Incident evaluation revealed the usage of 1Password’s branding, phrasing, and urgency cues, together with authentic help hyperlinks, resulting in the “safe my account now” button that landed victims on a credential-stealing web page on a typosquatted area.
Flawed but a convincing faux
The faux e-mail got here from “watchtower@eightninety[.]com,” an handle that in the first place look appeared genuine. The embedded hyperlink even used Mandrillapp, a Mailchimp service usually seen in real company emails, earlier than redirecting customers to “onepassword[.]com”, a misleading look-alike area.
Including a layer of realism, the “Contact us” hyperlink routed to the true 1Password help web page through the identical Mandrill redirect. The faux e-mail shared by Malwarebytes displayed generic alert messages like ”Your 1Password account password has been compromised” and “Take motion instantly”.
