randomoracle


Props to scammers on clever use of a commercial security service to improve their phishing

This is a garden-variety scam, but the twist is that the link to Exodus Wallet is a redirector through ProofPoint, ironically an email security company.

(Presumably helps bypass recipient-side URL scanning/blocking rules associated with cryptocurrency sites.)

Way to go Proofpoint. 🥇

Maybe they can brag about this at BH? "9 out of 10 scammers launder their URLs through our service"

Periodic reminder:
Every security incident is an opportunity for vendors to shill for their particular product, whether or not it would have made any difference.

Two great examples from the Bybit fiasco:

1. Fireblocks (aka "Dumpster-Fire Blocks") pushing MPC over multisig, when it would have exactly the same threat model if all key shard-holders are tricked into approving the wrong transaction

2. Ledger inventing a non-existent category of transaction review called "Clear Signing" when plenty of existing hardware wallets (such as Grid+ Lattice1) already have the capability to parse Ethereum calldata and present a human-readable explanation of contract calls.

The typing-and-deleting from DeepSeek is absurdly hilarious.

Here the model initially attributes the 2009 "Aurora" attacks against Google and other US companies to a Chinese APT, and then deletes its own answer once it realizes it uttered uncomfortable truths.

This LLM sounds like a conflicted white-collar criminal who confesses and then promptly retracts the confession behind an unconvincing ploy about changing the subject away from political concerns.

The fake "Jia Tan" account that inserted the backdoor into XZ was using a Gmail account.

Raises interesting questions about when it is justified for the Google (or MSFT) security team to conduct their own investigation into a customer, including possibly reading their email traffic to investigate blatant malfeasance.

From:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Everything I know about the XZ backdoor

Please note: This is being updated in real-time. The intent is to make sense of lots of simultaneous discoveries.

Cloudflare used to be a popular choice for phishing sites, with an initial CAPTCHA designed to deter automated detection of malicious behavior.

Now seeing a shift to using Google reCAPTCHA for the same purpose.

Here is a phishing site where the landing page requires a CAPTCHA before proceeding to the real target where it mimics MSFT Azure login.

Sadly the "Sign-in options" link is broken. These attackers really need to get on-board FIDO2 & passwordless...

CommuteAir, the US airline who leaked the No Fly List on one of their servers, is 100% correct in stating that the incident did not result in loss of any "customer information".

Because if you are on the No Fly List, by definition you cannot get on an airplane and therefore you cannot be the "customer" of any US commercial airline 🤷‍♂️

Doing 2FA with trusted devices is tricky. Tricky enough that even Apple fails at usability.

Trying to login to a website using Apple ID on Chrome?
You are asked to copy/paste an OTP displayed in one pop-up window from MacOS into another window in the browser 🤦‍♂️

Surely there is a way to recognize when the browser is running on that "your device" the notification was sent to?

Way to go Macintrash.

This is a bizarre take from Binance.

Having negative balances in a proof-of-liabilities completely defeats the point of the proof.

Any amount of shortfall in assets can be swept under the rug by inventing a fictitious customer with large negative balance.

In standard proof-of-reserve, adding fictitious customers can only make it harder to prove solvency because each balance must be positive, either in cleartext or with a zero-knowledge proof showing it is positive. But once numbers are allowed to go negative, the liabilities become meaningless since you can invent any number of customers that allegedly owe you money.

https://www.binance.com/en/support/announcement/binance-releases-proof-of-reserves-system-0c7a786cbe8c4e108f3301385ab61e39

Binance Releases Proof of Reserves System | Binance Support

Fellow Binancians, Following our recent announcement outlining our commitment to transparency , Binance is releasing its Proof of Reserves (PoR) System , ​which is the next step in our effort to ...
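As an added illustration of the point made in the post above (this is not code from the post or from Binance): a toy Merkle-sum-tree proof of liabilities in Python, where a cleartext non-negativity check stands in for the zero-knowledge range proof the post mentions. The ledger figures and the reserve amount are constructed, and the second run shows how one fictitious debtor hides a shortfall once negative leaves are tolerated.

```python
import hashlib


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _i64(n: int) -> bytes:
    return n.to_bytes(8, "big", signed=True)


def leaf(customer_id: str, balance: int) -> tuple[bytes, int]:
    # A leaf commits to (id, balance); the balance travels alongside the
    # hash so that parent nodes can sum it.
    return _h(b"leaf", customer_id.encode(), _i64(balance)), balance


def merkle_sum_root(nodes: list[tuple[bytes, int]]) -> tuple[bytes, int]:
    # Internal node = H(left, right, left_sum + right_sum), paired with that sum.
    level = list(nodes)
    while len(level) > 1:
        if len(level) % 2:
            level.append((_h(b"empty"), 0))  # pad odd levels with a zero leaf
        level = [
            (_h(b"node", l[0], r[0], _i64(l[1] + r[1])), l[1] + r[1])
            for l, r in zip(level[::2], level[1::2])
        ]
    return level[0]


def verify_solvency(balances: dict[str, int], reserves: int,
                    allow_negative: bool = False) -> bool:
    # Auditor-side check. The non-negativity test is the crucial one: without
    # it, a fictitious customer with a negative balance shrinks the root sum.
    if not allow_negative and any(b < 0 for b in balances.values()):
        return False
    _root_hash, total_liabilities = merkle_sum_root(
        [leaf(cid, bal) for cid, bal in balances.items()])
    return reserves >= total_liabilities


# Constructed sample data (hypothetical figures, not any real exchange's).
HONEST_LEDGER = {"alice": 60, "bob": 50}          # real liabilities: 110
PADDED_LEDGER = {**HONEST_LEDGER, "ghost": -20}   # fictitious debtor hides 20

if __name__ == "__main__":
    reserves = 100  # only 100 on hand, so the exchange is actually insolvent
    print(verify_solvency(HONEST_LEDGER, reserves))                       # False
    print(verify_solvency(PADDED_LEDGER, reserves, allow_negative=True))  # True
    print(verify_solvency(PADDED_LEDGER, reserves))                       # False
```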