Troy Hunt, creator of the Have I Been Pwned website
Troy HuntThe phishing attack was “highly automated and designed to immediately export the list before the victim could take preventative measures,” Hunt wrote.The attack highlights the limitations of passwords and two-factor authentication (2FA) in preventing phishing attacks. Hunt said the incident highlights the need for more sites to adopt passkeys, a modern alternative to passwords that relies on cryptographic secrets stored on registered devices.”By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it’s entered,” Hunt concluded.Hunt told CSO that he had never previously fallen victim to a phishing attack, to the best of his knowledge.”Fallibility it something we all have, I never thought I was immune,” Hunt said. The security researcher added that the incident illustrated that “security is a shared responsibility” so simply blaming security unsavvy users for falling victim to phishing attacks fails to get at the heart of the problem.More sites and services should introduce passkeys or non-phishable 2FA alternatives which should not involve any major expense or difficulty in applying, Hunt concluded.
Even seasoned pros are susceptible to phishing: Aditi Gupta, principal security consultant at Black Duck, said the attack illustrated how bad actors feed on fear and weaknesses such as tiredness and a sense of urgency in order to bait unsuspecting users.”Using passkeys is an immediate preventative measure, but basic hygiene like evaluating sender identity and double-checking domains on a different browser before clicking and entering credentials is a smart thing to do,” according to Gupta.Erich Kron, security advocate at security awareness vendor KnowBe4, added that the incident illustrates how even a “seasoned professional can fall victim to a well-done phishing attack”.”This is one reason we should avoid shaming users who have made a mistake and potentially clicked on a link or performed some other action,” Kron said. “Organisations should work toward a security culture that celebrates reporting.”Kron added: “Hunt deserves kudos for speaking about it publicly, admitting his error and using this to help educate others.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3854489/even-anti-scammers-get-scammed-security-expert-troy-hunt-pwned-by-phishing-email.html
