Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Industry experts say the incident shows even seasoned professionals can fall victim


Troy Hunt, the security blogger behind data breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
In a blog post disclosing the incident, Hunt described how the attack took place, with screenshots of the phishing email, which purported to come from his email marketing provider, Mailchimp.
The trap used a classic phishing tactic: a button that linked to a page with a URL similar to the legitimate one – mailchimp-sso.com (now deactivated) versus mailchimp.com.
Hunt, who said he was “really jet lagged and really tired” at the time, entered his credentials and the one-time password (OTP), and the page then hung rather than loading.
“Moments later, the penny dropped,” Hunt wrote. “I logged onto the official website, which Mailchimp confirmed via a notification email which showed my London IP address.”
“I immediately changed my password, but not before I got an alert about my mailing list being exported from an IP address in New York,” he added.
Hunt himself and others in the industry reacting to the news have said this is an example of how hackers exploit human weaknesses to carry out successful attacks.
In Hunt's case, tiredness led to a lack of attention, which in turn led to him falling for a phishing scam of the kind he said he would typically have recognized early.
Erich Kron, security advocate at KnowBe4, said the incident is a prime example of how even a seasoned cybersecurity veteran can fall prey to cyber criminals.
“Social engineering is largely getting the right message to the right person at the right time, and that combination can lead to unfortunate situations such as this.”
Aditi Gupta, principal security consultant at Black Duck, echoed Kron's comments, noting that bad actors deliberately "feed on fear and weaknesses such as tiredness and a sense of urgency" to bait unsuspecting users.
"This recent phishing attack further highlights that, in the end, we are all humans, and sophisticated phishing attacks could get the best of us."
Kron commended Hunt, adding that he “deserves kudos” for revealing what had happened to him and using the incident as an opportunity to educate others.
For his part, Hunt said he has gone through the usual gamut of emotions felt by someone who falls for a scam, including feeling “so stupid” and acknowledged “[his] own foolishness”.
However, he also criticized some of Mailchimp's own practices that he said are poor in relation to data security. These include not offering phishing-resistant two-factor authentication (2FA) – the one-time code he typed into the fake page offered no protection – and not automatically deleting unsubscribed email addresses.
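To illustrate the distinction Hunt draws, here is an added example (not Hunt's code, nor Mailchimp's): a minimal model of a server-side OTP check versus a WebAuthn origin check, using the incident's mailchimp-sso.com lookalike as the phishing origin. The origins, seed and challenge are constructed, and WebAuthn signature verification is left out so that only origin binding is shown.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed values for the walkthrough; not Mailchimp's real configuration or secrets.
LEGIT_ORIGIN = "https://mailchimp.com"      # origin the relying party registered its credentials for
PHISH_ORIGIN = "https://mailchimp-sso.com"  # the lookalike domain from the incident
TOTP_SECRET = b"constructed-shared-secret"  # constructed authenticator-app seed

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the seed and the clock, never on which page it is typed into."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def otp_login(server_seed: bytes, submitted_code: str, t: int) -> bool:
    """Server-side OTP check: it cannot tell a code typed on the real site from one captured by a fake."""
    return hmac.compare_digest(submitted_code, totp(server_seed, t))

def webauthn_client_data(origin_shown: str, challenge: bytes) -> bytes:
    """The clientDataJSON a browser signs over: it records the origin the user is actually on."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": b64, "origin": origin_shown}).encode()

def webauthn_login(expected_origin: str, expected_challenge: bytes, client_data: bytes) -> bool:
    """Relying-party check (signature verification omitted): origin and challenge must both match."""
    data = json.loads(client_data)
    padded = data["challenge"] + "=" * (-len(data["challenge"]) % 4)
    challenge_ok = base64.urlsafe_b64decode(padded) == expected_challenge
    return data["type"] == "webauthn.get" and data["origin"] == expected_origin and challenge_ok

def phishing_outcome(t: int) -> dict:
    """Same victim, same real server, two second factors; only the origin-bound one stops the relay."""
    # OTP: the victim types the code into the lookalike page and the attacker forwards it.
    otp_relayed = otp_login(TOTP_SECRET, totp(TOTP_SECRET, t), t)
    # WebAuthn: the browser binds the assertion to mailchimp-sso.com, so the real site rejects it.
    challenge = b"constructed-server-challenge"
    webauthn_relayed = webauthn_login(LEGIT_ORIGIN, challenge, webauthn_client_data(PHISH_ORIGIN, challenge))
    return {"otp_relay_succeeds": otp_relayed, "webauthn_relay_succeeds": webauthn_relayed}
```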
Hunt concluded his blog post by offering his “sincere apologies to anyone impacted by this”, but added that “on balance I think this will do more good than harm and I encourage everyone to share this experience broadly”.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.