WesolyKubeczek 2 days ago

When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them. You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them. You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency. Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.
tialaramex 2 days ago | parent

> Don’t worry, when they actually target you, you’ll be caught.

When they target me, which happens, it doesn't work because of WebAuthn. Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them. It's the same philosophy as Rust itself: machines are really good at diligently performing a simple task, so don't leave those tasks to human vigilance; that is a foolish misallocation of resources.