Wednesday, March 27, 2024

1Password.co Tracking Links

Cabel Sasser:

PSA: 1Password uses “1Password.co” for email links — instead of their usual “1Password.com” domain.

Craig Hockenberry:

So the “phishing link” with the .co domain was a valid link and documented as such.

But I still find it inexcusable.

That link caused 30 minutes of complete panic. I know enough about how phishing works to know how absolutely fucked I’d be if that link hadn’t just been to track my click in the email.

Which brings up another question: why is a company I pay to protect my private information using tracking links in the emails it sends me?

Cabel Sasser:

Craig isn’t an idiot; it 100% feels like phishing. If you ask me, tracking link clicks and opens in emails is simply not worth the potential freak-out when you think you’ve been phished[…]

Sam Schmitt:

Another way of looking at this: [it’s] best practice to use a different domain for stuff like this. If the marketing tool gets compromised, you don’t want it to have the ability to send actual phishing domains on the real domain. You’ll see it with other stuff, like Microsoft logins being on “microsoftonline.com”. I agree it does mean you do some double takes.

Hex Batch:

Best practice is using subdomains and not cousin domains.
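The subdomain-versus-cousin-domain distinction above is mechanical enough to check, so here is an added example (my own illustration, not code from 1Password or from anyone quoted here) that classifies where an e-mail link actually points relative to the domain you trust. It assumes a deliberately tiny stand-in for the Public Suffix List (a real deployment would load the full list) and runs over constructed sample links.

```python
"""Classify e-mail link hosts as first-party, cousin domain, lookalike or unrelated.

Added example, not code from 1Password or anyone quoted on this page.
KNOWN_SUFFIXES is an assumed, minimal stand-in for the Public Suffix List;
the sample links at the bottom are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: a hand-rolled subset of public suffixes, enough for the demo.
KNOWN_SUFFIXES = {"com", "co", "net", "org", "co.uk", "com.co"}


def split_host(host: str):
    """Return (registrable_domain, public_suffix) for a hostname, or (None, None).

    Tries the longest known suffix first so 'x.co.uk' yields ('x.co.uk', 'co.uk')
    rather than ('co.uk', 'uk').
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n:
            suffix = ".".join(labels[-n:])
            if suffix in KNOWN_SUFFIXES:
                return ".".join(labels[-(n + 1):]), suffix
    return None, None


def classify_link(url: str, trusted_domain: str) -> str:
    """Classify a URL's host relative to the registrable domain you trust.

    'first-party'  host is trusted_domain or a subdomain of it (links.1password.com)
    'cousin'       same registrable label under a different public suffix (1password.co)
    'lookalike'    trusted domain embedded as a non-registrable label, or the
                   registrable label matches once hyphens are stripped
    'unrelated'    anything else (e.g. a separate brand domain)
    """
    host = (urlsplit(url).hostname or "").lower()
    trusted = trusted_domain.lower()
    if not host:
        return "unrelated"
    if host == trusted or host.endswith("." + trusted):
        return "first-party"

    reg, suffix = split_host(host)
    trusted_reg, trusted_suffix = split_host(trusted)
    if trusted_reg is None:
        raise ValueError(f"trusted domain {trusted!r} has no known public suffix")
    if reg is None:
        return "unrelated"

    label = reg.split(".")[0]
    trusted_label = trusted_reg.split(".")[0]
    if label == trusted_label and suffix != trusted_suffix:
        return "cousin"
    # 1password.com.evil.co or 1-password.com: looks like the brand, is not the brand.
    if trusted in host or label.replace("-", "") == trusted_label:
        return "lookalike"
    return "unrelated"


def audit_links(urls, trusted_domain: str) -> dict:
    """Map each URL to its classification; handy for scanning one e-mail's links."""
    return {u: classify_link(u, trusted_domain) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, not taken from any real e-mail.
    SAMPLE = [
        "https://links.1password.com/track?id=1",
        "https://1password.co/click/abc",
        "https://1password.com.evil.co/login",
        "https://1-password.com/login",
        "https://microsoftonline.com/",
    ]
    for url, verdict in audit_links(SAMPLE, "1password.com").items():
        print(f"{verdict:12} {url}")
```

Only the first link would have passed a subdomain-based policy; the cousin domain is exactly what the recipient cannot distinguish from a scammer's registration without a documentation lookup, and the last line shows the limit of any string check: a separate brand domain like microsoftonline.com is "unrelated" to microsoft.com by construction and can only be trusted because the vendor says so.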

Troy Hunt:

What makes this situation so ridiculous is that while we’re all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like “here, hold my beer” as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.


2 Comments

I realize that I'm old-school, but I still find it perplexing that reputable companies choose to use Colombian domains for anything at all.

> If the marketing tool gets compromised, you don’t want it to have the ability to send actual phishing domains on the real domain.

But it now is a real domain, and people are used to clicking on links on it. So it wouldn’t mitigate anything.

Time to start 1domain
