- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
It’s completely different. In that case, they were able to set up a fake business to accept payments, which is way more sophisticated than what happened to me. In my case, they just needed my login name and phone number, and I had reused the login name on several sites, so a number of places could have been involved in a breach. All the scammer had to do in my case was:
- check if I have an account at a major banking institution
- call me, pretending to be the fraud department
- get me to give them my SMS code (they’d trigger it through the normal “forgot my password” process)
- keep me on the line long enough to link an external account
- get me to give them another SMS code (“final authorization” or whatever)
That’s it, just two pieces of information, some smooth talking, and a little luck that I don’t catch on. Cory Doctorow’s situation required quite a bit more setup than that:
- get Amex to approve them as a merchant
- create a fake online ordering website that gets enough SEO to show up in search results
- have someone actually place an order at the vendor so nobody gets wise
That’s a lot more sophisticated than what happened to me.
He got scammed again? Damn. Sorry, I was referring to this one. And not really the details of the scam, but it was the wrong place / wrong time element that reminded me.
Edit: the article you linked is older, so I guess not “again”.
Oh yeah, that’s a lot more similar.