
We Got Phished - juanplusjuan
https://www.exploratorium.edu/blogs/tangents/we-got-phished-2
======
ryanobjc
2 factor authentication is key here. The YubiKey is a gold standard for
business - no one should do serious business without it!

For everyone else, I think the new 2fa Google App approach is better. When you
go to login, your Google App pushes a notification to your phone and you have
to click on it. This raises the bar to doing a simultaneous login, which isn't
impossible, but even if it weeds out a large number of attacks for now, it's
worth it!

~~~
laurencei
Does 2 factor prevent phishing though?

If I was going to do a Google Phishing page - I would take the username +
password that the user supplied into MY fake page, and POST/CURL that to the
Google login.

If Google returns asking for a 2factor to MY fake, I would display the 2
factor prompt to the user, and get them to type the 2-factor into my page,
which I would pass back to Google.

Basically you can use a phishing page as a MITM attack.

When you auth against Google with 2-factor, there is a "remember this
computer" option - giving the attacker at least 30 days of access to your
email without needing a further 2-factor code.

So if the person is tricked enough to type their username+password into a fake
google page, they are just as likely to follow through with their 2-factor
code.

~~~
acdha
This is where the type of MFA matters a lot: with a TOTP code, that phishing
attack will be successful.

With U2F, however, a per-host keypair is generated during the setup process
and the public key is given to the remote server. Critically, the hostname as
seen by your browser is part of the key identifier: see
[http://security.stackexchange.com/a/71704/311](http://security.stackexchange.com/a/71704/311)

That means that in the future, even if someone convinces you to visit their
phishing site and activate the token, the login attempt will still fail
because the hostname as seen by the browser won't match a key on the token.

~~~
cryptarch
But can't the phisher just visit Google and log in there with 2FA, while
receiving the 2FA code from the fake site?

This only requires the user not to read the URL and match it to the URL in the
Google Authenticator app (as far as I can see right now).

~~~
autocracy
It depends on which 2FA method you use, and there's an associated time window.
The TOTP method (Google Authenticator App) of a rotating number must be used
within a window of at most a few minutes -- new numbers are generated every 30
seconds, so they could use that if they logged in immediately.

If you use U2F, then the domain name difference will mean that the U2F key can
never match unless the attacker has control over DNS and is issued a
Google.com SSL certificate by an authority the target's computer trusts.

------
ivank
Google provides a Chrome extension that alerts you (and an administrator) if
you accidentally enter your Google password on a site that isn't
accounts.google.com: [https://github.com/google/password-alert](https://github.com/google/password-alert)

~~~
matthewcford
It doesn't seem to work on the kind of phishing attacks I've seen which use an
iframe.

------
wingless
I use Lastpass and I just realized that it prevents phishing since it
autocompletes my login info based on the domain.

~~~
zeveb
Which is yet another reason (not that we needed one) why those pages which try
to prevent autocomplete of passwords are wrong, wrong, _wrong_.

~~~
loeg
While I also don't like sites breaking autocomplete, LastPass' "Show matching
sites" dropdown only lists accounts valid for the current domain. So a very
similar protection is available even without autocomplete.

------
tikhonj
This article seems great at describing how phishing actually works in
practice, especially to people without much exposure to technology. I've gone
through at least a couple of training emails from IT departments about
phishing, and this was way more effective. A realistic case-study with a
really clear description is valuable!

This article could definitely augment the anti-phishing education at your
organization—the only downside is that it's a bit long, so busy people
probably won't want to read it :/.

~~~
brachi
Education is key. A great way to do that is with
[http://phishme.com/](http://phishme.com/), where you can also assess how
vulnerable you'd be. The bad thing is that convincing an IT department to use
it and maybe embarrass other people, especially technical, is hard.

------
nmc
The beginning of the story is missing. PZ clicked on the link in the email
because it was _" received [...] from a familiar mailing list"_.

Did PZ trust a mailing list where anyone could post? Or did the attackers
spoof the "from" field? The former may have been prevented by employee
training, the latter by SPF or similar technologies.

~~~
phn
Or it could come from an already infected account, which might make the e-mail
even less suspicious.

~~~
nmc
Yes but this would just mean an even bigger part of the story is missing — how
that one got compromised.

~~~
pauldancstep
Hi, I'm the author of that blog post. The backstory is that, indeed, the
"familiar mailing list" had been compromised; the attack was conveyed to us in
much the same way as we passed it on to others.

------
the_watcher
Kudos to Exploratorium for sharing. Hopefully they're able to find a way to
use it in their educational exhibits.

~~~
mathgenius
Yeah it is really good, and I'd like to post it on my fb, but it says nothing
about how to protect against phishing, i.e. check the url. (Even that I'm not
so sure about.)

------
BoysenberryPi
Many people won't check the url when signing in if everything looks to be on
the up and up. This is why I really liked one of the things Yahoo did which
was create a sign-in seal. Every time you signed in Yahoo would display a
custom image that you set and if that image wasn't there then something was
probably wrong.

~~~
makmanalp
Here's some more info on that:
[http://security.stackexchange.com/questions/19155/effectiveness-of-security-images](http://security.stackexchange.com/questions/19155/effectiveness-of-security-images)

~~~
BoysenberryPi
That's incredible. Not sure if I underestimated hackers' ingenuity or
underestimated how gullible people are.

~~~
throwthisawayt
I don't think it's gullible for a user to proceed when they see a site missing
an image, I think it's gullible that an engineer expects that the user would
notice without any actual evidence. Seems like a cardinal sin of engineering -
don't assume your users will behave a certain way.

------
Raphmedia
We also got hit by this a few months back. It also got sent to all of our
company's contacts. We had to mail all of them back and lost face.

One hour in or so Google made it so that the emails (even those already
received and opened) were blocked. It helped to mitigate the issue. Most of
the outside contacts that would have received the mail received it in their
spam.

We learned from it and have better security now.

------
registered99
> URL shortener, which IT reverse engineered with a URL expander

That's an interesting way to put it...

~~~
ASalazarMX
Wow, you're good. You easily reverse engineered their reverse engineering.

------
shawkinaw
It seems to me that browsers could be smarter about this kind of thing. Like,
"Hey, you just put your Gmail credentials into a non-Gmail login form, did you
really mean to do that?"

Obviously in the HN-type crowd, you know to always carefully check the URL of
links and form submissions. But I just don't know how realistic it is for that
to be expected of an average user.

~~~
Swizec
> Obviously in the HN-type crowd, you know to always carefully check the URL
> of links and form submissions. But I just don't know how realistic it is for
> that to be expected of an average user.

How often do you actually check super carefully? I'm pretty sure I'm not as
careful as I know I should be. Especially when busy and distracted and
thinking about other things.

~~~
shawkinaw
I always check email links carefully before clicking them. I'm a little more
lax about other ones though :)

------
arkitaip
Google needs to add some optional intelligence to Chrome so that when it comes
across a site with a design suspiciously similar to key Google URLs but on an
unrecognized URL, it should warn the user.

~~~
davidpatrick
You can use Google's AMP that is hosted on their domain, to host a redirect,
effectively using their domain to host the phishing attempt. Check the
screenshots on [http://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts](http://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts)

~~~
moduspwnens14
Don't those screenshots just show domains crafted deceptively to look like
Google domains? I don't see any legitimate Google ones.

> “We are approaching the point in this case where there are only two reasons
> for why people say there’s no good evidence,” Rid told me. “The first reason
> is because they don’t understand the evidence—because they don’t have the
> necessary technical knowledge. The second reason is they don’t want to
> understand the evidence.”

Is there anywhere we can see this evidence? Objectively I'm curious how an
attack which consisted of basic phishing was determined to be definitively
supported by the Russian government.

If they broke SHA-256 or coerced a Russian CA to generate a Google
certificate, I'd agree... but using bitly and decades-old "click this link to
reset your password" links? Come on.

~~~
dend
Notice in one of the last screenshots, the link actually points to a real
Google.com domain, but in the /amp/ destination, under which a tiny(cc) link
was hidden and therefore fetched the content that "seemed like" it came from
Google when Google merely acted as a CDN.

~~~
moduspwnens14
Ahh. I see it now. Pretty sneaky.

------
x0x0
I recently saw a link, that I unfortunately can't find, where someone senior
affiliated with Defcon or Black Hat nearly got phished. He was rushing packing
in the midst of a flurry of Amazon shipments to travel to some conference and
got a very well timed phishing email asking him to confirm some sort of
shipment details for Amazon. He fortunately noticed it was the wrong product,
but I seem to remember he had started typing his info already.

If someone like that can get nearly fooled, there's little hope for the rest
of us or our families.

It's time to give up preventing phishing and start working on amelioration.

ps -- if anybody knows the story I'm talking about, I'd love the link.

------
misiti3780
2-factor would have prevented this - no ?

~~~
agwa
Only if you use a U2F hardware token. 2FA using SMS or a smartphone app merely
raises the bar for phishing: the attacker can forward the password along to
the real service, prompt the user for the 2FA code, forward that along too,
and then get a session cookie which they can use to access the account later.

~~~
Throwaway23412
I've been thinking about buying a YubiKey. Could you elaborate on how U2F
protects against MitM and phishing?

~~~
agwa
U2F knows what domain you're using it with, and won't send an authentication
token for google.com to phisher.com.

~~~
k_sh
A password manager will do the same thing for you.

(I'm not arguing that PMs are >= to hardware 2FA, but they both will keep this
exact thing from happening)

~~~
agwa
Indeed it will. In fact, I'm not convinced U2F adds any meaningful security
over a good password manager.

~~~
closeparen
You know when your U2F device has been stolen because it's not in your
possession anymore. The hardware is meant to be at least tamper-evident, if
not tamper-resistant, so an attacker can't just steal the internal secret and
put the device back where they found it.

Bytes in a password manager are hard to steal, but if you do steal them, the
legitimate owner won't necessarily ever know.

------
callesgg
At my company we get these things 2-3 times a year. Surprisingly many people
understand that there is something fishy. But "Surprisingly many" is not
enough.

2FA is not enough here: a user who does not have the required knowledge to see
what is phishing and what is not will most likely enter the 2FA key, giving the
bad guys the auth tokens anyway.

~~~
ryanobjc
That's why the YubiKey is important - it does its own verification of the site.
You can't MITM it.

~~~
mackmgg
Newer Yubikeys support U2F, which I haven't seen any way to phish yet, but the
Yubikey protocol is still possible to phish.

To do this, the fake login page says that the token was incorrect the first
time (which would possibly alert some people, but certainly not everyone), and
then when the user submits a second token, the phishing site sends the first
one to the real site. They now have an unused token which can be used up until
the user logs into another website (thus invalidating the 'unused' one).

------
heartsucker
> What makes an attack like this so effective is that you never expect to see
> something as convincing as this

I've been working on phishing and counter-phishing recently, and if someone is
actually putting any effort in, you have to expect something like this. Very
legitimate looking email, the correct signature (complete with up to date
font/logo), and a virtually perfect copy of the login page to whatever service
they're using. All of this, even just to target a single person, is under 8
hours of work, which is to say, it's a simple task for someone who really
wants to phish you.

The article mentions having an IDS and disaster recovery plans, and this is
the best you can hope for as pretty much everyone is susceptible to this, and
AI still can be beaten.

Source: I've done this, beaten Gmail's anti-scam filters, and phished CTOs.

~~~
tomjen3
Then you may be able to answer this question: is it really a problem that
those people accessed the link but didn't login? Because sure you could put
malware on it, but that's possible on any website.

~~~
heartsucker
Yes, but in theory some sort of MAC could stop it from accessing important
files, or anti-virus could detect it and stop it too. But once the password
leaves the computer, it's going to take a lot more effort to mitigate the
damage. Also, your browser is on your side for protecting against malware, so
for example if you have Flash disabled, that's a whole vector you can just
ignore.

------
greggman
I fell for this one :( The signs were there but the simplicity of the email I
think is what lowered my guard.

[http://blog.greggman.com/blog/getting-phished/](http://blog.greggman.com/blog/getting-phished/)

------
mathgenius
Ok, this article is great and I'd like to share it with all my friends. BUT,
it says nothing about how to mitigate against phishing and so ... would leave
the average internet user just vaguely paranoid, which is not helpful.

I'd like to contact the author and get him to append something about "check
the url". But I guess they are not advertising their email addresses anymore
:-)

------
codedokode
This just shows that password-based authorization doesn't work for normal (not
computer engineers) people and needs to be replaced with physical
cryptographic keys. This is a script kiddie level attack any teenager can do
and it succeeded.

------
ASalazarMX
It's surprising that a dedicated phisher would go so blatantly overboard,
knowing it would stand like a sore thumb. This wasn't spearphishing, it was
regular phishing in a pond.

------
joeblau
Like others, I use a password manager. As soon as I hit command + \ and
nothing happened - I would have known something was up.

------
space99
I have seen the infosec future and the future is going to be domain
whitelisting. Banks are already doing it.

~~~
jlgaddis
In my vision of the future, most devices will not have a default gateway.

Instead, everything will be forced through application layer proxy servers
which inspect the traffic and decide whether to let it pass. This would
include domain whitelisting, as you mentioned, content filtering and
inspection, and/or anything else the {company,"protection service",user}
wanted to add.

I have no doubt that eventually, someday, we will live in a world where our
electronic devices default to deny.

------
elchief
Yubikey + Chrome solves this.

You should get two though. Register both. Put one somewhere very safe, like a
safe-deposit box.

------
bcjordan
Why isn't there some browser-level identity / authentication you allow access
to like oauth?

------
cloudjacker
I haven't read anything this interesting since the Milw0rm days, post more
from that perspective

------
minimaxir
It's worth noting the new user-image-before-password-input for Google is an
anti-phishing feature. Of course, most people won't think that deeply when
prompted with a password request and a similar UI.

~~~
agwa
How does it help? Can't the attacker make a query to Google for the user image
and display it on the phishing page?

~~~
minimaxir
No. There is no email-to-profile-pic mapping endpoint for unauthenticated
users, to my knowledge.

~~~
agwa
Then how does the image consistently display before the password has been
provided? No matter what the answer is, I don't see how it could be an anti-
phishing feature.

~~~
gog
Because the image location is stored in a cookie from before the attack and
this cookie will not be sent by a browser to a phishing site.

Try from an incognito window in your browser; the image should not show up
since no cookies are being sent in the incognito window.

~~~
zaroth
I use fresh incognito tabs constantly. So I guess I'll never see the image,
and never know something is amiss.

But I also _never_ click an email link to login unless it's a plain text
password reset. I receive authentic looking and topical Dropbox share requests
from actual contacts (who have been hacked) trying to phish my Dropbox
credentials maybe 4-5 times a year so I'm always on the lookout for it. This
is a classic attack. Always check the URL!

------
botto
This is why SQRL just needs to be completed and everyone should move to it.

~~~
DvdGiessen
I never heard of SQRL specifically before, so I just spent some time
researching it. From what I can find, it has some significant flaws[0], and it
doesn't seem these can be addressed without defeating the few advantages this
SQRL approach has.

[0]: [http://security.blogoverflow.com/2013/10/debunking-sqrl/](http://security.blogoverflow.com/2013/10/debunking-sqrl/)

