Hacker News

Kurt Got Got

235 points, by tabletcorry, yesterday at 9:02 PM, 153 comments

Comments

bradgessler, yesterday at 10:15 PM

When we did annual pen testing audits for my last company, the security audit company always offered to do phishing or social engineering attacks, but advised against it because they said it worked every single time.

One of the most memorable things they shared is they'd throw USB sticks in the parking lot of the company they were pentesting and somebody would always put the thing into a workstation to see what as on it and get p0wned.

Phishing isn't really that different.

Great reminder to setup Passkeys: https://help.x.com/en/managing-your-account/how-to-use-passk...

stavros, yesterday at 10:05 PM

Ever since I almost got phished (I wasn't looking closely enough at the domain to notice a little stress mark over the "s" in the domain name; thankfully I was using a hardware wallet that prevented the attack entirely), I realized that anyone can get phished. They just rely on you being busy, or out, or tired, and just not checking closely enough.

Use passkeys for everything, like Thomas says.

KingOfCoders, today at 4:51 AM

Phishing training does not work.

"Understanding the Efficacy of Phishing Training in Practice" https://arianamirian.com/docs/ieee-25.pdf

pants2, yesterday at 10:46 PM

This "content violation on your X post" phishing email is so common, we get about a dozen of those a week, and had to change the filters many times to catch them (because it's not easy to just detect the letter X and they keep changing the wording).

We also ended up dropping our email security provider because they consistently missed these. We evaluated/trialed almost a dozen different providers and finally found one that did detect every X phishing email! (Check Point fyi, not affiliated)

It was actually embarrassing for most of those security companies because the signs of phishing are very obvious if you look.

grinich, yesterday at 11:49 PM

I got hit with the same kind of phishing attack a couple months ago

It's pretty incredible the level of UI engineering that went into it.

Some screenshots I took: https://x.com/grinich/status/1963744947053703309

roughly, yesterday at 10:45 PM

I was reading this and wondering why it was posted so high (I didn’t recognize the company name), and then I got to the name at the bottom. I think the lesson here is “if it could happen to Kurt, it could happen to anyone.” Yeah, the consequences here were pretty limited, but everyone’s got Some vulnerability, and it’s usually in the junk pile in the corner that you’re ignoring. If the attacker were genuinely trying to do damage (as opposed to just running a two-bit crypto scam), assuming the company’s official account is a fine start to leverage for some social engineering.

tgsovlerkhgsel, yesterday at 10:11 PM

This is why properly working password managers are important, and why as a web site operator you should make sure to not break them. My password not auto-filling on a web site is a sufficient red flag to immediately become very watchful.

Code-based 2FA, on the other hand, is completely useless against phishing. If I'm logging in, I'm logging in, and you're getting my 2FA code (regardless of whether it's coming from an SMS or an app).

herval, yesterday at 10:03 PM

Great writeup, but also gotta say that’s some excellent phishing

lawik, today at 4:36 AM

Funny!

Now that Kurt doesn't have commit access, who do I ask to get the internal Fly Slack bot fizz off of my behind?

I was in a devrel channel for a short while and ever since it has asked me to write updates in a channel I don't have access to. Frequently.

__jonas, yesterday at 10:37 PM

That's some impressive work on the attacker's part, having that whole fake landing page ready to go, and a pretty convincing phishing email.

I don't know much about crypto, so I'm not sure what makes them call the scam 'not very plausible' and say it 'probably generated $0 for the attackers'. Is that something that can be verified by checking the wallet used on that fake landing page?

reassess_blind, today at 3:50 AM

Is there an anti-phishing extension that detects whether the domain is close to, but not exactly the popular legitimate domain? Would probably need to use a local LLM for the detection. If not I might look into making one.

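
A stdlib-only Python sketch of the detector reassess_blind describes, added here as an example (not code from the thread, and no LLM needed): it strips accents and swaps a few known confusable glyphs before comparing the hostname against a constructed allow-list, so the "stress mark over the s" trick from stavros's comment collapses back to the real name. The domain list and the confusables table are assumptions and far smaller than a real extension would ship.

```python
import unicodedata

# Constructed allow-list of the sites the check protects (assumption, not from the thread).
KNOWN_DOMAINS = ["x.com", "fly.io", "github.com", "google.com"]
# Hand-picked look-alike substitutions (Cyrillic letters as escapes so they are unambiguous);
# a real extension would use the full Unicode confusables table.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "\u0131": "i", "\u0430": "a",
               "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x"}

def skeleton(host: str) -> str:
    """Collapse a hostname to a plain-ASCII form so visual look-alikes compare equal."""
    host = host.strip().lower().rstrip(".")
    if "xn--" in host:                    # punycode label(s): recover the Unicode form first
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    # NFKD splits accented letters into base + combining mark; dropping marks (Mn) undoes the accent
    host = "".join(c for c in unicodedata.normalize("NFKD", host)
                   if unicodedata.category(c) != "Mn")
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(bad, good)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the plain typo-squat case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """'legit', 'homograph', 'typosquat' or 'unknown' for the hostname shown in the URL bar."""
    host = host.strip().lower().rstrip(".")
    if host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "legit"
    sk = skeleton(host)
    for known in KNOWN_DOMAINS:
        if sk == known or sk.endswith("." + known):
            return "homograph"            # renders like the real domain but is not it
        name, tld = known.rsplit(".", 1)
        sk_name = sk.rsplit(".", 1)[0]
        # one typo (two for longer names); very short names like "x" are skipped as too noisy
        if len(name) >= 4 and sk.endswith("." + tld) and \
                edit_distance(sk_name, name) <= (1 if len(name) < 6 else 2):
            return "typosquat"
    return "unknown"
```

A browser extension would run `classify` on `location.hostname` at navigation time and warn on anything but "legit"; the short-name gap (one typo in "fly.io" is not flagged) is the trade-off for not warning on every three-letter domain.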
tptacek, yesterday at 10:05 PM

I want to say again that the key thing in this post is that anything "serious" at Fly.io couldn't have gotten phished: your SSO login won't work if you don't have mandatory phish-resistant 2FA set up for it. What went wrong here is that Twitter wasn't behind that perimeter, because, well, we have trouble taking Twitter seriously.

We shouldn't have, and we do take it seriously now.

jryio, yesterday at 9:56 PM

I'm always glad to see when companies, developers and CEOs make a heartfelt and humanistic mea culpa.

We would like to think that we're the smart ones and above such low level types of exploits, but the reality is that they can catch us at any moment on a good or bad day.

Good write up

deepfriedrice, yesterday at 11:09 PM

I don't know the gullibility of the average tech CEO but this doesn't strike me as a very convincing phishing attempt.

* "We've received reports about the latest content" - weird copy

* "which doesn't meet X Terms of Service" - bad grammar lol

* "Important:Simply ..." - no spacing lol

* "Simply removing the content from your page doesn't help your case" - weird tone

* "We've opened a support portal for you " - weird copy

There are so many red flags here if you're a native English speaker.

There are some UX red flags as well, but I admit those are much less noticeable.

* Weird and inconsistent font size/weight

* Massive border radius on the twitter card image (lol)

* Gap sizes are weird/small

* Weird CTA

classified, today at 5:27 AM

X Terms of Service error: Meme not dank enough.

silexia, yesterday at 10:24 PM

CEO here, I also almost got taken by a fake legal notice about a Facebook post. My password manager would not auto-enter my password, so I tried manually entering it like a dummy. Fortunately, it was the wrong one.

rtpg, yesterday at 10:54 PM

Fly has consistently surprised me at how late they have been to doing the "standard company" stuff. Their sort of lack of support engineering teams for a while affected me way more though.

You gotta take the Legos away from the CEO! Being CEO means you stop doing the other stuff! Sorry!

And yes they have their silly disclaimer on their blog, but this is Yet Another "oh lol we made a whoopsie" tone that they've taken in the past several times for "real" issues. My favorite being "we did a thing, you should have read the forums where we posted about it, but clearly some of you didn't". You have my e-mail address!

Please.... please... get real comms. I'm tired of the "oh lol we're just doing shit" vibes from the only place I can _barely_ recommend as an alternative to Heroku. I don't need the cuteness. And 60% of that is because one of your main competitors has a totally unsearchable name.

Still using fly, just annoyed.

chews, today at 12:51 AM

if anyone @ x.com infosec is here, my buddy got her account phished / there is someone in CS selling creds. Then it was used to pump a crypto scam and she has been trying for months to get it sorted. She's had the account for 16 plus years, it's surprising it's this hard to fix.

It's x.com/leighleighsf, we've tried every channel but for filing a small claims lawsuit in Texas to get her account back.

foxglacier, today at 1:40 AM

Like with occupational safety, we should worry about near misses as well as actual hacks. If you realize you just logged into X from a link in an email, you should berate yourself for could-have-been-hacked. Never enter credentials into links from emails!

nofriend, yesterday at 10:43 PM

> But if we’d actually done an ICO, you’d have lost all your money anyways.

tru tru

kwar13, today at 4:19 AM

That was beautiful to read. lol.

x0x0, yesterday at 10:10 PM

... could we get webauthn / yubikeys prioritized for fly? afaik (don't want to disable 2fa to find out), it only supports totp.

For everyone reading though, you should try fly. Unaffiliated except for being a happy customer. 50 lines of toml is so so much better than 1k+ lines of cloudformation.

dyauspit, yesterday at 10:26 PM

When did fly.io create their own crypto?

paxys, yesterday at 10:42 PM

> This is, in fact, how all of our infrastructure is secured at Fly.io; specifically, we get everything behind an IdP (in our case: Google’s) and have it require phishing-proof MFA.

Every system is only as secure as its weakest link. If the company's CEO is idiotic enough to pull credentials from 1Password and manually copy-paste them on a random website whose domain does not match the service that issued it, what is to say they won't do the same for an MFA token?

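
tgsovlerkhgsel's point above that a code-based second factor is relayable, and tptacek's that SSO behind phishing-resistant MFA is not, in an added stdlib-only Python model (not code from the thread or from Fly.io): the TOTP verifier has no notion of where the code was typed, while a WebAuthn-style verifier rejects an assertion whose signed origin is not the relying party's own. The HMAC stand-in for the authenticator's signature, the credential secret and the look-alike origin are assumptions.

```python
import hashlib, hmac, json, os, struct, time

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code says nothing about where it is typed."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def verify_totp(secret: bytes, code: str, at: int) -> bool:
    # No 'origin' parameter exists: a code typed into a look-alike page and relayed verifies fine.
    return hmac.compare_digest(totp(secret, at), code)

# WebAuthn-style assertion, simplified. Real WebAuthn signs with an asymmetric credential key;
# an HMAC over a per-credential secret stands in for the signature here (assumption) so the
# example runs on the standard library alone. What matters is what gets signed: the origin.

def authenticator_sign(cred: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    """Browser + authenticator side: the browser fills in the origin the page actually has."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    to_sign = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash,
            "signature": hmac.new(cred, to_sign, hashlib.sha256).digest()}

def verify_assertion(cred: bytes, rp_id: str, expected_origin: str, challenge: str, a: dict) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature over both."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:      # the phishing-resistance check
        return False
    if a["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = a["rpIdHash"] + hashlib.sha256(a["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred, to_sign, hashlib.sha256).digest(), a["signature"])

def demo() -> dict:
    """Same user, same credential, two origins. Constructed values throughout."""
    totp_secret, cred, now, chal = os.urandom(20), os.urandom(32), int(time.time()), "constructed-challenge"
    code = totp(totp_secret, now)                       # read off the user's app, typed into either page
    real = authenticator_sign(cred, "x.com", "https://x.com", chal)
    # the browser would not even let this origin use an x.com credential; the RP check is the backstop
    fake = authenticator_sign(cred, "x.com", "https://x-com.example", chal)
    return {"totp_accepted_from_anywhere": verify_totp(totp_secret, code, now),
            "assertion_from_real_origin": verify_assertion(cred, "x.com", "https://x.com", chal, real),
            "assertion_from_lookalike": verify_assertion(cred, "x.com", "https://x.com", chal, fake)}
```

The TOTP routine is checked against the RFC 6238 test vector (secret "12345678901234567890" at t=59 gives 94287082), so the contrast is between two correct verifiers, not a broken one.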