I can't believe that this is still a thing, but if your risk model is noticeably impacted by the adversarial capability of writing an email in the English language then I'm pretty sure your threat model is already broken.
One of the world's largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.
How do I know? The fraudsters tried the trick with me.
I received a phishing SMS telling me to go and view an MMS, and it gave Mari's number.
They had access to my address book. Is that a coincidence, or was someone else hacked (at a guess, the notary we both gave our numbers to?)?
And what do I do now so they forget about me? #phishing
Wow, the comments on my article on #Passkeys in the German #iX/#heise have shown me a lot of misconceptions people have:
No, you don't need to synchronize Passkeys
nor do you need to use Google/MS/Apple
nor is storing an encrypted binary blob a big danger
Passkeys aren't just autofilled #passwords: they use challenge auth, not shared secrets!
#TOTP 's aren't better because they're a real #2FA. Actually they suck against #phishing.
A secure enclave can still be used, but it's mostly used for decrypting the keychain, not storing it
You can still use #YubiKey 's, either with discoverable creds (uses 1 slot each) or non-discoverable creds (1 slot for all Passkeys)
Generally, I think the term 2FA is misleading. Not all 2FA is created equal. One could even argue that Passkeys are "less" 2FA than Password+TOTP -- and yet, it's more secure in most attacks because it can't be phished.
A lot of people seem to think that the more annoying and difficult to use a technology is, the more secure it is. We have the same problem with passwords and their complexity. We humans suck at guessing how secure something is through intuition.
Who's the idiot who just clicked the link in a Pôle Emploi reminder email and entered their password despite the suspicious URL?
It's meeeeeeeee!
I logged back in through the real site and changed my password.
I hope the crooks didn't have time to grab my info.
I learned my lesson: never click a link before the first coffee.
A local cellphone number called me just now to worry me about someone using my Visa card and declined a 400 and 1000 purchase. GREAT, because I didn't make them, and Visa doesn't call from a local number, and they don't call me, because I tell them off. So, mark this number in your BLOCKED SPAM NUMBERS #NovaScotia 902-471-2518 #SPAM #robocalls #Phishing #Halifax
Fell for phishing: state ministry transfers 225,000 euros to criminals
Saxony's health ministry paid a fraudulent invoice and transferred 225,000 euros to criminals. The LKA (state criminal police office) had already warned about the scam in 2016.
I almost just fell for #Phishing. The email matched what I had just been doing far too well. I was only too lazy to look up my credentials for the fake login. When I switched back to the mail app, I noticed it. Yes, but if that works in one out of a million cases, you can probably swindle enough with it to make it worthwhile.
Fun reading about how even @pluralistic falls for phishing sometimes thanks to all the enshittification of getting in touch with necessary services making us less likely to catch the red flags.
I've clicked on a few of my office's "phishing tests" which at least gets me more "watch this social engineering info video" even if the videos are so bad that you can't help zone out.
I got a #Phishing / #SPAM email with a really strange header. The header doesn't contain any "Received:" lines. As it "is" an external email, IMHO there should be at least one from the local #SMTP server / #MTA.
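The check described above, as an added example that is not from the original post: a small header parser that unfolds continuation lines and reports the `Received:` trace, flagging a message that reaches a mailbox with no hops at all or whose topmost hop is not the local MTA. The two message headers, the hostnames and the addresses are constructed for the example; the local-MTA name to match against is an assumed parameter.

```javascript
// Added example (not from the original post): parse raw message headers,
// unfold continuation lines, and flag a message with no Received: trace.
// The sample headers, hostnames and addresses below are constructed.
function parseHeaders(raw) {
  const lines = raw.replace(/\r\n/g, '\n').split('\n');
  const headers = [];
  for (const line of lines) {
    if (line === '') break; // the first blank line ends the header block
    if (/^[ \t]/.test(line) && headers.length) { // folded continuation (RFC 5322 section 2.2.3)
      headers[headers.length - 1].value += ' ' + line.trim();
      continue;
    }
    const idx = line.indexOf(':');
    if (idx === -1) continue; // not a header field; ignore
    headers.push({ name: line.slice(0, idx).trim().toLowerCase(), value: line.slice(idx + 1).trim() });
  }
  return headers;
}

// Each MTA prepends its own Received: line, so hops[0] is the last (local) hop.
function analyzeTrace(raw, localMtaHint) {
  const hops = parseHeaders(raw).filter(h => h.name === 'received').map(h => h.value);
  const findings = [];
  if (hops.length === 0) {
    findings.push('no Received: lines at all');
  } else if (localMtaHint && !hops[0].includes('by ' + localMtaHint)) {
    findings.push('topmost Received: line is not from the local MTA ' + localMtaHint);
  }
  return { receivedCount: hops.length, hops, findings };
}

// Constructed sample: a normally delivered message with two hops, the first one folded.
const NORMAL_HEADERS = [
  'Received: from mx.example.test (mx.example.test [203.0.113.10])',
  '\tby mail.local.test with ESMTPS id abc123',
  '\tfor <user@local.test>; Mon, 1 Jan 2024 10:00:00 +0000',
  'Received: from sender.example.test by mx.example.test with ESMTP id xyz789',
  'From: Someone <someone@example.test>',
  'Subject: Hello',
  '',
  'body',
].join('\r\n');

// Constructed sample: the situation from the post, no Received: lines at all.
const NO_TRACE_HEADERS = [
  'From: "Your Bank" <security@bank-example.test>',
  'Subject: Urgent: verify your account',
  'Content-Type: text/html',
  '',
  '<html>...</html>',
].join('\r\n');
```

The unfolding step matters: a naive line-by-line grep for `^Received:` still counts hops correctly, but it loses the `by mail.local.test` part of a folded line, which is exactly the part that tells you whether your own MTA saw the message.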
Interesting, heard about someone who almost had their work direct deposit changed... Someone set up a gmail account with their name and emailed HR of their employer and asked them to change their direct deposit to an account (that was NOT THEIRS). Worth keeping an eye on that one. #cybersecurity #phishing #scam
I've cracked billions of #passwords from tens of thousands of #data #breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employees aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
Well that's funny, do people actually fall for these? Also fax.html, lmfao, it's 2023, who the hell has a fax even in business besides legal departments and such? #infosec #phishing #cybersecurity
Tip no. 8: Be careful when opening email attachments or clicking on links, especially from unknown senders. These can contain phishing attempts or malicious files. Phishing can be recognised, for example, by spelling mistakes and/or by checking the final URLs (mouse-over effect). Worth knowing: your bank will not ask you by email or SMS to update your data/passwords or to install apps.