I would never fall for a Phishing email
Really? Are you sure?
It’s that kind of overconfidence that can lead to a fall. Even those you would never expect to fall victim, including security expert Troy Hunt, can get hit when they have other things on their mind and get complacent…
Listen to this tale of woe to remind you to be careful.
More Info:
Troy Hunt: A sneaky phish just grabbed my Mailchimp mailing list
TroyHunt.com
Creator of HaveIBeenPwned site falls for Phishing Email
PCMag.com
Please remember that the InfoLine is free to share/distribute to your friends and family.
Who is Troy Hunt?
Troy Hunt is a Microsoft MVP for Developer Security, runs a blog about all things IT security, has testified before the US Congress on the impact of data breaches, and runs the “Have I Been Pwned” site (a free service that aggregates data breaches and lets people check whether their accounts have appeared in one). He regularly speaks around the world and runs developer-focused security workshops. In short, he is someone who knows a thing or two about being safe on the web.
This is not the guy you would expect to fall for a phishing email. And yet, he did.
What happened?
Waking up jet-lagged on an international trip, Troy opened his email to find a message purportedly from Mailchimp (an email marketing platform he uses) stating that his sending privileges had been restricted because of a “spam complaint”. He clicked the “Review Account” link in the email and logged in to resolve the problem, unwittingly handing his credentials to an attacker-controlled site that mimicked Mailchimp. Moments later he realized his mistake, went to the real Mailchimp site directly in his browser and changed his credentials.
Long story short: in the short window between entering his credentials on the fake site and changing his password on the real one, the attacker’s automation had already exported his entire email subscriber list.
What did he do wrong?
With 20/20 hindsight, he realized (too late):
- Hovering over the link would have shown that it pointed to “mailchimp-sso.com” rather than “mailchimp.com”; he only noticed this afterwards. Registering a lookalike domain that contains the brand name is a common attacker tactic, because at a glance it looks legitimate.
- The email was written with a sense of urgency (your account is restricted, act now), pushing him to take action before he could think it through fully.
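The hover check in the list above can be turned into a routine check. The following is an added example written for this InfoLine; it is not code from Troy Hunt’s write-up or from Mailchimp. It assumes an allowlist containing only mailchimp.com, and the sample links (including the lookalike and punycode domains) are constructed for illustration. Besides the plain lookalike domain from the story, it also catches two related tricks: the brand name placed in a subdomain of an unrelated domain, and the brand name placed before an “@” so that the real host is hidden further along the URL.

```python
"""Check whether a link in an email really points at the domain it claims to.

Added example, not part of the original InfoLine or of Troy Hunt's post.
Assumption: the only legitimate sender domain is mailchimp.com. All sample
URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

# Assumed allowlist of registrable domains a genuine Mailchimp email would link to.
EXPECTED_DOMAINS = {"mailchimp.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two DNS labels ('login.mailchimp.com' -> 'mailchimp.com').

    Simplification for this example: production code should consult the
    Public Suffix List so that hosts such as 'example.co.uk' are handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href: str, expected=EXPECTED_DOMAINS) -> dict:
    """Inspect the real target of a link and list every reason not to trust it."""
    parsed = urlparse(href)
    host = parsed.hostname or ""  # urlparse lowercases this and strips userinfo/port
    reasons = []

    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if not host:
        reasons.append("no hostname in link")
    if parsed.username is not None:
        # https://mailchimp.com@evil.example/ -> the browser goes to evil.example
        reasons.append("text before '@' is userinfo, not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible homoglyph lookalike")

    domain = registrable_domain(host) if host else ""
    if domain not in expected:
        brand_words = {e.split(".")[0] for e in expected}
        if any(word in host for word in brand_words):
            reasons.append(
                f"registrable domain is {domain!r}, not one of {sorted(expected)}; "
                "the brand name appears only as part of a lookalike"
            )
        else:
            reasons.append(f"registrable domain is {domain!r}, not one of {sorted(expected)}")

    return {"host": host, "registrable_domain": domain,
            "trusted": not reasons, "reasons": reasons}


def display_mismatch(visible_text: str, href: str) -> bool:
    """True when the visible anchor text shows a URL whose domain differs from the real target.

    Plain words such as 'Review Account' make no domain claim and return False.
    """
    text = visible_text.strip()
    if "://" not in text:
        text = "https://" + text
    shown = urlparse(text).hostname or ""
    if "." not in shown:
        return False
    return registrable_domain(shown) != registrable_domain(urlparse(href).hostname or "")


if __name__ == "__main__":
    # Constructed sample links: one genuine, the lookalike from the story, and two variants.
    samples = [
        "https://login.mailchimp.com/account",
        "https://mailchimp-sso.com/review",
        "https://mailchimp.com.evil.example/login",
        "https://mailchimp.com@evil.example/",
        "https://xn--mailchimp-test.com/",
    ]
    for url in samples:
        result = classify_link(url)
        verdict = "OK      " if result["trusted"] else "SUSPECT "
        print(verdict, url, "; ".join(result["reasons"]))
    print("anchor text mismatch:",
          display_mismatch("https://mailchimp.com/review", "https://mailchimp-sso.com/review"))
```

Run against a real mail by feeding it the href values from the message source rather than the link text; the text is whatever the sender chose to show, the href is where the browser will actually go.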
Our take home message:
- Check each and every email before taking an action. Assume every email is fake and look for clues that prove it. If a message asks you to log in, do not use its link: open the site yourself by typing the address or using a bookmark.
- Remember that even experts in the field can fall for these tricks. They are designed to fool us, and we need to be on guard.
How did Troy handle it?
- He realized that he had made a mistake and fixed it quickly by logging in to the correct Mailchimp website directly through a browser and changing his credentials.
- He owned up to his mistake, and added his own Mailchimp breach to his “Have I Been Pwned” site.
- He publicized his mistake to use it as a warning to others. This must have been a huge slice of humble pie for him.
If you have questions about this, please let us know and we will be happy to assist you.
Take care,