It's really common now for phishing kits to use interstitial pages that require solving a captcha before the actual phishing content is shown
Victims just click through the captcha without thinking, but it makes automatic verdicting by security scanners a pain because they just see a captcha page: can't tell the brand being impersonated, or even if it's a phishing site
Interesting! What I was thinking of was use of legitimate captcha integrations (reCAPTCHA, hCaptcha) in front of fake banking websites. Drives me crazy that there isn't an easy avenue to report those.
Oh, some of them definitely use a real reCAPTCHA, hCAPTCHA, or Turnstile widget. It's actually useful sometimes to track the same API key being used across multiple different domains.
But yeah, I wouldn't even know where to report those API keys for abuse
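The pivot mentioned above, the same captcha site key turning up on several domains, is the kind of thing a scanner can do even when all it sees is the interstitial. The following is an added example, not code from the thread's authors: it pulls reCAPTCHA, hCaptcha and Turnstile site keys out of fetched HTML and groups hostnames by shared key. The hostnames, site keys and page fragments are all constructed for the example (the hosts sit under the reserved .example TLD), and the key-shape fallback in `_provider_for` is a heuristic, not a documented format guarantee from the providers.

```python
import re
from collections import defaultdict

# Constructed sample site keys, shaped like real reCAPTCHA / hCaptcha / Turnstile
# keys but made up for this example.
RECAPTCHA_KEY = "6L" + "x" * 38                        # reCAPTCHA keys: 40 chars, start "6L"
HCAPTCHA_KEY = "10000000-ffff-ffff-ffff-000000000001"   # hCaptcha keys: UUIDs
TURNSTILE_KEY = "0x4AAAAAAAexampleKey"                  # Turnstile keys: start "0x"

# Constructed HTML fragments standing in for pages fetched from five hostnames.
SAMPLE_PAGES = {
    "secure-login.example": (
        '<script src="https://www.google.com/recaptcha/api.js"></script>'
        f'<div class="g-recaptcha" data-sitekey="{RECAPTCHA_KEY}"></div>'
    ),
    "account-verify.example": (
        f'<script src="https://www.google.com/recaptcha/enterprise.js?render={RECAPTCHA_KEY}"></script>'
        f'<div class="h-captcha" data-sitekey="{HCAPTCHA_KEY}"></div>'
    ),
    "checkpoint.example": f'<div class="cf-turnstile" data-sitekey="{TURNSTILE_KEY}" data-theme="dark"></div>',
    "verify-human.example": f"<div id='widget' data-sitekey='{TURNSTILE_KEY}'></div>",
    "plain-page.example": "<html><body><h1>No widget here</h1></body></html>",
}

# Any tag carrying a data-sitekey attribute (all three widgets use that attribute).
TAG_RE = re.compile(r'<[a-zA-Z][^>]*\bdata-sitekey\s*=\s*["\']([^"\']+)["\'][^>]*>', re.I)
# reCAPTCHA v3 / Enterprise pass the key in the script URL instead of a div.
RENDER_RE = re.compile(r'recaptcha/(?:api|enterprise)\.js\?[^"\'\s>]*?\brender=([A-Za-z0-9_-]+)', re.I)


def _provider_for(tag: str, key: str) -> str:
    """Name the provider from the widget's class; fall back on key shape (heuristic)."""
    t = tag.lower()
    if "g-recaptcha" in t:
        return "recaptcha"
    if "h-captcha" in t:
        return "hcaptcha"
    if "cf-turnstile" in t:
        return "turnstile"
    if re.fullmatch(r"6L[A-Za-z0-9_-]{38}", key):
        return "recaptcha"
    if re.fullmatch(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", key):
        return "hcaptcha"
    if key.startswith("0x"):
        return "turnstile"
    return "unknown"


def extract_widgets(html: str) -> list:
    """Return sorted, de-duplicated (provider, sitekey) pairs found in one page."""
    found = set()
    for m in TAG_RE.finditer(html):
        found.add((_provider_for(m.group(0), m.group(1)), m.group(1)))
    for m in RENDER_RE.finditer(html):
        found.add(("recaptcha", m.group(1)))
    return sorted(found)


def cluster_by_sitekey(pages: dict) -> dict:
    """Map each (provider, sitekey) to the sorted list of hostnames serving it."""
    clusters = defaultdict(set)
    for host, html in pages.items():
        for widget in extract_widgets(html):
            clusters[widget].add(host)
    return {w: sorted(hosts) for w, hosts in clusters.items()}


def shared_keys(clusters: dict, min_hosts: int = 2) -> dict:
    """Keep only keys seen on at least min_hosts hostnames: the infrastructure pivot."""
    return {w: hosts for w, hosts in clusters.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (provider, key), hosts in shared_keys(cluster_by_sitekey(SAMPLE_PAGES)).items():
        print(f"{provider} key {key} shared by: {', '.join(hosts)}")
```

In the constructed sample the reCAPTCHA key links two hosts (one via a div, one via an Enterprise `render=` URL) and the Turnstile key links two more, one of them with no class attribute at all, while the hCaptcha key appears once and is not reported. On real scanner output the clusters are the part worth keeping: a site key reused across otherwise unrelated hostnames is a useful pivot for grouping pages from one kit even before any brand content is visible.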
> BM25F (or the BM25 model with Extension to Multiple Weighted Fields) is a modification of BM25 in which the document is considered to be composed from several fields (such as headlines, main text, anchor text)
https://en.wikipedia.org/wiki/Okapi_BM25
..huh, yep, you're right. That's.. super embarrassing and huge screw up on my part, uhg. I was 100% positive I submitted the order through Namecheap before pushing the repo up to GitHub for this exact reason, and that it went through.. but yeah, looks like I didn't and we don't own it. :(
Good news is we've got doctree.org, so will be using that instead. I've removed all references to the other domain.
If it was a good samaritan, shoot me an email -> stephen@sourcegraph.com
You mean "some dev deciding to keep using the .dev for personal test projects, as was the standard before ICANN and Google took a standard community resource and privatized it, yet again"
Before ICANN started auctioning off TLDs it was common practice to use .dev and .test (probably others that escape me).
It wasn't formalized, but that doesn't really matter. It was well known and commonly done.
In fact, it couldn't have been formalized, because the TLDs were limited and by definition any non-standard TLD was for internal use only. It would make no sense to have a defined standard for an impossible situation.
> In fact, it couldn't have been formalized, because the TLDs were limited and by definition any non standard TLD was for internal use only.
No, there never was any guarantee that the existing TLDs were all that would exist ever, so non-standard TLDs were just that: non-standard, undefined what happens to them. And you even provided a counter-example: .test is explicitly reserved by an internet standard to never be in public DNS and thus safe to use for testing purposes.
Using .dev was always contrary to spec. Dunno how common it actually was—I personally never encountered it. Clearly ICANN decided it wasn’t such a hazard as .home and .corp, which are both indefinitely delayed (https://icannwiki.org/Name_Collision) due to their popularity (despite being contrary to spec). You should instead have used something like .localhost (reserved in RFC 2606) if it’s on your local machine, or .test (reserved in RFC 2606) in a local network, or some domain that you control (even if it’s not publicly routable).
Oh, 100% I need some more docs on the page: it's definitely not foolproof.
From my testing, it works even if the window is in the background somewhere but generally it stops working if you switch to a different tab within the same window.
Yup, that's my bad CSS I'm afraid. https://bulma.io explicitly resets the color of <a> tags inside a hero, so I need to figure out how to stop/override that
I think this is "zero day" in the sense of no patch is available, not in the sense of skipping responsible disclosure.
This has a CVE number allocated (CVE-2022-29072) and the README mentions 7-zip disputing that this is their problem (rather, some underlying Windows component).
Good sentiment but so so tricky to get the wording right. You've got to write a sentence so perfect the fraudster can't pervert it or persuade the victim to ignore it.
For your example, the fraudster could say "yes, your account is being targeted by criminals, that's why I'm calling you". The warning inadvertently backs up their story.
It feels like a bit of a stretch "so you are calling me to tell me about criminals after you said you would never call me because that's what criminals do?"
If their intelligence is that low at that point, the criminals can skip all these hoops and directly ask them for their credit card numbers, saying they are from the bank and need to verify them.
Mate, I've met lawyers who sent millions to Nigeria. They're not low intelligence. They're very smart people.
Who were very desperate and clung to a highly irrational hope because they really needed one. Also, they often believed that it couldn't be a scam, because they were intelligent, and only dumb people get scammed. Quod Erat Demonstrandum...
Now, were they low wisdom? Definitely.
The old joke that "intelligence is knowing that a tomato is a fruit, wisdom is not putting it in a fruit salad", is still very true.
Plenty of intelligent people do very dumb things all the time. NXIVM, Scientology, a guru's cult who may or may not commit biological attacks at local salad bars. All have intelligent people involved.
After all, they couldn't have cultured their salmonella if they didn't.
Depending on how you read the sentence, it may mean that they will not call you about that specific email, but they will call you if you're being targeted by criminals. So the caller says "I'm not calling you about a specific email that you've received, but because your account is being targeted by criminals".
It's not about having low intelligence. It's about being caught off guard. Not everyone is in a big city and has constant contact with fraudsters. Some people are in small towns where they trust everyone, and when they receive a call from the supermarket or some other place they usually just trust them too. So they are not attempting to find all the flaws in the caller's reasoning; they may just think that the wording was a bit off, but an understandable mistake, and continue the conversation.
> Not everyone is in a big city and has constant contact with fraudsters. Some people are in small towns where they trust everyone, and when they receive a call from the supermarket or some other place they usually just trust them too.
Yeah, I grew up in a small town. Guess what? We didn't trust anyone we didn't already know and trust. Strangers are danger until they prove otherwise. That goes triple on the Internet.
> Victims just click through the captcha without thinking, but it makes automatic verdicting by security scanners a pain because they just see a captcha page: can't tell the brand being impersonated, or even if it's a phishing site
I wrote a post about a number of these which actually pretend to be Cloudflare! https://phish.report/blog/fake-cloudflare-interstitials