- Mar 2023
-
blog.cmpxchg8b.com blog.cmpxchg8b.com
-
The problem with using SMS-2FA to mitigate this problem is that there’s no reason to think that after entering their credentials, they would not also enter any OTP.
-
I assume anyone interested in this topic already knows how phishing works, so I’ll spare you the introduction. If a phishing attack successfully collects a victim's credentials, then the user must have incorrectly concluded that the site they’re using is authentic.
-
If you also want to eliminate phishing, you have two excellent options. You can either educate your users on how to use a password manager, or deploy U2F, FIDO2, WebAuthn, etc. This can be done with hardware tokens or a smartphone.
-
- Mar 2022
-
-
Can we get hacked by visiting an infected website? Unfortunately, we can always be hacked when visiting an infected website. Due to the existence of a number of vulnerabilities on the web, visiting websites has always been dangerous over the years. Moreover, with the advent of JavaScript, infecting with a malicious virus became easier.
-
- Jul 2021
-
security.stackexchange.com security.stackexchange.com
-
Assuming that people trust your site, abusing redirections like this can help avoid spam filters or other automated filtering on forums/comment forms/etc. by appearing to link to pages on your site. Very few people will click on a link to https://evilphishingsite.example.com, but they might click on https://catphotos.example.com?redirect=https://evilphishingsite.example.com, especially if it was formatted as https://catphotos.example.com to hide the redirection from casual inspection - even if you look in the status bar while hovering over that, it starts with a reasonable looking string.
-
- Feb 2021
-
stackoverflow.com stackoverflow.com
-
that's a point, but I would say the opposite, when entering credit card data I would rathre prefer to be entirely in the Verified By Visa (Paypal) webpage (with the url easily visible in the address bar) rather that entring my credit card data in an iframe of someone's website.
-
- May 2020
-
krebsonsecurity.com krebsonsecurity.com
-
golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.
Golden rule of talking to your bank
-
“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
Phishing situation scenario:
- a person is called by attackers who identify as his bank
- the victim tell them to hold the line
- in the meantime, the victim calls his bank representative who confirms after a while that he is with them on another line
- in reality, the another line is done by attackers pretending to be him
-
- Apr 2020
-
guides.rubyonrails.org guides.rubyonrails.org
-
In December 2006, 34,000 actual user names and passwords were stolen in a MySpace phishing attack. The idea of the attack was to create a profile page named "login_home_index_html", so the URL looked very convincing. Specially-crafted HTML and CSS was used to hide the genuine MySpace content from the page and instead display its own login form.
-
- Apr 2019
-
gizmodo.com gizmodo.com
-
Per a Wednesday report in Business Insider, Facebook has now said that it automatically extracted contact lists from around 1.5 million email accounts it was given access to via this method without ever actually asking for their permission. Again, this is exactly the type of thing one would expect to see in a phishing attack.
Facebook are worse than Nixon, when he said "I'm not a crook".
-
-
www.thedailybeast.com www.thedailybeast.com
-
Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”A form below the message asked for the users’ “email password.”
So, Facebook tries to get users to give them their private and non-Facebook e-mail-account password.
This practice is called spear phishing.
-
- Apr 2017
-
www.wordfence.com www.wordfence.com
-
Phishing attack that uses Unicode characters to fake a domain name.
The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.
What we have done above is used ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.
-