It turns out that halfway clever phishing attacks really, really work


#1

Originally published at: http://boingboing.net/2017/01/13/it-turns-out-that-halfway-clev.html


#2

tl:dr: Check the address bar when you click on a link Make sure it starts with 'https://" (in green, with a lock icon)

Something’s wrong if you see “data:text/” at the start, rather than a secure URL

It’s an interesting trick the hackers use to hide the address bar and to fool us into thinking that we’re going to a good address rather than the bad one they supplied.


#3

Gmail has 2 factor authentication. So if you are setup correctly the attacker will generate a bunch of codes texted to your phone because google doesn’t let someone log into your account from a new computer without the code.

Or… you know I guess someone who is to lazy to setup the security that protects them against this type of attack is the same kind of person that would fall for the attack to begin with… YMMV.


#4

Surprise, i don’t email with anyone. I think i’m safe


#5

Don’t hire an assistant who will forward these attacks to you.


#6

I wrote a “conversation starter” on a time sharing system back in the early 70s. It was like the cookie monster that asked for a cookie. If you left your terminal unattended someone would start this up and after a bit it would print out a message that looked like an instant message from one of the other users on the system. It was usually something like, “Thanks for the help.” or “What’s the command to …?” The kind of stuff people would tend to answer, even from a slightly unexpected source. I never expected to use it in the wild, but some friends of mine did and said it was surprisingly effective.


#7

2-factor auth + autofill password manager (also with 2-factor auth), means you get to mostly dodge these. :wink:


#8

It’s automated, the botnet AI these days is scary good.


#9

If I’m reading an email in gmail and there is an attachment that sends me to a link where I need to sign into gmail… I’d immediately be all WTF?


#10

I use iCloud password management and I think it keys off of the url’s domain. I’m hoping this mechanism cannot be fooled. Except… Apple.

Hmmm.

Okay, I’m going to have to re-think my entire security model.


#11

The phone-based 2 factor is better than nothing; in that any given code is only good for 60 seconds or so; but if you are tricked into trying to log into a phishing page, the attacker gets your password and your code, and can pass them through to authenticate. They may not bother, depending on what the percentage of users who bother is; but cryptographic fobs are where it’s at.


#12

Trying to email some people to warn them about these phishing attacks, but I’m having trouble entering my login info… can’t click into the email address box:


#13

That’s easy to solve, let me help you. Can you give me your network IP and router password? I just need to check your internets, nothing nefarious here.[/s]


#14

Nothing to stop the phisher throwing up page with https.


#15

Just being asked to log in would make me immediately suspicious. I mean, I was just logged in reading my email. Why is this here?

Or am I misunderstanding the mechanism?


#16

My friends have long since learned to ignore any emails I send out with the subject line, “Have a look at this, it really shows how wrong you were”


#17

Some of us access g-mail through non-web clients (Apple Mail in my case).
Still, if i got one of these, i’d open up another window and open g-mail there to see whether i got automatically signed in as expected, showing the scam to be what it is.


#18

Sure, but you need to do that every time, without fail. And not just you, but everyone has to do it every time.

When you’re tired, hungry, distracted, drunk, stoned, watching TV, working to a tight deadline, dealing with a migrane, being harassed by the kids to play or the dog wanting to go for a walk.

Every.
Time.


#19

I leave gmail open continuously in a browser tab while I’m working. Every once in a while (days apart) it logs itself out, and goes back to the login display. That behavior is sucker bait for credential stealing. So yeah, I like the two factor check a lot.


#20

The 2FA Google uses also sets up “primary” accounts that, when you sign in to a new device, prompts the existing ones as a “so, did you actually do that?” and you can say yes or no.

Most people don’t like this level of “annoyance.” I don’t like the idea of accounts becoming compromised.