Windows 10: New, very good, Gmail phishing attack in the wild

  1. Golden's Avatar
    Posts : 516
    macSierra, Windows 10 Pro x64, LinuxMint 18
       4 Weeks Ago #11

    Great explanation of authentication and its importance, @Kari

  2. Kari's Avatar
    Posts : 9,982
    Windows 10 Pro
       4 Weeks Ago #12

    Thanks Golden. I thought this was important.

    Because I use two-step authentication with, for instance, Google, no password leak such as the massive Yahoo leaks we have heard about recently would pose any risk of someone else accessing my accounts; no one except me gets into my Google accounts, even if I publicly posted my password here.

  3. Golden's Avatar
    Posts : 516
    macSierra, Windows 10 Pro x64, LinuxMint 18
       4 Weeks Ago #13

    Indeed - I use 2FA for my Apple, Google and Microsoft accounts.

  4. dencal's Avatar
    Posts : 1,526
    W10 Pro + W10 Preview
       4 Weeks Ago #14

    TairikuOkami said:
    In that case, you do not even need AV; you are a safe surfer. Then again, better safe than sorry. It is all about risk management. I have nothing to lose; I have not used AV nor a firewall for years, and it improves performance.
    TairikuOkami
    Three weeks ago you posted the above statement; now you are advising against two-factor authentication.
    To say it is irresponsible is putting it mildly.

  5.    4 Weeks Ago #15

    dencal said:
    TairikuOkami
    Three weeks ago you posted the above statement; now you are advising against two-factor authentication.
    To say it is irresponsible is putting it mildly.
    @TairikuOkami is an experienced user and in my opinion can manage the threats in his own way. This could only be irresponsible for inexperienced users. They can draw a lot of good conclusions from debates like this one.

    Thanks @Kari for the great explanation of the 2-step verification process. You really are a geek guru (and I'm serious about that).
    But I would like to add that this process doesn't eliminate the possibility of hackers gaining access to users' email. So stating that you can publish your email address online is a bit irresponsible too. So please, can you be a bit gentler to us humans?

  6. Kari's Avatar
    Posts : 9,982
    Windows 10 Pro
       4 Weeks Ago #16

    AndreTen said:
    But I would like to add that this process doesn't eliminate the possibility of hackers gaining access to users' email. So stating that you can publish your email address online is a bit irresponsible too. So please, can you be a bit gentler to us humans?
    Could you please educate and civilize me and tell me how, for instance, you could access my Google or Microsoft account if you knew my password, given that I have two-step authentication enabled, which asks for the security / verification code at every sign-in from a device I have not accepted as trusted?

    You don't have to go into details; just tell me the method you would use to get the verification code.

    Sincerely,

    Kari

  7.    4 Weeks Ago #17

    Kari said:
    Could you please educate and civilize me and tell me how, for instance, you could access my Google or Microsoft account if you knew my password, given that I have two-step authentication enabled, which asks for the security / verification code at every sign-in from a device I have not accepted as trusted?

    You don't have to go into details; just tell me the method you would use to get the verification code.

    Sincerely,

    Kari
    It happens in the context of this thread's title. First you get a social attack (mail with an attachment) and, if you are not careful, you end up on a Gmail login page (as in the description of this attack).

    This doesn't apply to you, as you would never put info into those fields...
    A user can put info into the Gmail login page; after that the bad guys intercept that info and try to log in to the real Gmail account. Now, there are at least two possibilities for you to give them the access code.

    1. The code in that text attachment could also contain a keylogger - you know the rest.

    2. If they can reproduce the first login page, what stops them from reproducing a false code-interception page too?

    One of these methods has already been used by bad guys; the other just came to mind... And if I can think of some methods, you can imagine what hackers could think of...

  8. Kari's Avatar
    Posts : 9,982
    Windows 10 Pro
       4 Weeks Ago #18

    AndreTen said:
    One of these methods has already been used by bad guys; the other just came to mind... And if I can think of some methods, you can imagine what hackers could think of...
    Keyloggers do not help to access accounts with two-step authentication, simply because all codes are for single use. I have no issue with you getting a code as soon as I have used it, because it is no longer valid. You simply have no chance to get my codes; that's the point. Not with keyloggers. The only chance would be to physically get hold of my phones.

    I want to stress the importance and security of two-step authentication, therefore I suggest the following:

    If you are up to it, I'll send you valid credentials (complete email address and password) to one of my Microsoft accounts. I prove it to you first in a private online live meeting that username and password are valid. I will also prove later, after your agreed time to try to hack into my account that I have not accessed the account in the meantime and changed the password. I will save a valid, original Windows 10 PRO product key in a text file in OneDrive of that account.

    You have then let's say a month to try to access that account. If you can manage it, you can keep the Windows license found in OneDrive. If not, you'll provide one Windows 10 PRO license for me.

    OK?

    Kari

  9.    4 Weeks Ago #19

    Kari said:
    Keyloggers do not help to access accounts with two-step authentication, simply because all codes are for single use. I have no issue with you getting a code as soon as I have used it, because it is no longer valid. You simply have no chance to get my codes; that's the point. Not with keyloggers. The only chance would be to physically get hold of my phones.

    I want to stress the importance and security of two-step authentication, therefore I suggest something:

    If you are up to it, I'll send you valid credentials (complete email address and password) to one of my Microsoft accounts. I will prove to you first, in a private online live meeting, that the username and password are valid. I will also prove later, after your agreed time to try to hack into my account, that I have not accessed the account in the meantime and changed the password. I will save a valid, original Windows 10 PRO product key in a text file in the OneDrive of that account.

    You then have, let's say, a month to try to access that account. If you can manage it, you can keep the Windows license found in OneDrive. If not, you'll provide one Windows 10 PRO license for me.

    OK?

    Kari
    No way, Kari.

    You missed the point that this is a social attack. I don't have to gain access to your PC (and I admit that the keylogger thing was my thought - bad, though). The other variant has been used before. You get the code and you are using it, but you don't use it for the real account; you type it into a fake page (like the first one).
    You are right, a code can only be used once.

    To be clear, 2-step verification is by miles safer than single-step. But it doesn't eliminate threats completely. And this is also dangerous: giving a false feeling of total safety.
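    Kari's point in #18 (each code is single-use) and AndreTen's reply in #19 (a code that has not yet been redeemed is still accepted once, wherever it was typed) both come down to how the verifying server treats time-based one-time codes. The following is an added example for this thread, not code from the forum, Google or Microsoft: a minimal RFC 6238 (TOTP) verifier written here that enforces single use with a replay cache. The shared secret is the sample key from RFC 6238's test vectors, and the timestamps, drift window and digit count are constructed values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check that accepts each time-step's code at most once.

    `window` is how many 30-second steps of clock drift are tolerated on
    either side of 'now'. Counters that have already been redeemed are
    remembered, so the same code cannot be replayed: that is the single-use
    property Kari relies on. It does not, by itself, tell the server who
    typed an as-yet-unused code, which is AndreTen's point.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.used = set()  # time-step counters already redeemed

    def verify(self, code: str, now: int) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits before
        # comparing, so compare_digest always sees two same-type strings.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        counter = now // self.step
        # Drop counters too old to ever be accepted again; keeps the set bounded.
        self.used = {c for c in self.used if c >= counter - self.window}
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                if candidate in self.used:
                    return False  # replay of a code that was already redeemed
                self.used.add(candidate)
                return True
        return False


def demo() -> dict:
    """Walk through first use, replay and drift with constructed inputs."""
    secret = b"12345678901234567890"  # RFC 6238 sample key (constructed input, not a real account secret)
    verifier = TotpVerifier(secret)
    code = totp(secret, at=59)  # what the authenticator app would show at t=59 s
    return {
        "first_use": verifier.verify(code, now=59),          # accepted once
        "replay_same_step": verifier.verify(code, now=59),   # rejected: already redeemed
        "replay_next_step": verifier.verify(code, now=75),   # still rejected inside the drift window
        "wrong_code": verifier.verify("000000", now=59),     # rejected: no counter matches
    }


if __name__ == "__main__":
    print(demo())
```

    The replay cache is what makes a captured code worthless after the owner has used it, exactly as Kari says. What the verifier cannot do is distinguish the first redemption by the account owner from a first redemption by someone who relayed it within the same window, which is the residual gap AndreTen describes; on the service side that gap is covered by the new-device notifications and account lock that Kari's later post (#20) describes, not by the code check itself.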

  10. Kari's Avatar
    Posts : 9,982
    Windows 10 Pro
       4 Weeks Ago #20

    AndreTen said:
    You get the code and you are using it, but you don't use it for the real account; you type it into a fake page (like the first one).
    My point: let's say one of these days I do something stupid (it happens, take my word for it, depending on the amount of whisky I have consumed that day). Let's say I open a phishing site like the one in question and enter my email address, password and a single-use security code.

    What happens? Nothing, because that code was used and is no longer valid. If the scammer would then contact Microsoft pretending to be me, saying he / she has forgotten the password and the phone was stolen but he needs to access the account, or clicked "I have forgotten password" and then selected "I can't access any of those" when the list of verification options was shown, the account would immediately be locked for 30 days and I would receive an email about it at my primary verification email, plus a text message to the phone the scammer said had been stolen. Those messages would contain a link for me to sign in, verify my identity, reset the password and re-open the account.

    Only if I did not react within this 30-day period would the scammer gain access to my account.

    Kari
