phishing   2623

Certified Malice | text/plain
Phishers use certificates for HTTPS because of course they do. "You could be having a private conversation with Satan."
cybersecurity  phishing  ux 
2 days ago by dsalo
Nope, this isn’t the HTTPS-validated Stripe website you think it is | Ars Technica
How extended validation certificates can be used to scam, not help, end users.
For a decade, some security professionals have held out extended validation certificates as an innovation in website authentication because they require the person applying for the credential to undergo legal vetting. That's a step up from less stringent domain validation that requires applicants to merely demonstrate control over the site's Internet name. Now, a researcher has shown how EV certificates can be used to trick people into trusting scam sites, particularly when targets are using Apple's Safari browser.
Researcher Ian Carroll filed the necessary paperwork to incorporate a business called Stripe Inc. He then used the legal entity to apply for an EV certificate to authenticate the Web page https://stripe.ian.sh/. When viewed in the address bar, the page looks eerily similar to https://stripe.com/, the online payments service that also authenticates itself using an EV certificate issued to Stripe Inc.
authentication  browser  phishing  privacy  scam  security  web 
7 days ago by rgl7194
Twitter
It is getting hard to detect 😓 americanairlinescheckin[.]com

script…
cryptojacking  Phishing  from twitter_favs
8 days ago by AramZS
americanairlinescheckin.com - urlscan.io
It is getting hard to detect 😓 americanairlinescheckin[.]com

script…
cryptojacking  Phishing  from twitter_favs
8 days ago by AramZS
Phishing Dangers in Business and How to Avoid Getting Hooked | The Mac Security Blog
Gone are the days when malware simply rendered a computer useless or deleted files. Instead of creating malware to show off, hackers are now in it for the money. Because of this, most malware these days is designed to collect personal information, such as user names and passwords. Cyber-criminals leverage this information to hack accounts, such as email, Twitter and Facebook accounts, to spam your friends.
But the real jackpot is when hackers can trick you into giving up your banking information or credit card numbers. When that happens, they can drain your money, at least until you block the accounts.
The main way online thieves get these credentials is through "phishing," or sending out emails that look exactly like official emails from your bank, credit card company, PayPal, Amazon or other online companies or services.
Falling for these scams can be detrimental to individuals, but they are even more harmful to businesses. If one of your employees gets fooled by phishing and inadvertently gives up the credentials for your company's accounts, the results could be disastrous. Here's how to detect phishing emails and make sure that you don't get hooked.
security  privacy  phishing  email 
16 days ago by rgl7194
AgileBits Blog | 1Password keeps you safe by keeping you in the loop
This is a story with many beginnings and many threads coming together. The very short read of it is that 1Password’s browser extension has always been designed from the outset to keep you safe from some recently discovered browser based attacks on some password managers.
Researchers at Princeton University’s Web Transparency and Accountability Project were investigating tracking scripts on web pages, and discovered that several of them attack browser-based password managers and extract the email addresses, usernames and sites stored in the browser’s password manager. As I said, 1Password is designed in such a way as to not be vulnerable to the kinds of attacks those scripts used. The scripts that attempt this are from Adthink (audience insights) and OnAudience (behavioralengine).
Whether or not they make malicious use of the passwords they extract, they are certainly learning which sites you have records for in those password managers. I would like to add that we’ve designed 1Password so that we cannot know which sites and services you have logins for.
There is a huge amount to say about the contemptible behavior of these trackers, and I’m hopeful that others will say so clearly. Here, I want to talk more about what all of this illustrates about 1Password’s design and our approach to security.
1password  security  privacy  phishing  dark_patterns 
16 days ago by rgl7194
Twitter
RT : Find out how a compromised internet-connected speaker can be used by attackers for schemes:…
phishing  from twitter
23 days ago by gaelicWizard
Chinese hackers go after think tanks in wave of more surgical strikes | Ars Technica
"The think tank attacks in October and November had all the hallmarks of a Chinese operation. The attackers worked largely during Beijing business hours, used tried-and-true (and widely available) tools, and were highly focused in their attempts to extract data."
china  hacking  security  phishing  dopost 
27 days ago by niksilver
Phishers Are Upping Their Game. So Should You. — Krebs on Security
Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.
According to stats released this week by anti-phishing firm PhishLabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.
“A year ago, less than three percent of phish were hosted on websites using SSL certificates,” wrote Crane Hassold, the company’s threat intelligence manager. “Two years ago, this figure was less than one percent.”
security  phishing  privacy  krebs 
5 weeks ago by rgl7194
Nope, this isn’t the HTTPS-validated Stripe website you think it is | Ars Technica
How extended validation certificates can be used to scam, not help, end users.
security  phishing  browser 
5 weeks ago by geetarista
