New, very good, Gmail phishing attack in the wild


  1. Posts : 17,661
    Windows 10 Pro
       #31

    AndreTen said:
    As the word stupid became so popular with you and dencal...
    I use the S word to stress the fact that not using Two-Step Authentication is just that.

    I have some difficulty understanding your apparent and pointless need to undermine that fact. Somewhat tired of your "yes, but..." I am unsubscribing from this thread after posting this; feel free to post the next "yes, but..." for other members to read, I will not see it.


    DavidY said:
    My understanding was that Microsoft's own Authenticator app uses the same algorithm as Google Authenticator.
    I only have the Windows Phone 7.5 version (so it's possible this compatibility has been removed now), but my old phone still let me login to my Google account when I tested it just now with the Microsoft Authenticator I have.
    As far as I know you can't get Google verifications to work in latest Microsoft Authenticator app in Windows Phone 8 or Windows 10 Mobile, but in all honesty I have to say I haven't even tried it.

    Kari


  2. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #32

    Kari said:
    As far as I know you can't get Google verifications to work in latest Microsoft Authenticator app in Windows Phone 8 or Windows 10 Mobile, but in all honesty I have to say I haven't even tried it.
    I think the one I use is probably this Authenticator
    For my phone, the Azure authenticator and this app are separate - I understand Microsoft has merged the two into one with the latest app.

    I don't know if this means they've changed the algorithm for non-Azure accounts, but given the Microsoft accounts can also use both the old and presumably the new app, one would imagine it's the same algorithm as before, which would suggest it might work with Google?

    Edit: This suggests the new MS Authenticator should still work with Google, Facebook etc.
    Big Changes Coming to Microsoft Authenticator Apps - Thurrott.com
    UPDATE: It's great news. Microsoft tells me that its new Authenticator apps will in fact work with any online account that supports MFA.

    @Alex_A_Simons: @thurrott Just read your article. Microsoft Authenticators will support OATH at GA! I use with Facebook & Google all the time now.


  3. Posts : 16,325
    W10Prox64
       #33

    I think this is a good discussion/topic, and sorry to see Kari has unsubscribed....

    Just thinking out loud:
    If someone were a victim of a MIM (man-in-the-middle) attack, stealing the active cookie session, I think it's then possible to spoof the session, and access an account (even one that's protected with 2FA), at least long enough to do some major damage. I'm not sure exactly how it's done, but it appears to be possible (in my mind).

    Just food for thought... :)


  4. Posts : 3,105
    W10 Pro + W10 Preview
       #34

    simrick said:
    I think this is a good discussion/topic, and sorry to see Kari has unsubscribed....

    Just thinking out loud:
    If someone were a victim of a MIM (man-in-the-middle) attack, stealing the active cookie session, I think it's then possible to spoof the session, and access an account (even one that's protected with 2FA), at least long enough to do some major damage. I'm not sure exactly how it's done, but it appears to be possible (in my mind).
    Just food for thought... :)
    If it's done from an unrecognised computer... it would require phone code authentication.


  5. Posts : 5,452
    Windows 11 Home
       #35

    Kari said:
    authentication when set up correctly never means you lose access to your emails and / or account.
    I did and consequences were severe for me. 2FA is great, in theory, just like relying on AV to detect malware.

    Kari said:
    One personal recommendation to you, polite and in all friendliness: It is never a good idea to post anything that could be taken as advice on subjects you know nothing about.
    That is exactly why I have posted it, people should know about the risks. I have seen too many people lose access to their emails, even business ones, because they have followed the common advice and decided to use it. The only advice I could have offered them was to think twice about using it again. Nothing is perfect.

    It is called 2FA for a reason, you need to provide 2 authentications to access your email, if you lose either, you are damned. If you could gain access with just one, then it would be pointless, it is fairly simple to understand.

    Kari said:
    Not using Two-Step Authentication (also known as Two Factor Authentication, TSA, 2FA) to protect your online accounts is not only dangerous but also extremely stupid in today's online world full of scammers trying to get into your accounts.
    Do you realize that in many countries you can get a replacement phone number without providing ID? Not to mention that faking a phone number to get SMS has been PoC'd way too many times.

    AndreTen said:
    Picture is in the first post.
    AndreTen said:

    That does not show the important part, since some browsers show the certificate on the right side.
    Last edited by TairikuOkami; 20 Jan 2017 at 08:24.


  6. Posts : 30,603
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #36

    TairikuOkami said:
    I did and consequences were severe for me. 2FA is great, in theory, just like relying on AV to detect malware.


    That is exactly why I have posted it, people should know about the risks. I have seen too many people lose access to their emails, even business ones, because they have followed the common advice and decided to use it. The only advice I could have offered them was to think twice about using it again. Nothing is perfect.

    It is called 2FA for a reason, you need to provide 2 authentications to access your email, if you lose either, you are damned. If you could gain access with just one, then it would be pointless, it is fairly simple to understand.


    Do you realize that in many countries you can get a replacement phone number without providing ID? Not to mention that faking a phone number to get SMS has been PoC'd way too many times.


    That does not show the important part, since some browsers show the certificate on the right side.
    You didn't check the link I posted in the first post. Here is part of it:

    This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

    There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.
    As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘https://accounts.google.com….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.
    You are probably thinking you’re too smart to fall for this. It turns out that this attack has caught, or almost caught several technical users who have either tweeted, blogged or commented about it. There is a specific reason why this is so effective that has to do with human perception. I describe that in the next section.
    How to protect yourself

    When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

    Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
    Enable two factor authentication if it is available on every service that you use. GMail calls this "2-step verification" and you can find out how to enable it on this page.
    Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However, I have not seen a proof of concept, so I cannot confirm this.
    There is also news on ghaks.net
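As an added example (not code from this thread or from the Wordfence article quoted above), the JavaScript below does programmatically what the quoted advice asks you to do by eye: parse the location-bar text, require the https scheme and the expected hostname, and specifically flag a data:text/html URI whose payload merely contains a Google-looking address. The expected-host list, the function name and the sample strings are assumptions constructed for the demo.

```javascript
// Hosts we expect in the location bar when signing in to Gmail/Google.
// Assumption for this demo; a real check would carry the sites you use.
const EXPECTED_HOSTS = new Set(["accounts.google.com"]);

// Inspect one location-bar string the way the quoted advice tells you to:
// scheme first, then hostname. Returns a verdict object rather than printing,
// so the result can be asserted on.
function inspectLocation(href, expectedHosts = EXPECTED_HOSTS) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, scheme: null, host: null, reason: "not a parseable URL" };
  }
  const scheme = url.protocol.replace(/:$/, "");
  const host = url.hostname.toLowerCase();

  if (scheme === "data") {
    // For a data: URI the WHATWG parser gives an empty hostname; everything
    // after the comma is page content, not a location. The phishing page puts
    // a string beginning with https://accounts.google.com there so a glance at
    // the bar reads like a real address. Report whose name it is borrowing.
    const body = url.pathname.slice(url.pathname.indexOf(",") + 1);
    const lookalike = /https?:\/\/([^\s/?#]+)/i.exec(body);
    return {
      ok: false,
      scheme,
      host: null,
      reason: lookalike
        ? "data: URI whose payload impersonates " + lookalike[1]
        : "data: URI in the location bar",
    };
  }
  if (scheme !== "https") {
    return { ok: false, scheme, host, reason: "scheme is not https" };
  }
  if (!expectedHosts.has(host)) {
    return { ok: false, scheme, host, reason: "unexpected host " + host };
  }
  return { ok: true, scheme, host, reason: "https and expected host" };
}

// Constructed samples mirroring the article's description (not real captures).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail <script>fake()</script>",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin",
];
for (const s of SAMPLES) console.log(inspectLocation(s).ok ? "OK  " : "BAD ", inspectLocation(s).reason);
```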


  7. Posts : 5,452
    Windows 11 Home
       #37

    AndreTen said:
    There is also news on ghaks.net
    That is, what I was looking for, thanks. :)

