Learning from Troy Hunt’s Sneaky Phish

Troy Hunt has a good post about being phished. Good on Troy for being transparent; he talks about being tired and jet lagged, and that deserves sympathy. Attackers are sneaky. Troy honorably admits that he overrode 1Password and filled out the phishing site. In this post, I want to share why I think I wouldn’t fall for this, even jet lagged.
My defense is intensive sorting into folders, enabled by custom email addresses. I tell mailchimp my email is mailchimp827@threatsbook.com. I then route that to a mailbox called “vendors.” If the message lands anywhere else, it wasn’t sent to the address I gave mailchimp, and it’s a phish or spam. I don’t have to think that much because the expectation is that there’s no corporate mail in my inbox. There’s a variant, which is “plus addressing.” Most mail services will deliver email with a plus in the username. So if you’re adam@example.com, adam+randombits@example.com will likely reach you, and that extra part can be used for sorting.
If I’m looking at my mailchimp folder, it’s probably email from mailchimp. If it’s anywhere else, it’s almost certainly not from them.
Maybe some jerk will see this, think all of Adam’s custom addresses are “vendor and three digits,” and say, “hah, I’ll send to all of those!” I’ll see dozens or hundreds of attempts, and I may get sneakier, and tell mailchimp they’re now +fdsafu8ewrejwddms. (I do this for banks, and send them to a folder named for the bank. It makes for entertaining conversations when customer support people ask me to confirm my email address.) You can also use ‘from’ addresses as part of your sorting, but it turns out a lot of companies will switch those up in various ways, and so it requires more ongoing tuning effort.
Even if you don’t run email domains, you can leverage sorting. Troy uses Microsoft email, and there’s a rules setting which is perfect for filing emails. Less perfectly, the Google mail web interface offers labels, which are less effective than folders for ensuring you see them. But nothing prevents you from using a different UI like Apple mail or Outlook with your gmail.com address. You can name folders in ways that will help your vigilance.
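As an added illustration of the sorting rule above (my own example, not code from the post), here is a small filter that files a message by the private alias it arrived at, handles plus-addressing, and flags mail that names a vendor but never reached that vendor’s alias. The alias table, vendor keywords and sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed alias table: the private address handed to each vendor -> folder.
ALIASES = {"mailchimp827@threatsbook.com": "vendors"}
# Constructed plus-addressing base: adam+<tag>@example.com files into folder <tag>.
PLUS_BASE = "adam@example.com"
# Vendor names that should only ever show up in mail reaching a private alias.
VENDOR_KEYWORDS = {"mailchimp", "hertz"}


def recipients(msg):
    """Every address the message was sent or delivered to, lowercased."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def classify(raw_message):
    """Return the folder to file a message into, or 'suspect' for mail that
    names a vendor but did not arrive at the address we gave that vendor."""
    msg = message_from_string(raw_message)
    for rcpt in recipients(msg):
        if rcpt in ALIASES:
            return ALIASES[rcpt]  # arrived where only the real vendor should send
        local, _, domain = rcpt.partition("@")
        base, _, tag = local.partition("+")
        if tag and f"{base}@{domain}" == PLUS_BASE:
            return tag  # plus-addressing: the tag is the folder name
    # No private alias was hit. A vendor name in From (real domain, lookalike
    # domain or just the display name) is the "right brand, wrong mailbox" case.
    sender = msg.get("From", "").lower()
    if any(name in sender for name in VENDOR_KEYWORDS):
        return "suspect"
    return "inbox"


# Constructed sample messages.
LEGIT = "From: Mailchimp <no-reply@mailchimp.com>\nTo: mailchimp827@threatsbook.com\nSubject: Campaign report\n\nbody\n"
PHISH = "From: Mailchimp Support <help@mailchimp-login.example>\nTo: adam@threatsbook.com\nSubject: Verify your account\n\nbody\n"
PLUS = "From: Hertz <reservations@hertz.com>\nTo: adam+hertz@example.com\nSubject: Reservation\n\nbody\n"

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("phish", PHISH), ("plus", PLUS)):
        print(label, "->", classify(m))
```

Mail filed as "suspect" is exactly the case the post describes: the brand is right but the mailbox is wrong, so it gets looked at with the assumption that it is a phish.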
As an aside, the old internet of protocols meant people created new tools to interface with them as a matter of course. Today, little companies like Slack are too small to define APIs that enable such things as they nimbly compete with open source projects like Mastodon, who somehow manages to support a wide set of clients. That enables experimentation, exploration and emergent solutions, perhaps not envisioned or prioritized by the designers or product managers at a specific vendor.
Update: On Mastodon, Paul mentions memorability. And yes, there’s a real tradeoff there. You can absolutely do this with simpler strings like “hotels” or “hertz,” and you’re making a tradeoff of memorability for security. There are cases where I’d never need the string away from my computer. And there are cases, like banks, where I’m willing to stop and look them up.