Why does it seem like phishing is popular again? Maybe bad actors forgot how gullible humans were? I get phishing attempts nearly daily via email or sms and I honestly thought “Who would fall for this?” every time one came in.
The only phishing I can see that would be extremely hard to detect are browser extension injections (either in extension window or page replacement) so the domain is legitimate.
Seems like identical approach to the npm phishing attempts. There was some good suggestions last time like locking down the ability to upload packages for a few days after a security change.
If you get a message (text, email or call), it's best to not trust the contents of the message until you verify it by logging in or whatever yourself. If crates.io says you have a problem, close the email and go to crates.io yourself. If your bank calls you, hang up and log in or call their support number yourself. Don't trust anyone contacting you for sensitive stuff
I got an official email from Paypal last week saying that I had a charge for $900 at Kraken, and to call some number if it's suspicious.
What's great about the attack is that it's sent from paypal.com and signed by paypal. And the email contains a legit link to paypal, not some phishing site. But the phone number is the attack.
The attack:
1. Register a paypal business account
2. Add the victim's email address (or one that forwards to them) to the biz account's "secondary users"
3. Add a custom invitation message about how they have a $900 charge that they need to contest by calling a phone number that you control.
4. Paypal shows your custom invitation message inline with their official email with no indication that it was written by someone other than paypal (wtf?)
Here's the email that was of course surrounded by Paypal's own official email chrome:
> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.
I called the number and some guy started asking me for my info starting with my full name. I didn't hang around on the call long enough to see what the attack was.
Amusing. You have to ignore SSL to get the image since the site has HSTS enabled.
A coincidence is that today I got a "two factor code from Coinbase. If you did not request this, call this number". Ho ho ho. Yes, I will call your number, Coinbase.
That's an exceptionally well crafted phishing email and landing page. It looks so real! Even the URL looks legit - github.rustfoundation.dev (the real URL is rustfoundation.org).
Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge).
As chad as Rust devs supposedly are, something tells me at least a few of them are going to fall for this attack.
12 comments
[ 2.9 ms ] story [ 32.7 ms ] threadhttps://blog.rust-lang.org/2025/09/12/crates-io-phishing-cam...
The only phishing I can see that would be extremely hard to detect are browser extension injections (either in extension window or page replacement) so the domain is legitimate.
https://docs.github.com/en/authentication/authenticating-wit...
What's great about the attack is that it's sent from paypal.com and signed by paypal. And the email contains a legit link to paypal, not some phishing site. But the phone number is the attack.
The attack:
1. Register a paypal business account
2. Add the victim's email address (or one that forwards to them) to the biz account's "secondary users"
3. Add a custom invitation message about how they have a $900 charge that they need to contest by calling a phone number that you control.
4. Paypal shows your custom invitation message inline with their official email with no indication that it was written by someone other than paypal (wtf?)
Here's the email that was of course surrounded by Paypal's own official email chrome:
> New Profile Charge: We have detected a new payment profile with a charge of $910.45 USD at Kraken.com. To dispute, contact PayPal at (805) 500-8413. Otherwise, no action is required. PayPal accept automatic pending bill from this account.Your New PayPal Account added you to the Crypto Wallet account.
I called the number and some guy started asking me for my info starting with my full name. I didn't hang around on the call long enough to see what the attack was.
Chad Rust Devs
vs.
Virgin NPM Devs Falling For Phishing
Amusing. You have to ignore SSL to get the image since the site has HSTS enabled.
A coincidence is that today I got a "two factor code from Coinbase. If you did not request this, call this number". Ho ho ho. Yes, I will call your number, Coinbase.
Btw, if you go to https://rustfoundation.dev right now it says in meme format: Virgin npm devs falling for phishing (sleepy doge) vs Chad Rust devs (shredded doge).
As chad as Rust devs supposedly are, something tells me at least a few of them are going to fall for this attack.