https://warpcast.com/~/channel/eth-security

Andrew
@andrewmohawk
If you missed it, I definitely recommend you take a look at @nick.eth's tweet thread about a fairly clever phishing attack: https://x.com/nicksdjohnson/status/1912439023982834120

TL;DR: the attackers change the app name to the message, Google sends it to you, and then they host the actual phishing site on `sites.google.com`.

This attack underscores the value of using Passkeys and hardware security keys (like YubiKeys). Unlike traditional username/password logins or codes sent via SMS or used in Authenticator apps, passkeys and hardware tokens use cryptographic proofs that are tied directly to the exact domain of the legitimate site. They will refuse authentication on any other domain—even if it looks visually identical. This makes passkeys and YubiKeys effectively 100% immune to phishing attacks like these.

Additionally, password managers can help by automatically identifying domain mismatches, preventing users from submitting credentials to fraudulent websites.
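
An added example, not part of the original post: a simplified Python sketch of the domain-binding checks a WebAuthn relying party runs on a login assertion, applied to constructed assertions from the real origin, a lookalike domain, and a sibling subdomain. The `example.com` names, the challenge values and the helper functions are assumptions made for illustration, and signature verification is left out because the standard library has no ECDSA.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                             # assumed relying-party ID
EXPECTED_ORIGIN = "https://accounts.example.com"  # assumed real login origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what the browser and authenticator return."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data

def failed_checks(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of the binding checks that fail (empty list = pass)."""
    cd = json.loads(client_data)
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:  # exact match, never a suffix match
        failed.append("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rpIdHash")
    elif not auth_data[32] & 0x01:
        failed.append("userPresent")
    # A real verifier next checks the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the stored public key.
    return failed

def demo() -> dict:
    issued = b"constructed-challenge-0001"
    cases = {
        "legitimate": make_assertion(EXPECTED_ORIGIN, RP_ID, issued),
        "lookalike domain": make_assertion("https://accounts.examp1e.com", "examp1e.com", issued),
        "sibling subdomain": make_assertion("https://sites.example.com", RP_ID, issued),
        "stale challenge": make_assertion(EXPECTED_ORIGIN, RP_ID, b"constructed-challenge-0000"),
    }
    return {name: failed_checks(cd, ad, issued) for name, (cd, ad) in cases.items()}

if __name__ == "__main__":
    for name, failed in demo().items():
        verdict = "accepted" if not failed else "rejected: " + ", ".join(failed)
        print(f"{name:18} {verdict}")
```

The sibling-subdomain case carries a valid `rpIdHash` and is caught only by the exact origin comparison, which is why that comparison must not be relaxed to a suffix or registrable-domain match.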

Andrew
@andrewmohawk
I'm still not entirely in love with passkeys. I think the UX is iffy and I don't like the shareability, but I will take them every day over OTP/authenticators/SMS! If you go YubiKeys, I like to do the 5C NFC, which works for phones too, and the 5C Nano, which just lives in the computer; they are even easier to use than any other form of MFA!