Back in February I received a phishing attempt against my account on Wikipedia. I knew it was a phishing attack because Wikipedia said it was "probably me", based on the IP address that was used to request my password reset, when it was not. Anyone who reads Graham Cluley knows enough about hackers and end-user tricks to realize that a request does not have to come from me for this very obvious password-reset method to be used against me.
While I am in IT and work with F5s, security and servers in my position as a System Administrator, I do care that someone else could get nabbed in a phishing scam. So, being proactive, I thought I would give Wikipedia a heads up so that they might look into it, since they gave me an IP address in the UK as the one that had asked for the password reset. Hmm, I live in the US and have never left the country except for a few visits to Niagara Falls and a cruise to the Bahamas, both when I was in my teens or early 20s. Let me see, that would make it the late 70s or early 80s, so I don't think I was logged into a Wikipedia account at that time. You would think, right?
You would also think that for an existing user there would be a pattern of logon attempts and the IPs they came from. This would rule out my being in the UK, or would trigger a security alert that would drop the request. At the very least it would send a wary email saying that someone requested a reset from an IP in a location you have never logged in from before. Nah, instead I receive:
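As an added example (not code from the original post or from Wikipedia), here is the check described above written in Python: a reset request is compared against the account's login history and the country of its source IP, and a second check looks for one source range hitting many accounts, which is the escalation the post asks for. The GeoIP table, login history, request list and account names are all constructed sample data, and the function names are my own.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP lookup (documentation ranges, not real data).
GEO_TABLE = {ip_network("203.0.113.0/24"): "US", ip_network("198.51.100.0/24"): "GB"}

# Constructed login history: IPs each account has successfully logged in from.
LOGIN_HISTORY = {"alice": ["203.0.113.10", "203.0.113.11", "203.0.113.10"]}

# Constructed batch of password-reset requests as (account, source IP) pairs.
SAMPLE_RESETS = [("alice", "198.51.100.7"), ("bob", "198.51.100.9"),
                 ("carol", "198.51.100.200"), ("dave", "203.0.113.5")]

def geolocate(ip):
    """Map an IP to a country code using the sample table; 'unknown' if no match."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "unknown"

def assess_reset_request(user, request_ip, history=LOGIN_HISTORY):
    """Compare a reset request's source against the account's login baseline.
    allow: an address the account has used before;
    warn:  a new address in a country seen before (send the reset, but say so);
    block: a country the account has never logged in from (drop and alert)."""
    seen = history.get(user, [])
    if not seen:
        return "warn"   # no baseline yet, so mail the reset but flag the origin
    if request_ip in seen:
        return "allow"
    known_countries = {geolocate(ip) for ip in seen}
    return "warn" if geolocate(request_ip) in known_countries else "block"

def shared_source_alerts(reset_requests, threshold=3):
    """Escalation check: group reset requests by source /24 and report any
    range that targets `threshold` or more distinct accounts."""
    accounts_by_range = defaultdict(set)
    for user, ip in reset_requests:
        net = ip_network(f"{ip}/24", strict=False)   # collapse to the /24
        accounts_by_range[str(net)].add(user)
    return {net: sorted(users) for net, users in accounts_by_range.items()
            if len(users) >= threshold}

if __name__ == "__main__":
    print(assess_reset_request("alice", "198.51.100.7"))   # block
    print(shared_source_alerts(SAMPLE_RESETS))            # one /24 hitting 3 accounts
```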
Someone (probably you, from IP address 188.8.131.52) requested a reset of your password for Wikipedia
Later in the email it says:
This temporary password will expire in 7 days. You should log in and choose a new password now. If someone else made this request, or if you have remembered your original password, and you no longer wish to change it, you may ignore this message and continue using your old password.
To me that is just ignoring the possible phishing attack, and their response was even harder to believe; I don't think they take security seriously enough to escalate it another level and check whether other accounts were targeted from the same IP or range:
I don’t think there’s much we can do here – if you didn’t make the password reset request then it should be ignored.
This is why many companies are hacked. They don't take it seriously, or they choose to stick their heads in the sand. Good security is more than changing your password.