Want to Piss Off Your It Department? Are the Links Not Malicious Looking Enough?
Source: phishyurl.com. Key topics: Security, Phishing, URL Manipulation.
A website generates malicious-looking URLs that redirect to harmless sites, amusing HN users and sparking discussions on security and corporate IT practices.
Snapshot generated from the HN discussion (story ID 45295898, posted Sep 18, 2025 at 6:40 PM EDT; first comment 38m after posting; peak of 66 comments in the first 0-6h; latest activity Sep 21, 2025 at 4:57 AM EDT; based on 160 loaded comments).
https://carnalflicks.online/var/lib/systemd/coredump/logging...
1: https://pc-helper.xyz/scanner-snatcher/session-snatcher/cred...
As I am still alive, it is still my day. Need I make myself clearer?
I didn't have the guts to tell my family about goatse.
https://mammon.typepad.com/root_of_all_evil/2007/06/goatse_l...
https://match-heaven.club/trojan/malware_dropper.exe?id=0416...
Since you can't exhaustively enumerate every good thing or every bad thing on the internet, a lot of security detection mechanisms are based on heuristics. These heuristics produce a fair number of false positives as it is. If you bring the rate up, it just increases the likelihood that your security folks will miss bad things down the line.
* https://jdebp.uk/FGA/html-message-myths-dispelled.html#MythA...
Ah, I see. We should allow HTML but display it as plain text.
* https://www.emailorganizer.com/kb/T1014.php
The only people who care about HTML mails are scammers and marketers.
In the meantime, does anyone else get a kick out of receiving emails from quarantine@messaging.microsoft.com where they quarantine their own emails?
Edit: I see other people said things that are similar to a more mature version of my feeling. We need to address this in a way that addresses the threat of email links properly, not throw machine learning at guessing which are OK to click. BTW, I'm not implying that you're saying that is what should be done to solve the issue, but I'm sure it's behind the silly MS quarantine I mentioned, and behind an email from the one person I email the most, who is also in my contacts, going to spam in iCloud.
(For a different domain).
The other 10% are people who are just like you and know better.
https://cam-xxx.live/trojan-hunter/evil-snatcher/malware_cry...
Instead of naively trusting the link, only to click it and get rickrolled, you’re naively distrusting the link, so you’ll never know the link was fine all along.
I’ve worked for multiple large companies where the annual IT security signoffs look exactly like malicious emails: weird formatting; originates from weird external url that includes suspicious words; urgent call to action; and threats of discipline for non-compliance.
All this money being spent on training, only to immediately lull users into accepting threats.
I ended up creating my own browser extension for gmail that blocks clicking on any link unless the domain is whitelisted. Now if I click any link and it's not in the whitelist, it shows a popup that displays the domain name, and I can then choose to whitelist it and then it opens the link, or just keep blocking it. I haven't had to re-take any phishing compliance tests in a long time.
Also, we were taught to inspect the URL before clicking on it.
Except that the spam system they use completely mangles the URL...
I hate this trend. Like an overused pool of the same "Secret Questions" every company asks, it needs to be on some "X considered harmful" list.
I'm not sure how many companies that would happen at, but it seems... just dumb enough to be plausible.
(Writing your passwords down on paper is actually less crazy than it sounds like:
It's impossible to hack paper from the internet. And, if someone has physical access to your stuff, they could install a keylogger anyway.)
But at least the answer doesn't match the question.
I've also learned to store the question, as some websites make you select the question before providing the answer. And my answers don't allude to what the original question was.
I usually pick the first or default question. But yeah, that order might change.
You'll definitely want to memorize the password to the backup service that has the last copy of your password vault after a disaster. :P
> Writing your passwords down on paper is actually less crazy than it sounds
I agree that physical security can be incredibly useful against a lot of modern threats... but we can do better. I wish there was a dedicated password-keeper device format of:
* A small keyboard and screen
* The data encrypted at rest by one master password
* Only permits upload/download of the encrypted file over USB. With some companion software, you just plug it into your computer, the computer copies the encrypted file to somewhere on disk that gets regularly backed up, then it disconnects and beeps to tell you it's done.
* Sturdy enough that any "Evil Maid" attack needs to be done by a professional rather than a conniving roommate or jilted partner.
* Tracks history of entries, last-changed, etc.
Why? Write it down. Perhaps leave multiple paper copies around with some trusted people, like your lawyer and a safe deposit box at your bank.
Your proposed device seems a bit complicated. You can get pretty far with a piece of paper and this protocol:
Construct your password from two parts. (1) random gibberish you write down on paper, (2) a 'correct horse battery staple'-style part that you memorise.
Btw, have you looked into Yubikeys? They are better than password storage, because they can store your private keys and do signing with them. The key never leaves the device. (They can also store passwords, I think.)
Those people would then effectively have access to your nearly-current desktop/laptop data from anywhere, especially since they would have to know who you are which greatly simplifies guessing your username/email.
> You can get pretty far with a piece of paper
Password Papers (A) never get backed-up, meaning they'll be locked out of basically everything if the house burns down and (B) I've already tried getting relatives using them to adopt exactly such a fixed+variable combo scheme.
Not great when you're on the phone with United Airlines and the person who's trying to help you get un-stranded asks what your favorite ice cream flavor is.
United has the absolute stupidest secret questions.
my high school mascot? fish-car-base-picture((#$#$&#*4303483
People kept falling for phishing links though, so they got a Trend Micro device to scan emails, which also rewrote every link in it to point to their URL scanning service, which means every link now looks like https://ca-1234.check.trendmicro.com/?url=...; I guess no one would be allowed to click on any link in an email at that company.
Of course, their URL rewrites also broke a good number of links, so you'd wake up to a production incident, and then have to get your laptop, log in manually to Pagerduty/Sentry or what have you, and look up the incident details from the email...
Sounds like something a phisher would do. Better not click.
Handles all the phishing concerns, except that participation was either low or the feedback was negative, which would lead to the leaders issuing subtle threats to the team about how they'd find out the involved folks and fire them. If you tried to uninstall it, it'd be back in a few hours through policy management software (jamf and its ilk). On the internal discussion forums, they'd nuke threads talking about how to disable that software.
So, in the end, people just started giving the best possible feedback regardless of the team or manager performance. I never really needed those threads, all I needed was tcpdump and then blocking its domain in the hosts file :)
Again, YMMV.
That seems to be the best possible strategy for any feedback you have to give as a captive audience?
Reminds me of the feedback German companies are forced to give about their employees. It's like a formal letter of reference, but you can and will be sued if you say anything negative. Consequences are as you would expect.
And because there has been an inflation in how complimentary these letters are, people started suing when their letter wasn't flowery enough, because that somehow could be read as an implicit criticism. (Just like how A is a bad mark, when everyone else gets A+.)
It is, but at that point why even have that bureaucratic process that achieves exactly nothing?
Of course, I understand that being able to pat yourself on the back and concluding with statements like "Leadership is truly connected with its employees, keeping in touch every day through questions about improving the workplace. Our surveys show 99% of our employees are very satisfied with their team, their work, and work-life balance" is "valuable", I guess, I just feel very sad about humanity.
It is a very good question that you should never bring up as captive audience.
Don’t do it with a group which isn’t large enough though, or you’ll all get fired for unionizing^W no reason.
Well, I was talking about the best strategy from the captive audience's point of view. You are now asking about the strategy for the captor.
Going a bit beyond: getting honest feedback out of subordinates is a hard problem! Both formally and informally. That was always a big concern on my mind as a manager.
You got a source for this folktale?
You usually need the reference letter to be reviewed by the works council or by an employment lawyer.
Good to know though, if true.
- grade D, poor performance: "We were satisfied with his performance"
- grade C, meh: "We were entirely satisfied with his performance"
- true grade A+: "We were always satisfied to the utmost degree with his performance", plus highly positive and extensive in the rest of the reference letter.

- "was sociable": alcoholic
- "was always striving for a good relationship with colleagues": was gossiping instead of working
- "sociability was appreciated": had sex with a colleague
- "was very empathic": had sex with a customer
This would be very funny to see on an Arbeitszeugnis for a prostitute. Remember prostitution is legal in Germany.
This code is known by people in the HR and hiring departments. It’s a very weird practice. I have to explain this to my non-German colleagues because for them even a mark F letter sounds awesome ;)
There's a difference in saying "Yes I confirm person X worked here, he did a good job on all the tasks that we have asked him to do" vs "Yes, he was amazing at his job, he was proactive and really drove innovation, we are sad to see him leave"
The German situation is especially unhinged. See https://de.wikipedia.org/wiki/Arbeitszeugnis (ask Google Translate for help, if necessary).
I have written all my recommendation letters myself. The employers just put their letter head and sign it.
I presume you're referring to "Amazon Connections"?
Had to be the most-hated bit of corporate enforcedware around. Every Linux laptop user had a different hack for hobbling or removing it.
This is getting off-topic, but I found it interesting so I'll include more details anyway.
In a lot of cases, all the fuss is to return amounts that are tiny, and yet the companies need to keep reaching out and trying to convince people. I got $0.06 (2) from my current employer. Because I've moved countries with them, I ended up falling in the category of needing to provide some bank/tax details. Of course, I wanted to log in with the silliest OS I could think of to test/mess with the tracking dashboard, and so somehow I managed to enter my DOB wrong, which even further increased the back-and-forward and emails involved (I was in the project, so the Payroll peeps involved probably didn't hold it against me).
The re-calculation which led to the payment actually worked out that I had been underpaid in some calculations, but overpaid by far more (although still very, very little) in others. The company believed they couldn't offset, so all the fuss was for a tiny amount, which I felt I really wasn't owed anyway. Also unfortunate was that if any former employee didn't bother to claim the amount because it's so small it's not worth the fuss, it just leads to more work in follow-ups.
New Zealand Holidays Act is quite an interesting area in general, in a how-can-it-possibly-be-this-hard kind of way. I think it contributes to the reputation of NZ payroll being one of the trickiest in the world.
1) https://thespinoff.co.nz/business/27-06-2019/cheat-sheet-wha...
It is the former employees for up to 15 years that make the contacting step difficult. They all need to provide bank/tax details.
There are also some current employees who still have to provide details before they can be paid. The company I work for has a lot of people moving countries, and therefore tax jurisdictions. In addition, some employers decided it was worth asking if employees were prepared to voluntarily allow offsetting between the overpayments and the underpayments, as in some cases those were quite large.
I can understand not wanting to give large amounts of money where it effectively would just balance out, especially after spending staggering amounts on the recalculation itself. There are government departments that have been working on it for years (or perhaps worse, and paying consulting companies to work on it).
Edit: I should have said, I did see companies rounding all amounts up to some small amount, like $1, so your suggestion is good. It just doesn't save effort on recalculation, or much effort in getting people to dig the email out of their trash folder and provide their information to receive their $1.
> It is the former employees for up to 15 years that make the contacting step difficult. They all need to provide bank/tax details.
Give people 30 dollars extra on their way out, and only contact them when you used up that budget? (Should take care of the majority of cases?)
> Edit: I should have said, I did see companies rounding all amounts up to some small amount, like $1, so your suggestion is good. It just doesn't save effort on recalculation, or much effort in getting people to dig the email out of their trash folder and provide their information to receive their $1.
Oh, my suggestion was to do the calculation, as arduously as you describe, compare with what you already overpaid earlier voluntarily, and if the company is still in the green, then don't bother contacting anyone.
Or is that not possible?
I think what you're proposing probably would have worked for reducing the communication issues in the future for any employees who left after that. I didn't hear of anyone who did that, but that definitely doesn't mean it didn't happen. Likely no one thought of it because I would guess most people didn't expect it to take as long as it did to fix. That the people who left while the recalculation was going on would just be a few more compared to everyone who had left in the previous 7 or 10 or 15 years (I think different companies came to different opinions for the time period they needed to retrospectively fix).
There should be a white hat phishing service you can hire to target your elders. Then when they give up their social security number, someone shows up at their door with a big cake with all their personal details in frosting.
They train people not to click links and then someone in management is fucking stupid enough to pull "just send an email with a link" kind of crap instead of properly planning the communication in advance by telling people that there will be a survey, which company will be sending it, and when they should expect it - but that's just "too much work".
I would fire that kind of clown ass on the spot for not doing their job.
My company does this too by the way. Usually for external things like surveys they send a pre-email.
Greetings from AWS,
There are upcoming changes in how you will be receiving your AWS Invoices starting 9/18/2025. As of 9/18/2025, you will receive all AWS invoices from “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”. If you have automated rules configured to process invoice emails, please update the email address to “no-reply@tax-and-invoicing.us-east-1.amazonaws.com”.
This was brain dead. If I saw an email with that sender, I would think it was a scam. They had to walk it back.
For context, I get random other emails about things like Lambda runtime deprecation from “no-reply-aws@amazon.com” which looks a lot more official.
And “aws-marketing-email-replies@amazon.com”
Greetings from AWS,
We recently notified you about upcoming changes to AWS invoice emails (subject “Important – AWS Invoice e-mail address changes”). Based on customer feedback, we are reviewing this change to determine a better customer experience. The email you receive your AWS invoices from will not change on 09/18/2025, as originally communicated, and you will continue to receive all AWS invoices from the usual email address.
Sincerely, The Amazon Web Services Team
Nothing raises my suspicions quite like something calling itself "safe".
Ah yes, it's like a country having "democratic republic" in its name - if you have to say it, it's probably not true.
I usually use company-i-buy-from@mydomain.ninja whenever I make online purchases, and I had a guy from a small shop call me up and ask why I had an email with his company name in it. It took a good fifteen minutes to explain to him that I was legit and owned the domain. He was still reluctant in the end, but eventually ended the conversation with something along the lines of "it's your problem, not mine, if the parcel doesn't reach you because you used a fake email" :)
Never going to know what reaction I'm going to get.