Dev: *Recieves email from manager with several typos/grammar mistakes asking to open attachment with strange name and click on tinyurl style link*

Dev: *Flags as phishing*

Manager: Hey how come you didn’t action my email?

Dev: That was actually from you?

Manager: Yes.

Dev: …

> Be me
> Desperate for a driver
> Find nothing useful
> Oh a GitHub repo, hmmh
> '𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 𝐡𝐞𝐫𝐞 ===> tinyurl.com/XXXXXX'
> Nope
> It's time to report!

Context:

- The url is a redirect chain to a phishing site

- Repo is completely empty except for a single folder with 1000+ files all named after drivers, with the same 'download' link, and probably scraped website text at the bottom (probably to increase searchability)

- The 'user' joined just a couple days ago and has no other repos

Email: "we have carried out a phishing test company wide"

Me: Nice!

Email: "results are here"

Me: wow, already done? Didn't even see the email. I must've subconciously discarded it! Damn, I'm good!!

Email: "the test was carried out yesterday"

Me: *was OOO y-day*

Me: fuck

The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.

Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.

I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.

In highschool we went through something like a malware/phishing prevention course.

It was pretty cool tbh, we spend the whole hour in a virtual environment where you'd see common malware and phishing attempts, but the really fun you could also "hack" other students.

Hacking them means you could cause some things to happen on their "PC". One of those was showing in a captcha on their screen and they had to type a the string of your choosing, before they could access the rest of the "virtual computer" again.

You can probably guess where this is going.
I was the first who had the idea to mix big i and small L and tested it on our teacher, who was also part of this environment and screenshared to the projector.

Thanks to sitting next projection I could see the pixels and I can confirm: same character, Pixel perfect!

I will forever cherish the memory of my the teacher begging me to undo the "hack" and the chaos that followed amongst my peers 😈

Also one of the excersizes was stupid. Click on a phishing mail and enter your credentials in the form. I asked the teacher WTF kind of credentials they even want me to enter to microsooft.cum and they just said "the credentials obviously" so I think they got their karma🖕

All mail clients are intentionally made not to show sender email address, but rather their chosen name to then launder money on anti-phishing trainings.

Got a phishing email with a link to a website hosted by wix. The only thing on the site was a form and submit button so I’m sure it’s for collecting credentials. I was able to report them and wix shut it down which was nice. But I was thinking, if someone were to ddos the web server, what action would wix do? Would they let the requests keep coming and increase the customers bill? Or would they just shut down the server?

I just experienced a new level of wut at my job. Web Engineering has a Google group email. This morning someone at work sent us an email about canceling a work order (and he didn’t know how to cancel it)…for a plumbing issue 😑Wrong engineering department, my dude. And you can cancel your work order by going to the request system where you submitted it or the email receipt of you request, which was certainly not to this Google group email. You have the work order number, so you must have an email somewhere about your request. And how’d he get this email?? I’m seriously wondering if this is a weird phishing attempt.

!dev-related

Found out that a pervert from my gf’s highschool took a bunch of screenshots of her Instagram (bikini pictures, etc.) and posted them to the r/breeding and other fucked up subreddits even though she was only 16/17 in the photos

We notified the uni he goes too and nothing happened. We noticed the police of his hometown and they said they couldn’t do anything because he was currently at his uni

He then claimed it was a rumor and it wasn’t him even though the Reddit account that posted it had a previous post that directly connected the Reddit account to his Instagram account and the Reddit account mentioned had a post that mentioned his home town

My poor gf is now having panic attacks bc this motherfucker wanted to jerk his tiny dick off with his retard friends bc they were rejected by her in highschool

It’s taking so much effort not to send him some phishing emails and empty his fucking bank account