Fascinating - iMessage phishing now includes specific instructions to get around iOS Lockdown Mode restrictions.

The replies about how people "should" notice the funky URL are distressing. Why should they?

If you expect people to become experts on esoteric naming conventions in order to use technology safely and securely, you're the problem, not them.

@mattblaze If the fate of the company rests on whether or not I clicked on a single link, I’m not the one who fucked up.
@maxleibman @mattblaze this is a very interesting take. I've not thought of it that way before. 🤔

@mattblaze point #4 from someone who forgot far more about security than they will ever know https://hachyderm.io/@shortridge/111784865253206399

I’m in a reflective mood this week and it’s kind of wild to me that I’m known as a “provocateur” in #cybersecurity for takes like:

💡 don’t shame victims

💡 UX matters, a lot

💡 we should understand what we’re supposed to protect

💡 if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one

💡 the best things a security program can invest in aren’t in the RSAC vendor hall

💡 maybe we should start actually proving outcomes??????????

¯\_(ツ)_/¯

@mattblaze I promise to start paying attention to bizarre domain names the day my banks all stop creating domains like “account-online.com”
@adamshostack @mattblaze Not to worry, even if they do, they'll still send you emails with some weird-ass third-party click-tracking URLs that have no obvious connection to anything, although you might recognize that your HR department uses the same spamcannon service.
@wollman @adamshostack @mattblaze I would be happy if I could get the groups in my org to agree on 2-3 mailcannon services.
@Oobleck @adamshostack @mattblaze Oh, you've run into the length limit on SPF records too?

@wollman @Oobleck ticket came in to set up marketing.domain dkim/spf/dmarc records.

And two other groups are putting in records for different spam cannons on the top domain. At least marketing knows to get a subdomain set up. Just a few days left for https://dmarcian.com/yahoo-and-google-dmarc-required/

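The exchange above (several groups publishing sender records on the top domain, the SPF length limit, and marketing getting its own subdomain) is the kind of thing that is easier to see in code than in a ticket. The following is an added example, not code from anyone in this thread or from dmarcian: it audits SPF records against the 10-DNS-lookup limit of RFC 7208 section 4.6.4 and the one-record rule of section 4.5, and resolves the effective DMARC policy for a subdomain through the parent's sp= tag. All DNS data is a constructed in-memory zone table; the service and domain names in it are made up, and the DMARC lookup walks up parent labels instead of using the Public Suffix List, which is a simplification.

```python
import re

# Limits from the specs: RFC 7208 s4.6.4 (10 DNS-querying terms per evaluation)
# and RFC 1035 (a single TXT character-string holds at most 255 bytes).
SPF_LOOKUP_LIMIT = 10
TXT_STRING_LIMIT = 255
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data standing in for live DNS (domain -> TXT strings).
# Every name here is made up; .example is a reserved suffix.
ZONE = {
    # apex: three groups each pasted their own sending service into one record
    "example.com": ["v=spf1 mx include:_spf.cannon-a.example "
                    "include:_spf.cannon-b.example include:_spf.crm.example -all"],
    # marketing got its own subdomain and carries a single service
    "marketing.example.com": ["v=spf1 include:_spf.cannon-a.example -all"],
    # a second group published a second record instead of editing the first
    "broken.example.com": ["v=spf1 include:_spf.cannon-a.example -all",
                           "v=spf1 include:_spf.cannon-b.example -all"],
    "_spf.cannon-a.example": ["v=spf1 include:a1.cannon-a.example "
                              "include:a2.cannon-a.example include:a3.cannon-a.example ~all"],
    "a1.cannon-a.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "a2.cannon-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "a3.cannon-a.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "_spf.cannon-b.example": ["v=spf1 include:b1.cannon-b.example "
                              "include:b2.cannon-b.example include:b3.cannon-b.example ~all"],
    "b1.cannon-b.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "b2.cannon-b.example": ["v=spf1 ip4:192.0.2.128/25 -all"],
    "b3.cannon-b.example": ["v=spf1 ip4:198.51.100.128/25 -all"],
    "_spf.crm.example": ["v=spf1 a mx include:net.crm.example ~all"],
    "net.crm.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
    # DMARC at the organizational domain; sp= governs subdomains without their own record
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
}


def spf_records(domain, zone):
    """TXT strings at `domain` whose first token is v=spf1; only these are SPF."""
    return [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]


def spf_terms(record):
    """Yield (name, argument) per term, with the +/-/~/? qualifier and any /cidr removed."""
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?", term, re.I)
        if m:
            yield m.group(1).lower(), m.group(2) or ""


def audit_spf(domain, zone, _depth=0):
    """Return (dns_lookups, problems) for evaluating the SPF policy at `domain`,
    following include: and redirect= targets through the same zone table."""
    problems = []
    records = spf_records(domain, zone)
    if len(records) != 1:
        problems.append(f"{domain}: {len(records)} SPF records, exactly one is allowed (RFC 7208 s4.5)")
        return 0, problems  # a receiver returns permerror here; nothing left to count
    record = records[0]
    if len(record) > TXT_STRING_LIMIT:
        problems.append(f"{domain}: {len(record)} bytes, longer than one TXT string of {TXT_STRING_LIMIT}")
    lookups = 0
    for name, arg in spf_terms(record):
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and exp cost no lookup
        lookups += 1
        if name in ("include", "redirect") and _depth < SPF_LOOKUP_LIMIT:
            sub_lookups, sub_problems = audit_spf(arg, zone, _depth + 1)
            lookups += sub_lookups
            problems.extend(sub_problems)
    if _depth == 0 and lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{domain}: {lookups} DNS lookups, over the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return lookups, problems


def dmarc_tags(record):
    """Parse 'v=DMARC1; p=reject; sp=quarantine' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain, zone):
    """Effective DMARC policy: the domain's own p=, else the parent's sp= (falling back to p=).
    Simplification: real receivers locate the organizational domain with the Public Suffix
    List; this walks up one label at a time through the constructed zone instead."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        for rec in zone.get("_dmarc." + ".".join(labels[i:]), []):
            tags = dmarc_tags(rec)
            if tags.get("v", "").upper() != "DMARC1":
                continue
            return tags.get("p") if i == 0 else tags.get("sp", tags.get("p"))
    return None


if __name__ == "__main__":
    for name in ("example.com", "marketing.example.com", "broken.example.com"):
        lookups, problems = audit_spf(name, ZONE)
        print(f"{name}: {lookups} lookups, DMARC policy {dmarc_policy(name, ZONE)}")
        for p in problems:
            print("  !", p)
```

Run against the constructed zone, the apex record costs 13 lookups because each sending service's include: brings its own includes along, while the marketing subdomain with a single service costs 4; the domain with two SPF records is reported as invalid outright, which is the failure mode that tends to appear when several groups edit the same apex independently. The DMARC lookup shows why a subdomain without its own _dmarc record is still covered: it inherits the parent's sp= policy.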
@becomingwisest @wollman And that subdomain is what I’m pushing to get set up. That link is appreciated! I can use it to help my case.

@Oobleck I use the free version of them for my personal domain.

Work kicked off with https://sendgrid.com/en-us/blog/gmail-yahoo-sender-requirements for my group.

@mattblaze @VulpineAmethyst and that's before I have seen legitimate emails using things like bitly URL-shortened URIs :(
@mattblaze The real problem is the black and white URLs 🙄

@mattblaze I just don't know how to square this with requirements coming from the business that significant actions occur from a single click on a link in an SMS. I barely got them to let me do the GET -> JavaScript -> POST dance that will at least prevent preview/prefetch from breaking things.

Users have to read and understand before triggering something significant (i.e. clicking), right?
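The "GET -> JavaScript -> POST dance" in the post above, written out as an added example (not code from the poster or from any product): GET is side-effect free and only renders a page with a form, a script submits that form, and only the POST changes state, so link previewers and prefetchers that just fetch the URL never trigger the action. The HMAC token tying the POST to one action id is my addition, labelled as such in the code, as is the in-memory action store; both stand in for what a real service would keep in its database and secret store.

```python
import hmac
import hashlib
import secrets
from html import escape

# Constructed in-memory state; a real service would use its database and a managed secret.
SIGNING_KEY = secrets.token_bytes(32)
ACTIONS = {}  # action_id -> {"description": str, "done": bool}


def action_token(action_id):
    """HMAC over the action id, so the POST must come from a page this server rendered
    for that exact action and cannot be forged by guessing the URL."""
    return hmac.new(SIGNING_KEY, action_id.encode(), hashlib.sha256).hexdigest()


INTERSTITIAL = """<!doctype html>
<title>Confirm: {description}</title>
<form id="go" method="post" action="/act/{id}">
  <input type="hidden" name="token" value="{token}">
  <p>You are about to: {description}</p>
  <button>Confirm</button>
</form>
<script>
  /* The "dance" from the post: script submits the form, so anything that only
     performs GET (previewers, prefetch, scanners) never triggers the action.
     Deleting this block leaves a page the person has to read and click. */
  document.getElementById("go").submit();
</script>
"""


def handle(method, action_id, form=None):
    """Minimal request handler returning (status, body).
    GET is side-effect free and only renders the interstitial; POST performs the action."""
    action = ACTIONS.get(action_id)
    if action is None:
        return 404, "no such action"
    if method == "GET":
        return 200, INTERSTITIAL.format(id=escape(action_id), token=action_token(action_id),
                                         description=escape(action["description"]))
    if method == "POST":
        supplied = (form or {}).get("token", "")
        if not hmac.compare_digest(supplied, action_token(action_id)):
            return 403, "missing or invalid token"
        if action["done"]:
            return 409, "already performed"  # a retried POST must not repeat the effect
        action["done"] = True
        return 200, f"performed: {action['description']}"
    return 405, "method not allowed"


def simulate_link_preview(action_id):
    """What a messaging app's link preview or a mail scanner does: a GET and nothing else."""
    status, _ = handle("GET", action_id)
    return status


def simulate_browser_click(action_id):
    """What a real browser does with the link: GET the page, then the script POSTs the form."""
    status, page = handle("GET", action_id)
    if status != 200:
        return status
    token = page.split('name="token" value="')[1].split('"')[0]  # the value the form carries
    status, _ = handle("POST", action_id, {"token": token})
    return status


if __name__ == "__main__":
    ACTIONS["redelivery-42"] = {"description": "reschedule delivery of parcel 42", "done": False}
    print("preview:", simulate_link_preview("redelivery-42"), ACTIONS["redelivery-42"]["done"])
    print("click:", simulate_browser_click("redelivery-42"), ACTIONS["redelivery-42"]["done"])
```

The two simulations make the property concrete: the preview fetch leaves the action untouched, the browser path completes it, and a second POST is refused rather than repeated. The script line is the only thing separating "one click in an SMS does something significant" from "the person reads a confirmation and presses a button", which is the trade-off the post is describing.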

@mattblaze Lots of corporate O365 subscribers are signing up for Microsoft "safelinks", which makes it pretty much impossible for normal people to have any idea where a plaintext message URL is going.
@dan131riley @mattblaze
"The link was safe!"
"How do you know that?"
"It looked like the same gibberish it always is!"
@mattblaze the UPS has an online form for reporting these scams, I've just been doing that when they come in.

@mattblaze I've done a lot of different (and popular) security awareness training classes, and most of them spend a bunch of time explaining how to recognize a phishing URL.

I always roll my eyes, because I've been working in security/exploits for years and years, and I'm not sure I could recognize 100% of malicious URLs (not to mention the various ways to hide URLs, open redirects, etc etc)

@mattblaze Considering that practically all legit e-mails use weird redirectors (presumably for gathering statistics), it's practically impossible to figure out if a URL will lead you to a phishing site or not by just looking at it even if you're an expert in cybersecurity.
@mattblaze
My work tells me to check the IP address of links in my email, but they all start with the address of the verification tool they use and the rest looks like a hash.
So, not exactly something I get to interrogate then
@mattblaze Especially because so many genuine links are pretty much indistinguishable from phishing URLs (typically due to either vanity short domains and/or insane link tracking).
And also many legitimate websites tell people to disable safety measures, most of those being horribly uninformative about what's going on (when they're not full-on FUD like browsers' certificate errors).
@mattblaze Exactly. I've been keeping an eye on the tracking for a parcel I'm sending from here in Australia to a friend in America. I don't know about how the US postal system works or what websites they use. I think I formatted the address on the label correctly but I'm not entirely sure so it's believable something needs correcting. If I was distracted or tired I could easily assume it related to the parcel I'm sending and mindlessly click through.
@mattblaze I half agree shaming people for not catching the URL isn’t going to work and it’s a shitty thing to do. That said we really need some sort of computer ed for the average person. People may not learn to drive but chances are they will use computers on a regular basis.

@mattblaze Complicated further by legit companies sometimes using shady-looking short links themselves. Someone in my house got a legitimate Australia Post delivery text that included a link to something like auspo.st and we all thought it was a scam because we'd never seen it before.

Looked it up online and it was their real shortened URL lol.

So even "shady-looking URL" isn't a consistently reliable heuristic on top of the usability problem you've brought up.

@mattblaze URLs and emails kinda just suck, huh?

@mattblaze
Don't get me started. Apart from the victim blaming this simply doesn't work because companies use the weirdest URL schemes for marketing purposes (to track clicks) and even security tools are contributing to the issue. E.g. to find the real URL behind a Safe Link in Microsoft Defender for Office 365 isn't trivial

🤬