Twilio customer data exposed after its staffers got phished Twilio confirmed someone breached its security and accessed "a limited number" of customer accounts after successfully phishing some of its employees. The company declined to respond to The Register's inquiries about how many customers' accounts were compromised and the type of data that the crooks stole, though the …
A lot of my users have been getting very targeted phishes claiming to be from managers, along with sigs matching the sender's actual titles, etc. Figured out it's just harvested from LinkedIn. Hard to protect people when they self-publish everything needed to pretend to be them.
but I still prefer to, you know, check the URL before I open it. If the server behind that link is hosting attack code your fake password trick is only solving one problem when you face two.
Though if you did feed a unique fake in and it pops up somewhere, that will connect some dots. But the attacker can easily check if it succeeded, so they should also be aware it's a fake after the failed login, and your machines IP may be the only thing that shows up in the logs. Unless you can cut over to a honeypot, which would let you flip that script in a fairly literal sense.
Except as has been proven many times over, humans are **REALLY** bad at a) looking at the URL and b) determining whether it is valid.
From mobile browsers hiding the URL, to non-Western characters in the domain to make it look right, to variations on the domain name (twilio-support.com, login-twilio.com, etc.), anyone, whether company or user, relying on reading the URL for their security is going to hit trouble.
See https://www.troyhunt.com/humans-are-bad-at-urls-and-fonts-dont-matter/ for a good write-up with examples.
> humans are **REALLY** bad at a) looking at the URL and b) determining whether it is valid.
And companies (especially banks and similar unimportant websites) are **REALLY** good at making legit URLs look as suspect as possible, clearly to progressively desensitize the victim customer until he accepts any funny looking URL as legit.
That is, if the browser even allows you to see it, apparently nowadays URLs are considered uncool and something you shouldn't worry your pretty little head with... O tempora, o mores...
> If it was accepted then (a) you don't give a real one, (b) you can raise the alarm
Won't work, because usually the attacker site immediately uses it to log in, so he will immediately know it's incorrect and most likely tell you and ask for the correct one, much like the legit site.
In breaches of this kind time is precious, the attackers will try to establish a solid foothold in your network before somebody smarter then the rest sounds the alarm and passwords get changed.
> Give an incorrect password the first time
DON'T do that.
You've thought about it. So have the people who make a living out of this. The credentials are checked real time, which is also how you get around 2FA.
If in any doubt at all about the legitimacy of a site just don't login, plain and simple.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
