- PyPI warns phishing attacks will persist using fake domains and urgent email tactics
- Victims are tricked into verifying accounts via typosquatted sites like pypi-mirror.org
- Users and maintainers urged to adopt phishing-resistant 2FA and domain-aware password managers
Phishing attacks against PyPI users and maintainers are going to continue, the foundation is warning, as it urged members to tighten up on security and remain vigilant.
A new blog post, published by the foundation's security developer-in-residence, Seth Larson,noted the most recent attacks are a continuation of a months-long campaign that uses convincing emails and typosquatted domains to steal people’s login credentials.
“Unfortunately the string of phishing attacks using domain-confusion and legitimate-looking emails continues," Larson wrote. "This is the same attack PyPI saw a few months ago and targeting many other open source repositories but with a different domain name. Judging from this, we believe this type of campaign will continue with new domains in the future.”
How to stay safe
In the emails, the victims are asked to “verify” their addresses for “account maintenance and security procedures”, and threatened with account closure if they don’t comply.
This sense of urgency and threat is typical for a phishing email, which redirects victims to pypi-mirror.org, a domain not owned by PyPI or the Python Software Foundation.
“If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately,” Larson warned. “Inspect your account's Security History for anything unexpected. Report suspicious activity, such as potential phishing campaigns against PyPI, to security@pypi.org.”
Phishing is both extremely difficult, and extremely easy to defend against. In theory, just using common sense and thinking before clicking should suffice in most cases. However, just in case of a drop in focus, users are advised to use phishing-resistant 2FA such as hardware tokens.
Maintainers, on the other hand, should use a password manager which auto-fills based on domain name. If auto-fill isn’t working when it usually does, that is a huge red flag. Phishing-resistant 2FA is also recommended.
Via The Register
You might also like
- What is a Secure Web Gateway?
- Take a look at our guide to the best authenticator app
- We've rounded up the best firewall software around
