- PyPI warns the phishing attack will continue, using fake domains and urgent-email tactics
- Victims are tricked into "verifying" accounts via typosquatted domains such as pypi-mirror.org
- Users and maintainers are urged to adopt phishing-resistant 2FA and domain-aware password managers
The phishing attack against PyPI users and maintainers continues, the Python Software Foundation warns, calling on members to tighten up security and remain vigilant.
A new blog post by the Foundation's Security Developer-in-Residence, Seth Larson, notes that the latest attacks are a continuation of a month-long campaign using convincing emails and typosquatted domains to steal people's login credentials.
"Unfortunately, the string of phishing attacks using domain confusion and legitimate-looking emails continues," Larson wrote. "This is the same attack PyPI saw a few months ago, and it targets many other open source ecosystems, but with a different domain name. Judging from this, we believe this type of campaign will continue with new domains in the future."
How to remain safe
In the emails, victims are asked to "verify" their addresses for "account maintenance and security procedures" and are threatened with account closure if they do not comply.
This sense of urgency and threat is typical of a phishing email. The link redirects victims to pypi-mirror.org, a domain not owned by PyPI or the Python Software Foundation.
"If you have already clicked on the link and entered your credentials, we recommend changing your password on PyPI immediately," Larson warned. "Examine your account's security history for anything unexpected. Report suspicious activity, such as potential phishing campaigns against PyPI, to [email protected]."
Phishing is both extremely difficult and extremely easy to defend against. In theory, common sense and a moment's thought before clicking are enough in most cases. For the moments when attention lapses, users are advised to use phishing-resistant 2FA such as hardware security keys.
Maintainers, for their part, should use a password manager that autofills credentials based on the domain name. If autofill does not trigger on a site where it usually does, that is a huge red flag: the page is not on the domain the credential was saved for. Phishing-resistant 2FA is also recommended.
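The domain check behind that red flag is simple enough to show in a few lines. The following is an added example, not code from PyPI, the PSF or The Register: a toy vault records the domain each credential was saved on, and autofill is offered only on an exact match of the page's registrable domain. It approximates the registrable domain as the last two DNS labels (a real manager consults the Public Suffix List), and the vault entry, the brand list and the helper names are all constructed for the example.

```python
"""Domain-aware autofill decision, as a password manager makes it.

Added example (not PyPI's or The Register's code). Assumes a vault that
records the registrable domain each credential was saved on, and
approximates the registrable domain as the last two DNS labels (real
managers consult the Public Suffix List instead).
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault entry: a PyPI credential saved while logged in on pypi.org.
VAULT = {"pypi.org": {"username": "maintainer-example"}}

# Constructed brand words that should only ever appear on vault domains;
# seeing them elsewhere is the "domain confusion" the article describes.
PROTECTED_BRANDS = ("pypi", "python")


def registrable_domain(url: str) -> str:
    """Return the lower-cased registrable domain of url (last two labels).

    This is a simplification, but it preserves the distinction autofill
    needs: 'pypi.org.evil.example' collapses to 'evil.example', while
    'pypi-mirror.org' stays 'pypi-mirror.org'. Neither equals 'pypi.org'.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def should_autofill(url: str) -> bool:
    """Offer the saved credential only on an exact registrable-domain match.

    Substring or prefix matches never count: that is precisely why a
    typosquatted login page stays empty when autofill is the habit.
    """
    return registrable_domain(url) in VAULT


def lookalike_reason(url: str) -> Optional[str]:
    """Explain why a page is suspicious when autofill declines.

    Returns None for vault domains and for unrelated sites, otherwise a
    short reason suitable for a user-facing warning or a phishing report.
    """
    domain = registrable_domain(url)
    if domain in VAULT:
        return None
    host = (urlsplit(url).hostname or "").lower()
    for brand in PROTECTED_BRANDS:
        if brand in host:
            return f"'{brand}' appears in untrusted domain {domain!r} (host {host!r})"
    return None


if __name__ == "__main__":
    # Constructed URLs: the real login page, the lookalike from the article,
    # and a brand-in-subdomain variant.
    for page in ("https://pypi.org/account/login/",
                 "https://pypi-mirror.org/account/verify",
                 "https://pypi.org.evil.example/login"):
        print(page, "autofill:", should_autofill(page), "|", lookalike_reason(page))
```

The point of the design is that the decision is made on the registrable domain the browser actually connected to, not on anything the email or the page says about itself, so a convincing "verify your account" page on pypi-mirror.org gets no credential and a visible warning instead.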
Via The Register