
Phishing attacks that bypass 2-factor authentication are now easier to execute - LinuxBender
https://www.csoonline.com/article/3399858/phishing-attacks-that-bypass-2-factor-authentication-are-now-easier-to-execute.html
======
devy
> The presence of an TLS/SSL indicator and a valid certificate are not enough
> to consider a website is legitimate because certificates can now be easily
> obtained for free, so most phishing sites will be HTTPS-enabled.

That's untrue for sites implemented with trust-on-first-use techniques like
HTTP Public Key Pinning(HPKP). Also even though TLS certificates are easier to
acquire these days, it's still a good way to tell proxy HTTPS site by checking
the "domain name" or "subjective alternative names" fields on the TLS
certificate to verify identity. Additionally, all TLS certificates are logged
to Certificate Transparency logs that's available publically.

~~~
LinuxBender
Very few companies use HPKP, for fear of bricking their site / business. Even
fewer people view the cert details of a site when they are being phished. The
transparency logs will show the host the attacker used to make the cert,
though attribution is rare, as they often use stolen CC's to pay for the VM's.

