@Vivaldi@jon There seems to be a #Phishing campaign targeting #VivaldiWebmail users. I've just got an e-mail from mateja.potocnik2@telemach.net saying that my account will be suspended and I need to take action. The link (shortened with tinyurl.com) leads to a site hosted on http://mimecastmail.co.za/ which looks like the vivaldi.net login page.
Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing by Roger A. Grimes serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense.
This is one of the most convincing #phishing messages I've seen in a long time.
The email is clean and professional, the web site it links to doesn't get flagged by either #Firefox or #Chrome (I've reported it), and the web site (https:// apple-coin.io/, screenshot included below in case it gets taken down) is REALLY smooth.
Please give any #iPhone+#crypto users in your life a heads-up about this, because it's likely to fool a lot of people.
Please boost for visibility. #infosec #cybersecurity
Cyber attacks carried out via e-mail remain a major threat to companies, organisations and citizens. Phishing e-mails in particular are a widely used means of attack. We have published the Technical Guideline "E-Mail Authentication (TR-03182)", which gives e-mail service providers a guide for countering phishing & spoofing, i.e. the forging of the sender name.
Dear BSI,
in a phishing attack, it would surely make sense to have the senders of targeted mails blocked as quickly as possible.
Is there a central body for this?
but sent from an Indian investment firm (with valid SPF, DKIM and DMARC, so probably a vulnerable/misconfigured SMTP server on their end);
the call-to-action links to the Canadian "bikers against pedophiles"' (‽) staging website (a page under wp-includes, so probably leveraging a WordPress vulnerability)
that redirects to a page on the Czech Pandora website
that mimics the UAE bank, asking for credit card details (the phishing page has already been removed and I forgot to take a screenshot a few hours ago)
Fun reading about how even @pluralistic falls for phishing sometimes thanks to all the enshittification of getting in touch with necessary services making us less likely to catch the red flags.
I've clicked on a few of my office's "phishing tests" which at least gets me more "watch this social engineering info video" even if the videos are so bad that you can't help zone out.
I don't know my own work phone number. I don't share it. I just got a phone call from someone presenting as wanting to send me a publication. They had my phone number, name, and title. Who the hell is leaking my data!?
Phishing scammers now helpfully include the steps you need to take to click on their risky link in their texts. I'm sure 'tuanosali1981@mailbox.org' has my best interests in mind and is definitely from "the US Postal team." I definitely shouldn't question where they got my phone number from and why USPS wouldn't just return a package to its sender. #scam #phishing #TrustNoOne
My employer lets a private company send fake phishing mails to all staff in order to train them. Now that company, which most personnel do not know, sends an e-mail in its own name to all our staff, asking them to click on a link to follow an anti-phishing training. So it looks like the message they are giving to all our staff is: it's OK to click on links from unknown companies, as long as they tell you that it's anti-phishing training. 🤦‍♂️ #phishing #infosec
Warning, #Phishing: E-mails with a fake #BNetzA e-mail address and the sign-off of the #BZSt are currently circulating. The e-mails are not genuine. Do not open any links and please do not disclose any personal data such as your IBAN.
Reading about #scammers always depresses me. I know there are far greater problems in the world, but I wish the people who put so much effort into scamming others would redirect those efforts into doing something positive for society.
More specifically, I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened. And then he tried to do it again, a week later!
--
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
@pluralistic “There's a leak somewhere in the CU systems' supply chain”
I absolutely believe it.
I received a plausible #phishing mail, sent to an address I use only for one specific CU, with my correct name, purporting to be from the CU's president.
The payload link used in the phish contained the email address of the CTO of a different CU; I think the scammer just re-used a link without fine-tuning it for my CU.
The scammers clearly have access to CU client DBs & are targeting many CUs.