all taking place while people try and figure out what to do with important services under enormous strain due to reduced funding, fewer resources and fewer staff, with other crucial services about to be ended entirely.

The US administration may also be about to attempt to consolidate information once isolated, into single databases, while laying off top national security personnel.

‘https://www.wired.com/story/plaintext-trump-executive-order-information-silos-privacy/

This article points to some of the problems which may arise:

https://www.computerworld.com/article/3953741/doge-wants-to-modernize-social-securitys-legacy-tech-what-could-possibly-go-wrong.html

“These people have zero clue what they are working on,” a VA employee stated.
https://www.wired.com/story/doge-department-of-veterans-affairs-ai/

ResearcherZero April 5, 2025 1:51 AM

This is the targeted bulk email phishing campaign responsible. It is connected to experienced criminal operators in the data theft space that have access to the resources needed – including sophisticated phishing kits – to create targeted and convincing lures.

‘https://www.silentpush.com/blog/poisonseed/

ResearcherZero April 5, 2025 2:40 AM

spammydodgyaddress@notrealemail[.]gov

Dear To whomever,

Include everything important you have been doing to justify why you should continue to be employed in your position, then return it to this address.

Include a list of every payment you were responsible for along with a justification for each and every payment made, breakdown of expenses, total amount and to who it was made.

Department of Government Efficiency Not The Real DOGE

Warnings that malign actors may be reading email responses to DOGE regarding work activities.

‘https://www.nbcnews.com/politics/doge/hhs-warns-responses-elon-musks-email-may-read-malign-foreign-actors-rcna193553

Clive Robinson April 5, 2025 5:16 AM

@ Ismar, ALL,

With regards security hardware,

“It is a convenience issue and i get that but if my life savings are at stake I should be ok with having to carry a small dongle with me like I do my house keys.”

It’s mostly not the people with the savings that are objecting to having small dongles they can carry or lock in the safe.

Though they do rightfully complain about the quality of the dongles, the quality of the system, and in some cases the quantity of dongles.

The real issue is the banks etc, not wanting customers to have security such that the bank becomes liable for all those “rounding errors” and other errors where money goes missing from accounts.

Other countries have stronger protective legislation and surprise the banks do a much better job…

But consider your point,

“… carry a small dongle with me like I do my house keys.”

The dongles are usually way way bigger than a house key. The smallest dongle I ever had that was “standalone” was larger than ten Yale type cylinder lock keys stacked together on a key ring. Worse, it was a “dirt magnet” and about as fragile as you could make it, and broke beyond use/repair all too often in everyday use. I’ve never had a cylinder lock key go “wrong” on me, they’ve never “broken” on me and they don’t “run out of juice”. Interestingly neither did my “bank book” which was once the “key to your account” along with an identity document.

So dongles banks issue do have a lot of strikes against them individually, but consider you have to have one for every account… Then in their multiplicity they really do project you into a newly minted “level of hell”… Not least is the physical design like a giant almond pit it is almost,

“The perfect shape and construction for self destruction.”

When two or more hang together. Made worse by the fact they become like a “Newton’s Cradle” executive desk toy…

Oh, and if they break or stop working, which they used to do, try getting a replacement… I had to wait six weeks for one with a UK Bank, and then they said I had to pick it up from a branch that had closed about a month before… Let’s just say I was not amused, and so shifted bank. Which oddly just needed me to turn up to any of their – still open – branches with a letter and identity and walk out with a “counter cheque”.

So the question is why is there little or no “adult joined up thinking” in the banks with respect to the multitude of issues with their dongles and other tokens?

Miki April 5, 2025 6:14 AM

Interesting story.
The FIDO2 keys are superior for phishing protection; anyway, a good password manager and 2FA can provide good protection and avoid phishing links too. The problem is that a user can bypass it, as happened in this case.

So it is important to verify the link and go to the institution via a saved/known link, and no credentials being offered by the password manager should be a big warning and stop sign.

Adam Shostack April 5, 2025 11:54 AM

People can defend themselves with email sorting, so that real emails land in specific places. I explain in Learning from Troy Hunt’s Sneaky Phish.

The core of that is

That defense is intensive sorting into folders, enabled by custom email addresses. I tell mailchimp my email is mailchimp827@threatsbook.com. I then route that to a mailbox called “vendors.” If the message is anywhere else, it’s not sent to the address I gave mailchimp, and it’s a phish or a spam. I don’t have to think that much because the expectation is there’s no corporate mail in my inbox. There’s a variant, which is “plus addressing.” Most mail services will deliver email with a plus in the username. So if you’re adam@example.com, adam+randombits@example.com will likely reach you, and that extra part can be used for sorting.
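The sorting rule in the comment above (one dedicated address per vendor, plus addressing for the rest, and “anywhere else means phish or spam”) and the per-company address habit Fazal Majid describes earlier in the thread (a phish arriving at the dedicated address is a sign that address leaked) can both be expressed as one small router. The Python below is an added example by the editor, not the commenters’ own code or that of any mail service; the alias book, folder names, messages and domains are constructed placeholders, and the threatsbook/example.com addresses from the comment are only used as the pattern.

```python
import email
from email import policy
from email.utils import parseaddr

# One dedicated address per vendor (constructed entries). Each entry also
# records the domains that vendor really sends from, so mail that reaches
# the dedicated address from somewhere else can be annotated as a possible
# leak of that address rather than silently filed as vendor mail.
ALIAS_BOOK = {
    "mailchimp827@threatsbook.example": {
        "vendor": "mailchimp", "folder": "vendors", "domains": {"mailchimp.example"}},
    "bank-q1x@threatsbook.example": {
        "vendor": "examplebank", "folder": "finance", "domains": {"examplebank.example"}},
}
# Plus addressing on the main mailbox, as in adam+randombits@example.com.
BASE_ADDRESS = "adam@example.com"
PLUS_TAGS = {"newsletters": "reading", "shop": "receipts"}


def recipient_of(msg) -> str:
    """The address the message was actually delivered to, not who it claims to be for."""
    for name in ("Delivered-To", "X-Original-To", "To"):
        if msg.get(name):
            return parseaddr(str(msg[name]))[1].lower()
    return ""


def sender_domain_of(msg) -> str:
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def route(raw_message: str) -> tuple:
    """Return (folder, note). The folder is decided by the address the mail
    was sent *to*; the From: line is never trusted, only used to annotate."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    rcpt = recipient_of(msg)
    sender_domain = sender_domain_of(msg)

    # 1. Mail to a dedicated vendor address lands in that vendor's folder.
    entry = ALIAS_BOOK.get(rcpt)
    if entry:
        if sender_domain in entry["domains"]:
            return entry["folder"], "ok"
        return entry["folder"], (f"reached the {entry['vendor']} address from {sender_domain}: "
                                 "that dedicated address may have leaked")

    # 2. Plus-addressed mail to the main mailbox is sorted by its tag.
    local, _, domain = rcpt.partition("@")
    base, plus, tag = local.partition("+")
    if plus and f"{base}@{domain}" == BASE_ADDRESS and tag in PLUS_TAGS:
        return PLUS_TAGS[tag], "ok"

    # 3. Anything that claims a known vendor but did not arrive at that
    #    vendor's address is, in the comment's words, a phish or a spam.
    for entry in ALIAS_BOOK.values():
        if sender_domain in entry["domains"] or entry["vendor"] in sender_domain:
            return "suspect", f"claims {sender_domain} but was sent to {rcpt}, not the {entry['vendor']} address"
    return "inbox", "ok"


# Constructed sample messages.
LEGIT = """\
Delivered-To: mailchimp827@threatsbook.example
From: Mailchimp <noreply@mailchimp.example>
Subject: Your campaign report

Report attached.
"""
MISDIRECTED = """\
Delivered-To: adam@example.com
From: Mailchimp Support <support@mailchimp-security.example>
Subject: Sending privileges restricted

Log in to review.
"""
AT_ALIAS_FROM_ELSEWHERE = """\
Delivered-To: mailchimp827@threatsbook.example
From: Account Review <review@mailchimp-login.example>
Subject: Sending privileges restricted

Log in to review.
"""
PLUS_TAGGED = """\
Delivered-To: adam+newsletters@example.com
From: Weekly Digest <weekly@news.example>
Subject: This week

Stories.
"""
PERSONAL = """\
To: adam@example.com
From: A Friend <friend@friend.example>
Subject: Lunch?

Tuesday?
"""

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("MISDIRECTED", MISDIRECTED),
                      ("AT_ALIAS_FROM_ELSEWHERE", AT_ALIAS_FROM_ELSEWHERE),
                      ("PLUS_TAGGED", PLUS_TAGGED), ("PERSONAL", PERSONAL)]:
        print(f"{name}: {route(raw)}")
```

The router keys on `Delivered-To` (or `X-Original-To`, then `To`) because those reflect where the mail actually went, whereas `From` is whatever the sender chose to write; the sender only ever adds a note. A message that reaches the vendor address from a domain the vendor does not use is still filed under the vendor, but the note records that the dedicated address has apparently escaped, which is the signal worth retiring that address on.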

Original Post URL: https://www.schneier.com/blog/archives/2025/04/troy-hunt-gets-phished.html

Category & Tags: Uncategorized, phishing, social engineering
