Your Google account was just used to sign in from London



  • Would you trust this email?


    Windows? I fucking never use this shit. I'm hacked!

    Looks pretty darn legit.

    The website looks pretty legit, too. In fact, the HTML source is exactly the same as accounts.google.com, when viewed from Turkey with the language set to English.

    The only tip-offs you have are the two domain names involved. supportgoogle.com and settings.googlesecurity.tk.

    Source https://twitter.com/homakov/status/595753080022511618


  • FoxDev

    damn. that's a good phishing email.

    wouldn't have gotten me as i'm in the habit of visiting the site directly when shown a security alert. on the assumption that if it's a security thing then the email could just as well have been faked.


  • Grade A Premium Asshole

    Are you sure it is not legit? I got the exact same email yesterday when I signed in to Google Apps, telling me there was a new sign in, OS, browser, etc.

    I got it because it is a new security policy from Google, not a phishing email...



  • The email is coming from supportgoogle.com, which is a parked domain; and the links send you to settings.googlesecurity.tk. It's a phishing email.

    Ya got fooled.


  • Grade A Premium Asshole

    @riking said:

    Ya got fooled.

    I didn't. They are just replicating what Google is already doing.



  • How difficult is it for Gmail to detect this email as a phishing attempt?

    1. evil delivery time:

    2. fake From field

    3. link shows one URL, but the actual href is to a different domain



  • Speaking of which... https://www.google.com/safebrowsing/report_phish/

    I don't know how they react to "flood" reports by lots of different people, but let's hope it gets looked at fast...


    It is now marked as a phishing site.


    Just tested it with you@gmail.com / you - it actually sends you to the Google account settings. It looks like Chrome & Firefox both do a second check when you submit a form.


  • Grade A Premium Asshole

    @Monarch said:

    How difficult is it for Gmail to detect this email as a phishing attempt?

    It wouldn't be hard at all, considering that it is absolutely identical to an email that Google already sends out with just the link targets changed. That is pretty shoddy security...



  • @riking said:

    Just tested it with you@gmail.com / you - it actually sends you to the Google account settings. It looks like Chrome & Firefox both do a second check when you submit a form.

    Hey, that gives me an idea - how about those phishing alerts give you an option to jump to the legitimate site?

    Mockup:



  • @Polygeekery said:

    It wouldn't be hard at all,

    multi-billion-dollar company, and this is how they combat phishing.

    http://www.computerworld.com/article/2509783/security0/google-boosts-gmail-s-anti-phishing-feature.html

    not much changed since 2011


    @riking said:

    how about those phishing alerts give you an option to jump to the legitimate site?
    Mockup:

    How about using these phishing alerts to create a multilayer phishing scam, where the "back to safety" button takes you to a fake login page? With some clever social engineering you can create the illusion that the browser actually protected you, and that will lower your guard.


  • Grade A Premium Asshole

    @Monarch said:

    create the illusion that the browser actually protected you, and that will lower your guard.

    I thought the same thing.



  • Agreed, it should say, "for going back to safety, close the tab or application", since basically such a phishing scam at that layer can do anything (even the back button can be a redirect to their site, but that might trigger an official phishing scam warning that will lead to more confusion).

    I don't trust unsolicited emails that have links asking me to login. I just type it in how I normally access said page.


  • FoxDev

    @Nprz said:

    I don't trust unsolicited emails that have links asking me to login. I just type it in how I normally access said page.

    this.

    if i get an email saying action is needed on my part and i need to log in by clicking this link, i'll go to the site (if i actually do business with them) using my standard browser bookmark and log in there.


  • Fake News

    Do you hear that, Doug? I'm coming to London!

    http://www.youtube.com/watch?v=y6-AGtjsylw



  • @Nprz said:

    I don't trust unsolicited emails that have links asking me to login. I just type it in how I normally access said page.

    Same here.

    (Except, of course, for those links in the emails from the Nigerian prince. I'm sure they're really quite safe. 😃 )

    Addendum: Is it, like, a badge of honor to receive one of those? 'Cause, I never did and I hate to think I'm missing out.



  • @CoyneTheDup said:

    Addendum: Is it, like, a badge of honor to receive one of those? 'Cause, I never did and I hate to think I'm missing out.

    My spam filters those out pretty good these days. I did get a HK business man one not too long back.
    Looking at bogus listings on zillow (house rentals for way under the rate) gets a number of hits, but requires initial contact from the scamee.
    I used to enjoy going over the 419 trolling pages (although that could be as legitimate as bash.org)


  • kills Dumbledore

    Looks like you need this:


  • BINNED

    @Monarch said:

    link shows one URL, but the actual href is to a different domain

    Thunderbird throws a hissy fit about this on emails from Discourse due to mandrill click tracking.

    Evolution doesn't mind, interestingly.



  • Nice try, but this way it's about useless:

    • People who don't know a thing about security, and thus are the ones that would really need it, won't find it nor understand why they should install it.
    • It only protects from phishing against Google, which for most people is not the site that would need most protection. Online banking is.

    I was thinking a tool that would remember (hash of) anything you enter in web forms that looks like username and password and if you type the same combination you normally use for one site in completely different site, would give a warning like:

    You are entering your password you normally use for “Google” to a site that is not “Google”. This may be an attempt to steal your password. If you suspect so, close the tab and enter “Googe” from your normal bookmark.

    1. It is Google.
    2. No, it is not Google. I want to reuse the password for different site though I know it is unsafe.

    The first action would block the attempt and, if enabled, report a phishing attempt. The second would remember the password is also used for the new site.

    The module would also block network activity from JavaScript that would look like it might be an attempt to send off the password one key at a time before the module stops the page.
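
The decision logic of the tool proposed in the post above, as an added example that is not part of the original post or of any existing extension. The class and method names are hypothetical, the site strings are hostnames taken from the thread, and the browser integration (form hooks, keystroke blocking) is out of scope here.

```python
import hashlib
import os

class ReuseGuard:
    """Remembers a salted, stretched hash of each password per site and
    warns when the same password is typed into a different site."""

    def __init__(self, iterations=200_000):
        self.salt = os.urandom(16)   # per-install secret; stored hashes are useless elsewhere
        self.iterations = iterations
        self.known = {}              # digest -> set of sites where this password is expected

    def _digest(self, password):
        # PBKDF2 so a copied store cannot be brute-forced cheaply.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.iterations)

    def remember(self, site, password):
        self.known.setdefault(self._digest(password), set()).add(site)

    def check(self, site, password):
        """Return None if nothing is wrong, else the sites this password belongs to."""
        sites = self.known.get(self._digest(password))
        if sites is None or site in sites:
            return None
        return sorted(sites)

    def on_submit(self, site, password, user_says_reuse=False):
        """Model the two choices in the proposed warning dialog."""
        if self.check(site, password) is None:
            return "allow"
        if user_says_reuse:          # choice 2: deliberate reuse, remember the new site
            self.remember(site, password)
            return "allow"
        return "block"               # choice 1: user meant the original site

# Constructed walk-through using the hostnames from the thread.
def demo():
    guard = ReuseGuard(iterations=1000)  # low count only to keep the demo fast
    guard.remember("accounts.google.com", "correct horse")
    return [
        guard.on_submit("accounts.google.com", "correct horse"),
        guard.on_submit("settings.googlesecurity.tk", "correct horse"),
    ]
```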



  • damn. I don't remember ever falling for any phishing, but I would fall for this one, probably.


  • kills Dumbledore

    @Bulb said:

    People who don't know a thing about security, and thus are the ones that would really need it, won't find it nor understand why they should install it.

    Agreed. The fact that you're searching for and installing security based extensions probably means you're less likely to fall for a phishing scam in the first place. I would install something like this if I was setting up a computer for a less tech savvy friend or relative though.

    @Bulb said:

    It only protects from phishing against Google, which for most people is not the site that would need most protection. Online banking is.

    If Google is your main email, then it's the gateway to all of your other online accounts, via "forgot password" links. If someone got into my Google account they'd have various services with my payment details stored, multiple forum accounts and other things that could add up to a fairly easy identity theft, and probably more. My bank is separate because it has proper two factor authentication and doesn't support email for changing details/passwords.


  • Winner of the 2016 Presidential Election

    @Bulb said:

    You are entering your password you normally use for “Google” to a site that is not “Google”. This may be an attempt to steal your password. If you suspect so, close the tab and enter “Googe” from your normal bookmark.

    1. It is Google.
    2. No, it is not Google. I want to reuse the password for different site though I know it is unsafe.

    This is a phishing attempt! I can tell because the intention of bringing someone to Google and the action of bringing someone to Googe don't match.


    On a more serious note. I got a fake PayPal email recently that looked surprisingly realistic as well. This does kinda scare me, as they are - finally - grasping how to confuse people without broken English and being a Nigerian prince.

    Filed Under: It's a sad world we live in!


  • 🚽 Regular

    @Monarch said:

    evil delivery time:

    Well, half evil anyway.



  • @Jaloopa said:

    If Google is your main email, then it's the gateway to all of your other online accounts

    True. But I was not saying it's not a problem, I was saying that phishing bank accounts is a bigger problem. And that a good solution would protect against phishing attempts against any site (by trying to catch entering credentials to a site where you normally don't).

    Just yesterday a newspaper ran a story about how bank account phishing is on the rise here. Most banks here use the one-time-password-over-SMS and that makes only for almost-two-factor authentication, because since smart phones it can be attacked by getting the user to install a trojan in their phone. Which can be done by suggesting a “security application” in the very phishing mail.


  • ♿ (Parody)

    @Monarch said:

    multi-billion-dollar company, and this is how they combat phishing.

    Oh, man...we need to start posting this on meta.d every time they suggest removing some bit of information from the UI because google did it.


  • Discourse touched me in a no-no place

    @riking said:

    Hey, that gives me an idea - how about those phishing alerts give you an option to jump to the legitimate site?


    Like clicking Details and then the link that appears?
    Nevermind. Reading fail again. Long day :barrier: reading



  • @Monarch said:

    multi-billion-dollar company, and this is how they combat phishing.

    not much changed since 2011



  • Yes, I want to revive this topic. What is it with you (Discourse) and the "life" of topics?

    Chose this to be the most appropriate topic for this post. For which I have no comment, but an unsatisfied curiosity as to why?


  • Discourse touched me in a no-no place

    VM needed to shift away from the Gmail based service, so they are.
    Google stopped supporting ISPs, although I think VM are the only big UK ISP who use(d) Gmail anyway.



  • I wouldn't trust my ISP to provide email hosting for me.

    This post includes:



  • This of course would be another non-problem if your browser handled website authentication for you.


  • Discourse touched me in a no-no place

    @riking said:

    The only tip-offs you have are the two domain names involved. supportgoogle.com and settings.googlesecurity.tk.

    Well… I don't know about that; what was the Received: header chain? That's usually much fishier<hah!> with a phishing message than with a real one. (And for legit sites that insist on sending emails fishily? Fuck 'em.)



  • You mean like Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, ... already do?


  • Java Dev

    @dkf said:

    And meta.d too!

    Is that why thunderbird thinks mail from wtdwtf is scam? Or is that because of <a href="some_url">some_other_url</a>?



  • I noticed something a little odd[1] in the headers, but I think it's mostly the URL misdirection.

    [1] (Another Discourse bug: If I put the rest of this on the same line, Discourse jumbles the text and turns the whole thing into a link.)
    Received: from pmta05.wdc01.mailchimp.com (127.0.0.1) by mail17.wdc04.mandrillapp.com id hrqfi41jvjg7 for <*REDACTED*>; Thu, 27 Aug 2015 05:24:48 +0000 (envelope-from <bounce-md_30152208.55de9f1f.v1-4b1ff211e2f84684b6049aa117b6bc82@mandrillapp.com>)
    Received: from [162.243.208.23] by mandrillapp.com id 4b1ff211e2f84684b6049aa117b6bc82; Thu, 27 Aug 2015 05:24:47 +0000
    Why is pmta05.wdc01.mailchimp.com sending the mail to itself (?) by a different name, mail17.wdc04.mandrillapp.com, I guess?

