New, very good, Gmail phishing attack in the wild


  1. Posts : 1,656
    Windows 10 Pro x64
       #11

    Great explanation of authentication, and its importance @Kari


  2. Posts : 17,661
    Windows 10 Pro
       #12

    Thanks Golden. I thought this is important.

    Because I use two-step authentication with, for instance, Google, no password leak like the massive Yahoo leaks we have heard about recently would pose any risk of someone else accessing my accounts; no one except me gets into my Google accounts, even if I publicly posted my password here.


  3. Posts : 1,656
    Windows 10 Pro x64
       #13

    Indeed - I use 2FA for my Apple, Google and Microsoft accounts.


  4. Posts : 3,105
    W10 Pro + W10 Preview
       #14

    TairikuOkami said:
    In that case, you do not even need AV, you are a safe surfer. Then again, better be safe than sorry. It is all about risk management; I have nothing to lose. I have not used AV nor a firewall for years, it improves performance. :)
    TairikuOkami
    Three weeks ago you posted the above statement, now you are advising against two factor authentication.
    To say it is irresponsible is putting it mildly.


  5. Posts : 30,579
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #15

    dencal said:
    TairikuOkami
    Three weeks ago you posted the above statement, now you are advising against two factor authentication.
    To say it is irresponsible is putting it mildly.
    @TairikuOkami is an experienced user and in my opinion can manage the threats in his own way. This could only be irresponsible for inexperienced users. They can draw a lot of good conclusions from debates like this one :)

    Thanks @Kari for the great explanation of the 2 step verification process. You really are a geek Guru (and I'm serious about that).
    But I would like to add that this process doesn't eliminate the possibility of hackers gaining access to users' email. So stating that you can publish your email address online is a bit irresponsible too. So please, can you be a bit gentler to us humans.


  6. Posts : 17,661
    Windows 10 Pro
       #16

    AndreTen said:
    But I would like to add that this process doesn't eliminate possibility for hackers gaining access to users email. So stating that you can publish your email address online is a bit irresponsible too. So please can you be a bit gentler to us humans.
    Could you please educate and civilize me and tell me how, for instance, you could access my Google or Microsoft account if you knew my password and I had two-step authentication enabled, which asks for the security / verification code at every sign-in from a device I have not accepted as trusted?

    You don't have to go into details, just tell me the method you would use to get the verification code.

    Sincerely,

    Kari


  7. Posts : 30,579
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #17

    Kari said:
    Could you please educate and civilize me and tell me how, for instance, you could access my Google or Microsoft account if you knew my password and I had two-step authentication enabled, which asks for the security / verification code at every sign-in from a device I have not accepted as trusted?

    You don't have to go into details, just tell me the method you would use to get the verification code.

    Sincerely,

    Kari
    It happens in the context of this thread title. First you get a social attack (mail with attachment), and if you are not careful you get to a Gmail login page (like in the description of this attack).

    This doesn't apply to you, as you would never put info into those fields...
    A user can put info into the Gmail login page; after that the bad guys intercept that info and try to log in to the real Gmail account. Now, there are at least two possibilities for you to give them the access code..

    1. the code in that text attachment could also contain a keylogger - you know the rest

    2. if they can reproduce the first login page, what stops them from reproducing a false code interception page too??

    One of these methods has already been used by bad guys, the other just came to mind... And if I can think of some methods, you can imagine what hackers could think of...


  8. Posts : 17,661
    Windows 10 Pro
       #18

    AndreTen said:
    One of these methods has already been used by bad guys, the other just came to mind... And if I can think of some methods, you can imagine what hackers could think of...
    Keyloggers do not help to access accounts with two-step authentication, simply because all codes are for single use. I have no issues with you getting a code as soon as I have used it, because it is no longer valid. You simply have no chance to get my codes, that's the point. Not with keyloggers. The only chance would be to physically get hold of my phones.

    I want to stress the importance and security of two-step authentication, therefore I suggest the following:

    If you are up to it, I'll send you valid credentials (complete email address and password) to one of my Microsoft accounts. I will prove to you first, in a private online live meeting, that the username and password are valid. I will also prove later, after your agreed time to try to hack into my account, that I have not accessed the account in the meantime and changed the password. I will save a valid, original Windows 10 PRO product key in a text file in the OneDrive of that account.

    You then have, let's say, a month to try to access that account. If you can manage it, you can keep the Windows license found in OneDrive. If not, you'll provide one Windows 10 PRO license for me.

    OK?

    Kari


  9. Posts : 30,579
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #19

    Kari said:
    Keyloggers do not help to access accounts with two-step authentication, simply because all codes are for single use. I have no issues with you getting a code as soon as I have used it, because it is no longer valid. You simply have no chance to get my codes, that's the point. Not with keyloggers. The only chance would be to physically get hold of my phones.

    I want to stress the importance and security of two-step authentication, therefore I suggest something:

    If you are up to it, I'll send you valid credentials (complete email address and password) to one of my Microsoft accounts. I will prove to you first, in a private online live meeting, that the username and password are valid. I will also prove later, after your agreed time to try to hack into my account, that I have not accessed the account in the meantime and changed the password. I will save a valid, original Windows 10 PRO product key in a text file in the OneDrive of that account.

    You then have, let's say, a month to try to access that account. If you can manage it, you can keep the Windows license found in OneDrive. If not, you'll provide one Windows 10 PRO license for me.

    OK?

    Kari
    no way Kari :)

    You missed the point that this is a social attack. I don't have to gain access to your PC (and I admit that the keylogger thing was my thought - bad though). The other variant has been used before. You get the code and you use it, but you don't use it for the real account; you type it into a fake page (like the first one).
    You are right, the code can only be used once.

    To be clear, 2 step verification is by miles safer than single. But it doesn't eliminate threats completely. And this is also dangerous - giving a false feeling of total safety.


  10. Posts : 17,661
    Windows 10 Pro
       #20

    AndreTen said:
    You get the code and you use it, but you don't use it for the real account; you type it into a fake page (like the first one).
    My point: let's say one of these days I do something stupid (it happens, take my word, depending on the amount of whisky I have consumed that day). Let's say I open a phishing site like the one in question and enter my email address, password and a single-use security code.

    What happens? Nothing, because that code was used and is no longer valid. If the scammer then contacted Microsoft pretending to be me, saying he / she has forgotten the password and the phone was stolen but needs to access the account, or clicked "I have forgotten password" and then selected "I can't access any of those" when the list of verification options was shown, the account would immediately be locked for 30 days and I would receive an email about it at my primary verification email, plus a text message to the phone the scammer said had been stolen. Those messages would contain a link for me to sign in, verify my identity, reset the password and re-open the account.

    Only if I did not react within this 30 day period would the scammer gain access to my account.

    Kari
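The two cases argued in this exchange can be simulated against a minimal time-based one-time-code verifier. This is an added example, not code from the thread or from any of the posters: the secret and timestamps are constructed values, and the verifier follows RFC 6238 defaults (30 s step, 6 digits, one step of clock skew) rather than any particular vendor's implementation.

```python
import hashlib, hmac, struct

# Constructed demo secret; RFC 6238 defaults of a 30 s step and 6 digits.
SECRET = b"constructed-demo-secret-0123"
STEP, DIGITS = 30, 6

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP over a time-step counter, i.e. RFC 6238 TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

class Verifier:
    """Service side: each time step's code is accepted at most once (+/-1 step skew)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed = set()  # counters whose code has already been accepted

    def verify(self, code: str, now: float) -> bool:
        base = int(now // STEP)
        for counter in (base - 1, base, base + 1):
            if counter in self.consumed:
                continue  # single use: a consumed code is never accepted again
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.consumed.add(counter)
                return True
        return False

def replay_after_use(now: float) -> tuple:
    """Kari's case: the owner signs in first; the captured code is replayed later."""
    v = Verifier(SECRET)
    code = totp(SECRET, int(now // STEP))
    owner_ok = v.verify(code, now)        # genuine sign-in consumes the code
    replay_ok = v.verify(code, now + 5)   # replaying the same code fails
    return owner_ok, replay_ok

def relay_before_use(now: float) -> tuple:
    """AndreTen's case: the code typed into a fake page reaches the real service
    before the owner uses it. The verifier sees a fresh, valid code and cannot
    tell who typed it; the single-use rule then refuses the owner instead."""
    v = Verifier(SECRET)
    code = totp(SECRET, int(now // STEP))
    relayed_ok = v.verify(code, now + 2)  # first presentation wins
    owner_ok = v.verify(code, now + 5)    # owner's own attempt is now refused
    return relayed_ok, owner_ok

if __name__ == "__main__":
    T = 1_700_000_000.0  # constructed timestamp
    print(replay_after_use(T), relay_before_use(T))  # (True, False) (True, False)
```

Both scenarios return (True, False): single use stops a code that has already been spent, but it gives the service no way to distinguish the account owner from whoever presents an unspent code first.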

