- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
I’m fairly certain I annoy the people at my bank because I always insist on calling them back at their official number if they ask for any personal information. I don’t fuck around with my bank security. I did, however, get got a couple of years ago, back when the Chrome browser window phishing attack first started, and had my Steam account stolen for a solid minute.
That’s the attack where they simulate a browser window, so what you think is an OAuth popup is actually just in-page JavaScript and CSS.
Yeah, I’d really rather avoid waiting on hold every time there’s a fraud alert or something. It doesn’t happen a lot, but I have a lot of cards (like 10) and I often have one that gets an alert most years. It’s usually not an issue, especially since I don’t usually have money at the same institutions where I have a credit card. This was a special one where it’s a card I only use at like 3 places (Steam being one of them) because it’s for purely personal spending (as opposed to “family” spending).
If I wasn’t on vacation, hadn’t just gotten a new phone (I enter my bank’s numbers as contacts), or wasn’t impatient (I was hungry and waiting for food), it wouldn’t have been an issue. It was just a perfect storm of opportunity. Now it’s even less likely because I now use TOTP and my understanding is that there’s no reason the bank would ever ask for that code (I think they only send text).
It happens.
Yup, what you’re describing sounds in line with how Cory Doctorow fell victim to fraud.
This one?
It’s completely different. In that case, they were able to set up a fake business to accept payments, which is way more sophisticated than what happened to me. In my case, they just needed my login name and phone number, and I had reused the login name on several sites, so a number of places could have been involved in a breach. All the scammer had to do in my case was:
That’s it, just two pieces of information, some smooth talking, and a little luck that I don’t catch on. Cory Doctorow’s situation required quite a bit more setup than that:
That’s a lot more sophisticated than what happened to me.
He got scammed again? Damn. Sorry, I was referring to this one. And not really the details of the scam, but it was the wrong place / wrong time element that reminded me.
Edit: the article you linked is older, so I guess not “again”.
Oh yeah, that’s a lot more similar.