Kurt Got Got

We know. Our Twitter got owned. We knew within moments of it happening. We know exactly how it happened. Nothing was at risk other than our Twitter account (and one Fly.io employee’s self-esteem). Also: for fuck’s sake. Here’s what happened: Kurt M

Thomas Ptacek
7 min readintermediate
--
View Original

Overview

The article discusses a phishing incident involving Fly.io's CEO, Kurt Mackey, detailing how the attack was executed and the lessons learned from it. It emphasizes the importance of phishing-resistant authentication methods and the vulnerabilities associated with shared accounts on platforms like Twitter.

What You'll Learn

1

How to recognize phishing attempts and respond effectively

2

Why phishing-resistant authentication is crucial for security

3

When to implement multi-factor authentication (MFA) in your organization

Key Questions Answered

How did the phishing attack on Fly.io's CEO occur?
The phishing attack was successful due to a well-crafted email that exploited psychological vulnerabilities, specifically targeting the CEO's insecurities about social media engagement. The attackers used a fake alert to prompt a response, leading to unauthorized access.
What are the best practices to prevent phishing attacks?
Implementing phishing-resistant authentication methods, such as FIDO2 and Passkeys, is essential. These methods ensure that real credentials are not sent to fake sites, thereby reducing the risk of successful phishing attempts.
What lessons can be learned from the Fly.io Twitter incident?
The incident highlights the importance of using secure authentication methods and maintaining hygiene in credential management. It serves as a reminder that even seemingly low-risk accounts can be targeted and compromised.
What challenges did Fly.io face in recovering from the phishing attack?
The recovery process took approximately 15 hours due to the attacker revoking tokens and setting up new two-factor authentication, which required intervention from Twitter. This delay illustrates the complexities involved in account recovery.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Authentication
Fido2
Used as a phishing-resistant authentication method.
Authentication
Passkeys
Another form of phishing-resistant authentication mentioned in the article.
Security
1password
Used for managing credentials securely.

Key Actionable Insights

1
Implement phishing-resistant authentication methods across all accounts.
Using technologies like FIDO2 and Passkeys can significantly reduce the risk of phishing attacks by ensuring that credentials are not easily compromised.
2
Regularly audit access to shared accounts and credentials.
Maintaining strict control over who has access to sensitive accounts can help prevent unauthorized access and reduce the impact of phishing attacks.
3
Educate team members about the risks of phishing and social engineering.
Understanding the tactics used by attackers can empower employees to recognize and report suspicious activities, thereby enhancing overall security.

Common Pitfalls

1
Failing to recognize phishing attempts due to psychological manipulation.
Attackers often design phishing emails to exploit specific vulnerabilities, making it crucial to remain vigilant and skeptical of unexpected communications.
2
Over-reliance on user training to prevent phishing.
While training is important, it is not foolproof. Organizations should implement technical controls alongside training to effectively mitigate phishing risks.

Related Concepts

Phishing-resistant Authentication Methods
Multi-factor Authentication (mfa)
Credential Management Best Practices