Watch out for this sneaky Gmail phishing attack

Rudi
gamma jay
Posts: 25455
Joined: 17 Mar 2010, 17:33
Location: Cape Town


Post by Rudi »

There's a new Gmail phishing attack going around, and it's fooling everyone
Tech professionals don't generally fall for phishing attacks: They know what to look for and when to be suspicious. One new attack, however, is even fooling the experienced.
Above quote and details from here.
Regards,
Rudi

If your absence does not affect them, your presence didn't matter.

HansV
Administrator
Posts: 78481
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Watch out for this sneaky Gmail phishing attack

Post by HansV »

Thanks, Rudi.
Best wishes,
Hans

StuartR
Administrator
Posts: 12605
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Watch out for this sneaky Gmail phishing attack

Post by StuartR »

While you're watching out, there's a cute Amazon phishing attack out there too...
Amazon customers targeted in phishing scam
SC Magazine wrote: The con starts when the victim attempts to check out. A message appears stating the product is no longer available, but then the vendor will email the target saying the item is available and can be purchased by clicking on an imitation Amazon link included in the email. The link leads to a fake, but quite real looking, Amazon payment screen where all of the victim's Amazon login, payment and personal information is asked for.
StuartR


Roderunner
5StarLounger
Posts: 1021
Joined: 23 Jan 2011, 01:52
Location: Witness Protection Program.

Re: Watch out for this sneaky Gmail phishing attack

Post by Roderunner »

ditto.gif
Windows 11 Home 22H2

Regards,
George.

HansV
Administrator
Posts: 78481
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Watch out for this sneaky Gmail phishing attack

Post by HansV »

Sheesh...
Best wishes,
Hans

StuartR
Administrator
Posts: 12605
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Watch out for this sneaky Gmail phishing attack

Post by StuartR »

The easiest way to protect yourself against many of these attacks is to use 2-factor authentication on every site where you can.
StuartR


Rudi
gamma jay
Posts: 25455
Joined: 17 Mar 2010, 17:33
Location: Cape Town

Re: Watch out for this sneaky Gmail phishing attack

Post by Rudi »

TX Stuart.
Regards,
Rudi

If your absence does not affect them, your presence didn't matter.

RonH
SilverLounger
Posts: 2059
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Watch out for this sneaky Gmail phishing attack

Post by RonH »

Thanks for info Rudi.
... and here's me thinking Gmail is pretty safe compared with Yahoo and suggesting to my daughter to change providers. This attack you describe is very smart.
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.

HansV
Administrator
Posts: 78481
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Watch out for this sneaky Gmail phishing attack

Post by HansV »

Gmail offers two-factor authentication. If you use that, and if someone manages to steal your username/password, they would also have to steal your mobile phone and unlock it, otherwise they won't be able to log in...
Best wishes,
Hans

RonH
SilverLounger
Posts: 2059
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Watch out for this sneaky Gmail phishing attack

Post by RonH »

You persuaded me Hans so I have set it up. Windows & Android devices all function and as I understand it, will continue to not need the extra code.

I avoided this feature previously thinking I would need the code every time I signed in on my devices. It pays to read the instructions :clapping:
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.

ChrisGreaves
PlutoniumLounger
Posts: 15619
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Watch out for this sneaky Gmail phishing attack

Post by ChrisGreaves »

Rudi wrote: There's a new Gmail phishing attack going around, and it's fooling everyone
Today's National Post ran an article that says despite the Bank of Canada's defences working, some bank computers are still vulnerable.
This after employee training!
Thanks to the bank’s cybersecurity defences, the vast majority of those emails were filtered out before they reached their intended targets. For the 33 users who did open the emails and attachments, a second layer of the bank’s cybersecurity system kicked in, preventing the malware from transmitting any information to the hackers.
The bank’s employees, however, were not as reliable. Five of the 33 duped users opened the email and attachment even after the bank sent out a notification specifically warning them not to.
There's nothing heavier than an empty water bottle

Roderunner
5StarLounger
Posts: 1021
Joined: 23 Jan 2011, 01:52
Location: Witness Protection Program.

Re: Watch out for this sneaky Gmail phishing attack

Post by Roderunner »

That will teach them for not being an Eileen's Lounge Member. :scratch:
Windows 11 Home 22H2

Regards,
George.

Jay Freedman
Microsoft MVP
Posts: 1318
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Watch out for this sneaky Gmail phishing attack

Post by Jay Freedman »

ChrisGreaves wrote: Five of the 33 duped users opened the email and attachment even after the bank sent out a notification specifically warning them not to.
That will go on their permanent record! "Too stupid to live."

ChrisGreaves
PlutoniumLounger
Posts: 15619
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Watch out for this sneaky Gmail phishing attack

Post by ChrisGreaves »

Roderunner wrote: That will teach them for not being an Eileen's Lounge Member. :scratch:
but, but ...

They are, apparently, unteachable!

Cheers
Chris
There's nothing heavier than an empty water bottle

BobH
UraniumLounger
Posts: 9284
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Watch out for this sneaky Gmail phishing attack

Post by BobH »

Could someone please help me overcome my ignorance about 2-factor authentication? I've searched and read several articles, but I'm still a bit perplexed. It seems to me that the concept requires divulging information that is not secure, in some cases, as the second factor. For example, the use of the personal mobile phone number as a second factor fails because it is information readily attainable from Internet or other sources and it is exclusively linked to my identity. How can using a personal identity value revealing one's identity be an improvement?

Puzzled in the Great American Midwest.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K, 1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice, and other bits and bobs

HansV
Administrator
Posts: 78481
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Watch out for this sneaky Gmail phishing attack

Post by HansV »

Hackers would need not only to know your cell phone number, but to have your cell phone in their possession!

Let's take Gmail as an example. When you set up 2-step verification, as Google calls it, you give Google your cell phone number; they send you a text message with a number code that you have to enter on the web page, to prove that you are the user of the cell phone.
From then on, each time you log in to Gmail, Google will send you a text message with another number code after you have entered your username and password, and you have to enter this code on the logon page. As a result, even if someone manages to retrieve your username and password, they won't be able to use them to log in to your Gmail unless they also steal and unlock your cell phone.
(To avoid having to receive a number code on your own computer, tablet or phone each time, you can tick a check box, similar to the check box "Remember me" here in Eileen's Lounge.)
Best wishes,
Hans
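
The login flow Hans describes above, sketched as server-side logic; this is an added example, not part of the original posts and not Google's implementation. The class name, the timeout and the attempt limit are assumptions, and the `outbox` list stands in for the SMS gateway.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300       # seconds a texted code stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong guesses allowed per code (assumed value)

class TwoStepLogin:
    """Hypothetical server-side model: password, then a texted one-time code."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._pending = None     # [code, expires_at, attempts_left]
        self._trusted = set()    # hashes of "remember this device" tokens
        self.outbox = []         # stands in for the SMS gateway

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def start(self, password, device_token=None, now=None):
        """Step 1: returns 'denied', 'ok' (remembered device) or 'code_sent'."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return "denied"
        if device_token and hashlib.sha256(device_token.encode()).hexdigest() in self._trusted:
            return "ok"          # the password is still required, the code is not
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.outbox.append(code) # goes to the registered phone, never to the browser
        return "code_sent"

    def finish(self, code, remember=False, now=None):
        """Step 2: returns (success, device_token or None)."""
        now = time.time() if now is None else now
        if self._pending is None or now > self._pending[1]:
            self._pending = None
            return False, None
        if not hmac.compare_digest(code.encode(), self._pending[0].encode()):
            self._pending[2] -= 1
            if self._pending[2] == 0:
                self._pending = None   # too many guesses: the code is burned
            return False, None
        self._pending = None           # each code works once
        token = None
        if remember:
            token = secrets.token_urlsafe(32)
            self._trusted.add(hashlib.sha256(token.encode()).hexdigest())
        return True, token
```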

StuartR
Administrator
Posts: 12605
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Watch out for this sneaky Gmail phishing attack

Post by StuartR »

The idea behind 2-factor authentication is that you use two completely different things to prove who you are. The options are usually described as
  • Something you know (for example a password)
  • Something you have (for example a mobile phone or a smartcard)
  • Something you are (for example a fingerprint or your voice)
This means that using two different passwords would NOT be 2-factor, because they are both something you know.

The most common two factors are a password and a mobile phone, but this is no longer considered sufficient by most authorities, because the protocols used by mobile phones are too easy to hack. Someone may be able to access the second factor even though they don't have your phone. This is why the US NIST has said that a phone should be avoided as the second factor (https://pages.nist.gov/800-63-3/sp800-63b.html).
NIST wrote: Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.
I use my mobile phone as a second factor for most accounts, because it is all that is available in many cases, and it is MUCH better than just using a password.
StuartR


ChrisGreaves
PlutoniumLounger
Posts: 15619
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Watch out for this sneaky Gmail phishing attack

Post by ChrisGreaves »

BobH wrote: Could someone please help me overcome my ignorance about 2-factor authentication?
Thanks, BobH et al., for helping me overcome some (more) of MY ignorance :thankyou:
There's nothing heavier than an empty water bottle

BobH
UraniumLounger
Posts: 9284
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Watch out for this sneaky Gmail phishing attack

Post by BobH »

Thanks for the education.

I agree that the use of a mobile phone as 'something you have' when used with authentication is too prone to hacking to be used reasonably. I read the wiki on 2-factor authentication and could come up with nothing in my sphere that would be satisfactory for the second factor. I wonder if retinal scanning (or is it iris scanning) will ever advance to the level of utility in this regard? Of course, photographs have become clear enough at magnification that even your retina/iris can be co-opted by someone else.
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K, 1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice, and other bits and bobs

HansV
Administrator
Posts: 78481
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Watch out for this sneaky Gmail phishing attack

Post by HansV »

While using a mobile phone for two-factor authentication is not 100% safe, it is many, many times safer than NOT using two-factor authentication at all!
Best wishes,
Hans