Crates.io phishing attempt

> If your bank calls you, hang up and log in or call their support number yourself.

And don't trust the number you see on Google. Google is known to show scammers' phone numbers in featured snippets or in their new "AI Mode". Click on the link and make sure it's the correct site before trusting the number.

Always good advice for anything. A variation of this is that you should also not answer the negative: that you definitely did not do something, if someone asks you that on a phone call. This is meant to spread harm to others.

I was speaking to a pharmacist yesterday. Apparently certain pharmacy insurance companies in the US have set up call centers that randomly call people and ask.

"We are from the fraud check department. Did you ask for receiving XYZ medication that your insurance paid $$$$$$ for?". The guy who does who's salary is an order of magnitude smaller, immediately panics and denies he ever asked for XYZ, even though they are obviously taking the medication. The purpose is of-course for pharmacy insurance companies to challenge/deny claims for on ALL XYZ orders the pharmacy made.

Of course checking insurance payouts is a hassle so most people reach for panic first and shortly thereafter denial.

Definitely. I get scammers calling me from a caller id that claims to be my bank asking about suspicious charges, and they know my name and have my account info, but they ask for my full credit card number to "verify" it. Yet, they give different suspicious charges every time you ask.

The worst part is that when I call the bank to see if its legit, they are much less pleasant to deal with than the scammers...

Same applies in person. I’ve had people knocking on my door offering a discount on my electric bill.

— You just need to do accept <whatever, I forget> and you’ll pay less.

— But I don’t want to switch providers, I’m happy with the current one.

— Oh no, you’ll stay with the same provider, we’re with them, that doesn’t change.

— Alright, then I’ll call the company to discuss this further and get the discount.

— Unfortunately, this is only valid this way. Not by calling or online.

— Then I’m not interested. Bye.

One of my neighbours was tricked at a different time by a similar scam, forcing them into a contract with a different company.

>> Don't trust anyone contacting you for sensitive stuff

For not sensitive either. If something is a good deal - they will not be calling me, it's me who should call to find and get the best deal.

The spammy calls I've gotten lately are for "tax help from the IRS" ... I really feel there's a special place in hell for people that do that.

Sage advice

Wow, thats pretty bad. Reminds me of the old Paypal Invoice scams where scammers would upload the paypal logo as the invoice logo (which appears top left) and essentially “bill” the user. The scammer the adds inside the invoice note a paragraph explaining “Your money is being held due to currency exchange issues”, which gives basic reason to the “monetary deduction”. It got me as a kid, was quite slick for the time. Thought these scam-methods would be at least flagged these days before going out.

This kind of incompetence should result in PayPal loosing its banking permits in the EU. This is unacceptable and there is no way for an average person to identify the fraud and that is PayPal's fault.

There should be no way to send custom text from Paypal to a stranger. They don't even parse out phone numbers!

Let's say someone falls for this.

What happens next, when they become the business account secondary user?

> Why does it seem like phishing is popular again?

Was it ever not popular? Looking at my spam box, I receive countless of phishing attempts per week, and doing some quick queries of the total count over time, it seems to more or less been the same for the last 2-3 years at the very least.

I'm not sure why it's such big news all of a sudden, probably because it recently succeeded against a developer of some popular npm packages?

I think most people either have the phishing emails flagged, so they never see them. The ones that get seen, get ignored as obvious phishing. And for the ones that click the link, their password manager would stop them from entering their detail. And then you have the final 0.0001% who never protected themselves, and were tired/stressed at that very moment, and fell for it.

So I guess ultimately it's bound to become news every now and then, until everyone finally got the memo to get a proper password manager that don't show accounts that don't belong to the domain.

Pure speculation - but I'm wondering if one or a few of the black hat players has figured out a good way to leverage AI to phish more effectively at scale, and are taking a stab at all the venues that host code that's within a lot of dependency chains.

A little thing that doesn't help the situation is when legitimate emails link you to domains that aren't obviously controlled by the company.

For example, yesterday at work I got an onboarding email from Lattice (lattice.com) with a link to latticehq.com, which triggered my phishing instincts before I remembered that was their old domain.

From my perspective, adjacent to front-line end user IT support in a lot of the work I do, phishing has never not been popular in the last couple decades.

It feels like it has become significantly more prevalent in the last couple years (tracking the rise of "business email compromise" being a term-of-art).

One of the worst, my SO approved "notifications" on some website.. and was getting viral alert notifications via that system. It looks like a typical tray notification in windows, and other than it's got a chrome header, it would be pretty easy to fall for. And this is why, before they passed, one of my Grandmothers was on Linux, and my other was on a Chromebook... no cleaning off random Windows malware twice a year.

People realized that past phishing attempts were quite badly constructed and a well constructed one is actually really easy to fall for.

I can't imagine that the absurd number of greenhorns entering the industry due to their "vibecoding prowess", or the inevitable number of people in management that perpetuate this fantasy of nocoder devs has anything to do with it. Surely not.

Again? Phishing is a constant threat. And it's easy to fall for them because you only need to drop your guard once to become a victim. Stress, tiredness, or intoxication can all contribute to even someone who thinks they're good at spotting phishing attempts suddenly falling for one.

Phishing attempts are usually low-effort and easily seen through, npmjs.help one was good though.

It never became unpopular. It's one of, if not the, leading cause of compromise.

I experience and wonder the same thing, but literally yesterday I had to help my grandmother recover from a phishing scam that actually (very nearly) worked on her. So there you go.

The worst (or best, I suppose) thing about phishing is that it automatically filters in the fools for you.

Phishing is dumb and easy to detect by purpose. I's to filter victims who are an easy target.

When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them.

You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them.

You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency.

Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.

> That's an exceptionally well crafted phishing email and landing page

I dunno, same was said about the npm email, but I think this one is even worse.

First off, crates.io doesn't even do their own authentication, it's GitHub auth all the way. So that smells incredibly funny immediately. What information would even be compromised here, the GitHub profile's email?

Secondly, why would the Rust foundation alert about this before the Crates/Cargo group does? It seems to come from the wrong people, but fair enough, most people don't have knowledge the Rust organizations I'm guessing.

Thirdly, if there truly was an security issue with crates, I'd expect that to be plastered all over the internet, not the very least official Rust website and crates.io, immediately. They wouldn't wait and reach out to authors first, then publicly announce it. Would be my guess at least.

In the end, a tired and/or stressed person could miss all of those things, which happens sometimes with phishing. We're all human after all, shit goes through the cracks sometimes, even to the best of us.

That's why it's really important that people stop trying to fight phishing by manually preventing it by processes, or going to the website instead of clicking links and so on. Just get a password manager that can connects domains with credentials, then when the list of accounts don't show up when you expect it to, pay close attention to what's going on. Otherwise you can just move forward without much thinking.

Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.

All I get is the message "onto the next package manager. WHOHOOO! - stdout"

This prompted me to check, and seems like KeePassXC supports storing passkeys, at least if you use the browser extension and enable a flag in its config. Until now I had thought it only supported unlocking your database with passkeys, I didn't know about it being able to actually store them.

I guess I'll try setting them up on some unimportant website to see for myself what all the hype is about.

My bluesky post was the one quoted in the OP.

I do think it was a decent attempt. A phishing attempt making it past gmail's spam filter is somewhat rare for me. Certainly less than weekly. And something this targeted is definitely a ~yearly occurrence (or less).

The major tip-offs for me were:

1. It was weird to be getting this from the Rust Foundation. The phishers likely don't understand Rust's governance structure. It's a common misconception shared by outsiders.

2. If a security incident like this would have occurred, there would have 100% been some kind of public communication about it on the rust-lang.org domain. I get notified whenever there's a new post there. So I knew this wasn't referencing a real event.

3. I also knew that crates.io doesn't manage authentication. It farms that out to GitHub. So the crates.io people wouldn't be communicating to me about my GitHub credentials being compromised. It didn't make sense.

And then finally, the URL is funny.

The somewhat scary part here though is that all of my points above come from being pretty dialed into the Rust organization and how things actually work.

But yeah, as a general rule of thumb, I always question any email asking me to log into something that wasn't just activated by me (like a "forgot my password" flow or something).

Finally, when I worked at Salesforce, the IT team there would occasionally send out fake phishing emails and ask you to report them to the team. I never fell for one, but I assume if I had, I would have been notified about it. I thought it was a very effective campaign because it always kept me on my toes.

I've grown old enough to ignore sense of urgency when coupled with authentication.

That e-mail does not pass my sniff test.

Being asked to login via an “internal login page” is a huge, bright red flag. It doesn’t matter what the reasoning is, if it’s not the same domain or an SSO integration that is well known to both you and the vendor then you shouldn’t be using it. This is security 101 type stuff.