Claudius Link boosted
Gillo
@alicudi.bsky.social@bsky.brid.gy  ·  activity timestamp 4 weeks ago

In the new multi-channel social engineering landscape, LinkedIn is one of the main breeding grounds for phishing attacks. This article, even if biased given its sponsor, gives a good overview of the risks. www.bleepingcomputer.com/news/securit... #socialengineering #phishing #infosec #linkedin

BleepingComputer

5 reasons why attackers are phishing over LinkedIn

Attackers are increasingly phishing over LinkedIn to reach executives and bypass email security tools. Push Security explains how real-time browser protection detects and blocks phishing across apps and channels as users load malicious pages.
Ricky Mondello
@rmondello@hachyderm.io  ·  activity timestamp 4 weeks ago

@publicvoit @renchap @gracjan Nice try. Please watch my explanation that I sent to Renaud.

Karl Voit :emacs: :orgmode:
@publicvoit@graz.social replied  ·  activity timestamp 4 weeks ago

@rmondello @renchap @gracjan To my understanding, some implementations that allow migration of #passkeys to other accounts are prone to #Phishing.

https://arxiv.org/abs/2501.07380
"Another concern could be #socialengineering, where a user is tricked into sharing a passkey with an account controlled by an attacker." -> classic phishing, I'd say.

Convenience vs. #security, the usual trade-off.

According to that, roaming authenticators (classic #FIDO2 USB/NFC devices that are able to handle passkeys) are the only phishing-resistant method.

Still, Passkeys are much better than anything else (except FIDO2 HW tokens, of course) but it seems to be the case that the slogan that passkeys are 100% protecting against phishing isn't true any more.

What are your thoughts on that angle?

arXiv.org

Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication

With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.
Federation Bot
@Federation_Bot  ·  activity timestamp 2 months ago

Google won’t fix ‘ASCII smuggling’ hack in Gemini AI

‘the issue can only result in social engineering’

https://www.youtube.com/watch?v=Yr8ENG1y5Cw&list=UU9rJrMVgcXTfa8xuMnbhAEA - video
https://pivottoai.libsyn.com/20251011-google-wont-fix-ascii-smuggling-hack-in-gemini-ai - podcast

time: 3 min 47 sec

con man holds up two empty hands, and picks pocket of the other guy with a third hand
SpaceLifeForm
@SpaceLifeForm@infosec.exchange replied  ·  activity timestamp 2 months ago

@davidgerard

Interesting. I got an SMS spam from Gemini recently. I cannot delete it. If I try, it just nags me to sign up. It takes over the UI. So, it remains to be forever ignored.

#UI #UX #SocialEngineering

David Meyer boosted
Robert W. Gehl
@rwg@aoir.social  ·  activity timestamp 3 months ago

Robert Redford is dead. My first thought was about the celebration of the movie #Hackers yesterday. I know, I know -- Redford isn't in that.

No, Redford was in the vastly superior hacking movie Sneakers, which is by far my favorite movie depicting #socialEngineering. If you haven't seen it, I wrote a post a few years ago about a great moment here:

https://hackcur.io/hacker-tools-include-cake-and-balloons/

#sneakers #RobertRedford

joene 🏴🍉 boosted
joene 🏴🍉
@joenepraat@todon.nl  ·  activity timestamp 3 months ago

Andrewism: How You're Being Manipulated

"What's shaping our world and the way we think? Let's dig into how the system manipulates us and how awareness can change everything."

https://www.youtube.com/watch?v=707roJgBAAw

Watch also Manufacturing Consent here:

https://kolektiva.media/w/gNZx8E39oyvAdyzgjkKe4d

#SocialEngineering #media #socialMedia #manipulation #ManufacturingConsent #resist
