Today I googled integrate "open graph" in-house analytics and the first result is actually a phishing site (still is as of this writing).
I just didn't expect the first result in Google would be a phishing website, and I actually tried logging in to Facebook through the site. The phishing site actually took my info and logged me in to Facebook, but Facebook immediately warned me that I had logged in from a domain that wasn't Facebook and that I needed to change my password.
I did the same thing doing some Facebook development last week. First time I've ever been phished. I felt so embarrassed. I wanted to flag it on Google, but I don't think Google has a flag feature.
Interesting... maybe it's not really a malicious website, but it did take my username/password and Facebook did warn me to change my password immediately after logging in, so I didn't hesitate in doing so!
It doesn't look like phishing at all, indeed. Hope nobody reported the guy to Google. See whois or simply go to www.saverpigeeks.com to know more about it.
Hopefully you changed that password everywhere you use it. They have it now and will probably try your email/pwd combination on amazon, ebay, gmail, etc.
I work at a digital advertising agency and we're researching the best ways to quantify the value of integrating Open Graph into our clients' websites, and Facebook marketing in general.
This shows another benefit of always logging in using a password manager like 1Password. Even if I were fooled and tried to log in on this phishing form by pressing Cmd+|, 1Password wouldn't fill my password because the URL doesn't match... which would lead me to think something is definitely wrong.
Also another win for Single-Site Browsers like Fluid and Prism. I wouldn't expect to see Gmail in my main browser window.
I would have totally fallen for this attack. My mind is blown. My father has been raving about 1Password forever, but I use a unique password "algorithm" in my head which has served me well so far. Now I'm actually considering 1Password. Anyone else want to share their experience with it? Good idea? Bad idea?
And for those, like me, who had not heard of Single-Site Browsers, here are some links:
I use 1Password for pretty much everything and I love it. I have its database on Dropbox, so it's synced and can be used from different computers. I also have the iPhone app, so I can get my passwords anywhere if the need arises out and about.
However, I'm at a point where I need to figure out a recovery plan, because, you see, my Dropbox password is in 1Password as well, and my email password too. So, I could imagine a scenario where something gets compromised and I have a hard time getting it back…
1Password being Mac-only with no cloud sync doesn't work for me.
I've been using LastPass for the last week. It has Chrome extensions which work on my personal Macs and work Windows machines. The Chrome extension UX is a bit too rough for me to recommend it to non-techies, but I think the idea and execution is sound.
Recommended. I don't use it for Gmail or banking passwords of course.
I had never heard of LastPass before but from their website, it seems very interesting: some extra features, some features lacking, but overall probably cheaper. (one 1Password license is worth about 3 years of LastPass)
I would have to try it, but this looks good. Thanks for the tip!
Added bonus: my wife has access to my password file because of Dropbox, so when I add a new password for some service she may need, it immediately and securely shows up on her Mac.
Does that mean that your wife only uses 1Password for your passwords, or can 1Password manage multiple DBs at the same time?
I don't think I've seen the latter, though I would love to see some way of sharing just a part of my DB with my wife. (she has a pretty weak master password, so one shared DB would not work well for me)
I don't know of a way to handle multiple at the same time, but you can choose which one is loaded. It'd be worth requesting on their forums though, they're pretty responsive, and it might get rolled in some time. Though there's still no AppleScript support :\
Not sure, but she could never handle two different files - even remembering the ONE complicated password for the file is annoying to her. So she gets only my file...
Similar to others, I've had an excellent experience with it. The Chrome plugin is a bit sub-par, but it's still in development, and does fill passwords reliably. Capturing doesn't always work, however - a guaranteed way to save a password is to use Safari / WebKit (never had a problem with the webkit nightlies) / Firefox, which all have more "full" plugin capabilities, and mature plugins.
My personal favorite feature: the keychain-package is just a folder / bundle, and it contains a website... which is capable of decrypting your passwords, given your master password. Which means you can recover your passwords without the application, on any machine with a web browser. Including through the Dropbox web interface, without needing to download it locally.
Yeah, I've been having problems with it offline too, not sure what to make of it. Launching it within Dropbox's website keeps working though, so I'm not really bothered.
If you're on a Mac and use Gmail/Google Apps, I'd recommend Mailplane - it's essentially an SSB tuned precisely to Gmail, and providing some interesting OS integration features. It also handles multiple accounts relatively well.
I've never used a single-site browser, but I generally do make sure that my email is the only thing open when I'm visiting it (and clear private data to avoid anything weird in the cache beforehand).
Between that and noscript (and enough savvy to spot even slightly-wrong websites), I haven't had any problems. I don't think this attack would work on me because I've long kept email segregated from normal web browsing due to other attacks, which rely on you clicking malicious links while logged into the site they want to get your information from. So I would, if anything, just think I'd clicked on the wrong shortcut and close out of it rather than logging in. Score one for paranoia? I've never been infected by spyware/viruses/etc.
You might be able to perform the same attack using hanging HTTP requests to load a stylesheet and favicon at the bottom of the page. Defer completion of the requests for several minutes until it's likely the user has moved on to another tab. Stylesheet displays the hidden phishing UI, favicon is loaded. Bam, same effect.
Alternatively use a meta refresh tag to simply redirect to an entirely different page.
> Alternatively use a meta refresh tag to simply redirect to an entirely different page.
That was going to be my suggestion too. In fact that would be my preferred attack because you could change the URL to something that looked "kosher" as well.
Thank you, I obviously had not checked in a while. Time to give Chrome another run as my New Favorite Browser.
[edit]
The "no javascript" control is under "Options / Under the Hood" click the "Content Settings" button. I see the ability to disable javascript and add exceptions. Javascript can be enabled by clicking on the icon at the right-hand side of the address bar. Cool!
Works for me in Firefox 3.59 on OpenSuse 11.2. OpenSuse for some reason also seems to have more compatibility with my workplace's web-based internal tools than other coworkers running Ubuntu or Fedora.
I'm using Chrome 5.0.375.38 on Mac OS X and the site didn't work for me either and I'm not running any kind of "NoScript" style extensions, just an out of the box Chrome.
I use Chrome and I have an "application shortcut" for gmail. On win7 gmail is its own separate icon on the taskbar, so this sort of attack wouldn't work on me at all.
Now I guess phishing attacks need to move to simulated password managers. :)
It's a never-ending problem owing to the nature of computers being easily programmed... it's lucky phishers are so extremely bad at what they do - it's certainly within reason to abuse existing websites far beyond what we see regularly - if you can find and use the right type of exploit then you can actually just use Google or whatever to provide the exact login page, with correct URL etc, then just steal the input. Although saying that... it can be done so well that I wouldn't actually know if it ever happened... maybe there are some smart ones out there and the swarms of poor attempts are just a distraction from a much more serious potential problem?
> it can be done so well that I wouldn't actually know if it ever happened
Yes, I think you're just seeing what the bad ones do and the good ones never enter your consciousness. Good bank robbers and jewel thieves have never been caught, and I'm sure good virus writers and phishers have probably never even been detected. Think of a Gmail login phishing attack that, after capturing your information, re-posted it to Google's servers so it actually logged you in. By the time you stopped to think about what just happened, your browser is already at mail.google.com with a green everything's-ok address bar.
I was thinking much cleverer than that... imagine mail.google.com /the real deal/ but there are hooks in the API to catch what you put in the login boxes - the only giveaway is a minuscule extra bit of local processing - no traceable network usage required. One attack could collect usernames/passwords from a user for every big site they use.
The phishing site that plants the stuff could even get away with being massively obvious - so long as people look at it they could be infected.
Of course finding such exploits is non-trivial... but people are doing it with some regularity.
(EDIT: incidentally the only way I log in to Google Mail or anything I log into is by typing in the URL specifically, e.g. "mail.google.com", so this is pretty much the only way to hit me up with this sort of attack - if I get "magically" logged out then I might get stung, but it seems doubtful... it's just too suspicious)
Then that's not phishing — that's installing a keylogger on the user's computer. Also bad for his security, but a completely different form of attack. It's also something that actually does happen.
Windows would be the best target probably, and hooks might not be the best idea, but you can capture all kinds of input with the APIs documented on MSDN.
For example. Although I'm not sure how good they are these days... I honestly can't remember exactly which technique I used, but I managed to make a keylogger with Excel/VBA once with APIs I randomly looked up on MSDN - it was just to prove a point though, I haven't really done anything more elaborate than that.
The difficult bit is really getting code to run. That I have no idea about, but I've heard about exploits from time to time, usually when they are fixed :)
I must confess I 'cheated' - I picked this bank because their web site seemed well done (worked in FireFox with no Flash, etc). Also not too intent in nickel-and-diming users.
Their 'password' security is pretty good, too. They have two levels of 8-digit PINs (one to 'read' the account, then another to 'write', i.e. move money out). They only ask for input of 4 out of those 8 digits (randomly, e.g. 3rd, 5th, 6th, 8th), using an on-screen pad (defeats key-logging).
Related to this, I recently was wishing I could separate some|all of my Google services with extra or different passwords.
I'm not exactly sure what I want as far as design vs. usability but it feels bad right now to have one password for the amount of data that it's protecting, especially when I have to enter it occasionally for more "fluffy" services.
This is the number one reason I don't use Google for OpenID (which, I swear, could not be designed better to encourage phishing if you tried: "Get in the habit of automatically typing your holiest of holy credentials right after clicking the link on a site you've never been at before").
I wouldn't really mind getting my Reader account broken into. But AdWords, with mounts of sensitive data and the ability to inflict huge charges on me? Google Checkout, with names and addresses of half of my customers a finger-flick away? Gmail, which could probably be bootstrapped into a password reset at my brokerage, bank, or GoDaddy? shudder
Google, if you want more of my money, I'll happily pay for a dongle. If you don't know how to make one, have somebody break out the petty cash drawer and buy Blizzard, I hear they have one for critically sensitive information like WoW characters.
Even worse, if you've got multiple Google accounts, you can't use them at the same time. So if you've got a separate junk email throwaway account, you can't be logged into there and Adwords or Docs at the same time. You can skirt this a little bit with Google Apps and have an email + other Google services open, but kind of a pain in the neck, especially if you manage a couple different businesses/projects/whatever that should have their own email addresses.
Hmm, I think I've already developed habits that offer me SOME immunity to this. I keep my main Gmail in the leftmost tab, almost always logged in. When I have tabs for Gmail or Google Docs that show me being logged out, I hit reload. Rarely would I log in a second time if I know I'm logged in.
Other google services like adsense require password confirmation even when logged into gmail, but I'd be less apt to 'forget I was trying' to log in to that, and it would be less likely that random people would be users, so it would attract more suspicion.
However, the article also mentioned that this could be used to imitate services other than Gmail. I still buy the idea that people don't always look at the URL when they switch back to a tab.
Do you have the same practices with facebook and your bank account as you do with gmail?
I go one beyond with banking, PayPal, and other financial sites. I login with a single tab open. I log out when I'm done, and then I close the browser.
Still, it's a pretty clever phishing attack, and I bet it would fool a lot of people. What I didn't get from the article was whether this was something Aza Raskin has seen, or is it something that he thought up. If the latter, then I'm not too sure about the scruples of publishing this trick while promoting the password manager in FF.
Facebook might get me, but I find it annoying. They would need to guess my bank first, and guessing wrong would set off alarm bells. (More so now than before I heard of this)
Slightly related: I think new tabs should inherit history, so that I can clearly see how I got somewhere. If I don't remember having a tab with my bank login in it, and I see that I got there from reddit, I know things are very wrong. As it is, most things I find on reddit open in tabs with no history, so they'd look exactly like I opened them directly.
Another reason to use randomly generated passwords and a password manager like 1Password. I don't know 99.9% of my passwords and instead rely on 1Password to fill them in.
The nice thing about a password manager with form fill is that it would prevent this "attack" because the domain name does not match the spoofed site. I wouldn't even have the ability to have it fill my Gmail password in for me.
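The origin check behind the two comments above (a form-filling manager refusing to fill because the domain does not match) as an added example, not 1Password's code or anything from this thread. The vault entry, the toy public-suffix list and the function names are constructed; the check is deliberately strict enough to refuse a look-alike host that merely contains the expected name as a subdomain.

```javascript
// Toy public-suffix list, constructed for the example; a real manager would
// ship the full list so that "co.uk"-style suffixes are handled.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname: "mail.google.com" -> "google.com".
// If no known suffix is found the whole hostname is used, which only makes the
// comparison stricter.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return labels.join(".");
}

// A saved login, keyed by the origin it was captured on (constructed sample).
const VAULT = [
  { origin: "https://mail.google.com", username: "alice", password: "correct-horse" },
];

// May `entry` be filled into the page at `pageUrl`? Three rules: both URLs must
// parse, the page must be served over https, and the registrable domains must
// be identical. "gmail.com.login.evil.example" therefore never matches.
function shouldAutofill(entry, pageUrl) {
  let page, saved;
  try {
    page = new URL(pageUrl);
    saved = new URL(entry.origin);
  } catch {
    return false; // unparsable URL: never fill
  }
  if (page.protocol !== "https:") return false;
  return registrableDomain(page.hostname) === registrableDomain(saved.hostname);
}

// Entries the manager would offer to fill on the current page.
function matchingEntries(vault, pageUrl) {
  return vault.filter((e) => shouldAutofill(e, pageUrl));
}
```

A tabnabbed page that has swapped its content for a Gmail look-alike still lives at its own origin, so `matchingEntries` returns nothing for it, and the absent autofill is the cue both commenters rely on.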
I feel totally vindicated for my tab-closing OCD now. I'd like to think the lack of auto-filled username/password forms would have tipped me off but in a hurry I'm not totally confident of that. It would be even more effective for sites you expect to be logged out of after a period of inactivity.
I guess I'm OCD in the fact that my Gmail tab is always my far-left tab - I know exactly where it is. It's the only Google feature that I really use (apart from Reader on my phone), and I'm pretty fussy about where I type passwords in.
Nice. With a phishing site that gets a URL close to Gmail's, or just makes one of those ridiculously long subdomains to make it look like you're at gmail.com, and you've got a solid attack.
Is there any password manager for Chrome like the proposed one coming out for Firefox?
When I click on a tab my eye is on that spot of the screen. Just above the URL.
You'll have to get a very similar address to fool me, and good luck making the page look exactly the same as the original. The rounded buttons and differently aliased text on the attack page were enough for my red flags to be raised.
It is not that hard to make it look exactly the same. Just doing a "save page as" in most browsers will automatically store all the HTML, CSS, and images needed to render a page to your hard drive.
The only reason you noticed the different buttons and different text is because the author decided to save himself some time and just replaced the page with a screenshot of how Gmail is rendered on their computer.
That is a really effective phishing attack that I have not seen yet...at least I don't think...and if I see it again I am pretty sure I would not notice. Kind of scary that this information is now in the hands of countless phishers.
One would hope this will cause banks and the like to rethink disabling having the browser's password manager enter your password. On sites where the browser normally automatically fills in my password I'd immediately be suspicious if I got a screen without my credentials already filled in. My banks, however, always require me to fill in the fields, so I wouldn't be any the wiser.
My bet though is they won't become so wise and will instead just rely on displaying my private image and phrase on the login screen.
I don't see how I would fall for this. My credentials are automatically filled in by Safari on gmail, so that would be my first clue something was up, and the URL hasn't changed and I ALWAYS double check that before entering credentials anywhere.
However it is an extremely clever new attack vector, and I don't know how browser manufacturers can stop this attack.
Interesting. Doesn't work for me, because I tend to associate tab content with where the tab is relative to other tabs.
For example, I don't normally have gmail open in a tab (I prefer to use mutt as my email client), so, to see "Gmail: Email fro..." - as I currently see in the tab directly left of this one - is disorienting for me. I expected the article on phishing.
However, even without it, this attack isn't exactly mature. Different browsers will render the javascript differently. My browser tried to execute the page-changing javascript as it was loading the page, and I was viewing the page. Obviously, in a few months or so, this will change, but for the first reason, I remain firm in my stand that this attack doesn't really mean much.
It wouldn't work for me for several reasons; one, I always keep g-mail in the left-most tab, two, I use 1Password to fill in all my passwords, which obviously wouldn't work with the wrong URL.
But the 1Password thing is a recent thing; I could easily have fallen for one of the bank attempts, since I usually leave them open in another tab while it's loading, or if I get bored, so it's not unusual for me to tab over and be surprised by a "you've been logged out!" screen.
I open tabs in the background all the time -- this doesn't seem any different than one of those being a phishing site. It's pretty simple imho, don't type in a password unless you also typed in the url or used a bookmark. That's the advice I usually give family/friends.
Just tried it. Wow. Best phishing attack ever. That really does almost hypnotize you into filling in the Gmail login form quickly and submitting, without even thinking. Luckily I'm also one of those guys who always has my Gmail tab in the same position. For folks that don't do that, and don't use SSBs, etc., this could be very dangerous.
The original title of the article is "A New Type of Phishing Attack". There's nothing about "savvy users", since a savvy user would note that the URL is completely wrong. Savvy users are also likely to be running NoScript, using form-filling password managers, etc.
I'd consider myself a savvy user. I don't run NoScript, nor do I always notice when the auto-password feature doesn't work because I use multiple browsers and they don't all have the same credentials. Nor do I (think I) always scan the URL when I switch tabs -- though surely I'll do more of that now.
This won't work against most savvy users on their best days. It will probably work against most savvy users on any given bad day.
What's interesting to me is that it'd be pretty easy for a site owner to target very specific users who visit their site. I could easily see this being used by a rogue employee at a web company to gather credentials/info on a specific target VIP and then covering their tracks later.
The idea is that a savvy user may notice the url when they first surf to the site, but are less likely to do so when they return to a tab they have previously opened.