[josephcsible]

> By default, we encode this snippet so that an attacker eyeballing a plundered MySQL dump file doesn’t spot it immediately.

But if you're looking at the dump file, isn't their encoded version itself super suspicious looking?

[mh_]

You can wave the encoding away (with a tick-box) but in general, people over-estimate what attackers will "notice". In cases like this, many are as desperate to get the loot as users are when they get phished. dialogue boxes and browser warning fade into the background as they hit "accept" to move closer to their goal.