phishing   2504


deceptiveidn
Use computer vision to determine if an IDN can be interpreted as something it's not
phishing  python 
2 days ago by aiefel
How Office 365 validates the From: address to prevent phishing
They will stop accepting messages without the From: starting on Nov. 9th.
email  office365  spam  phishing  work 
4 days ago by ahall
Daring Fireball: iOS Is Ripe for Phishing Password Prompts
Felix Krause...
I’ve been thinking about this for years, and have been somewhat surprised this hasn’t become a problem. It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers? The best idea I’ve seen is for these system-level prompts to only appear in the Settings app. When the system needs your iCloud or iTunes password while you’re in any other app, that prompt would take you to Settings, where you’d then be prompted for the password. That’s not great, though, because it makes entering your password far more cumbersome. And how would you get back to the original app after entering your password?
Krause suggests one way to protect yourself if you suspect a password prompt might be a phishing attempt: press the home button. If it’s a phishing scam, the dialog box will disappear when you go back to the home screen, because it’s part of the app you’re using. If it’s a real system-level prompt, the alert will still be there.
security  privacy  ios  apps  phishing  appleID  passwords  ui/ue  daring_fireball 
5 days ago by rgl7194
iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking — Felix Krause
Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so 👌
Disclaimer
This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.
security  privacy  ios  apps  phishing  appleID  passwords  ui/ue 
5 days ago by rgl7194
Can apps steal your passwords? What you need to know! | iMore
Phishing attacks can theoretically come from apps as well as messages and websites. It's been the subject of industry discussion for a long, long time. Now, it's in the spotlight again.
"How would you say would be the easiest way to take a weapon away from a Grammaton Cleric?"
"You ask him for it."
That quote, from the movie Equilibrium, echoes a longstanding issue with security. Namely, no system that includes humans is ever truly secure. We use the same passwords for multiple services. We write them down on our desks at home and at work. We tell our passwords to people who claim to be tech support on the phone or over email.
security  privacy  ios  apps  phishing  appleID  passwords  ui/ue 
5 days ago by rgl7194
Watch Out! Difficult-to-Detect Phishing Attack Can Steal Your Apple ID Password
Can you detect which one of the above screens—asking an iPhone user for iCloud password—is original and which is fake?
Well, you would agree that both screenshots are almost identical, but the pop-up shown in the second image is fake—a perfect phishing attack that can be used to trick even the most careful users on the Internet.
Felix Krause, an iOS developer and founder of Fastlane.Tools, demonstrated an almost impossible to detect phishing attack that explains how a malicious iOS app can steal your Apple ID password to get access to your iCloud account and data.
security  privacy  ios  apps  phishing  appleID  passwords  ui/ue 
5 days ago by rgl7194
Beware of sketchy iOS popups that want your Apple ID | Ars Technica
Benign iOS prompts are indistinguishable from those generated by malicious apps.
One of iOS' rougher edges is the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID before they can install or update an app or complete some other mundane task. The prompts have grown so common most people don't think twice about them.
Mobile app developer Felix Krause makes a compelling case that these popups represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons, pictured above, of an official popup produced by iOS and a proof-of-concept phishing popup. The lookalike popups require less than 30 lines of code and could be sneaked into an otherwise legitimate app that has already found its way into Apple's App Store.
security  privacy  ios  apps  phishing  appleID  passwords  ui/ue 
5 days ago by rgl7194
emails4corporations - corporate email address formats
Won't help with Konami, those guys get random addresses that are reassigned every 6 months...
phishing  hacking  pentesting  security  OSINT  recon  email  address  format  pattern 
6 days ago by asteroza
iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking • Felix Krause
How can you protect yourself

• Hit the home button, and see if the app quits:
  - If it closes the app, and with it the dialog, then this was a phishing attack
  - If the dialog and the app are still visible, then it's a system dialog. The reason for that is that the system dialogs run in a different process, and not as part of any iOS app.
• Don't enter your credentials into a popup; instead, dismiss it, and open the Settings app manually. This is the same concept as never clicking on links in emails, but instead opening the website manually.
• If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

Initially I thought faking those alerts requires the app developer to know your email. Turns out some of those auth popups don't include the email address, making it even easier for phishing apps to ask for the password.

Proposal

Modern web browsers already do an excellent job protecting users from phishing attacks. Phishing within mobile apps is a rather new concept, and therefore still pretty unexplored.

• When asking for the Apple ID from the user, instead of asking for the password directly, ask them to open the Settings app
• Fix the root of the problem: users shouldn't constantly be asked for their credentials. It doesn't affect all users, but I myself had this issue for many months, until it randomly disappeared.
• Dialogs from apps could contain the app icon on the top right of the dialog, to indicate an app is asking you, and not the system. This approach is used by push notifications; also, this way, an app can't just send push notifications as the iTunes app.


This is still bad, and Apple's security people should have stamped it out ages ago. I suspect they couldn't and so their pivot has been to try to persuade people to enable two-factor authentication on accounts.

But as Krause points out, even if you've got 2FA, that won't protect any accounts where you've used the same username/password combination.
apple  security  phishing  ios 
6 days ago by charlesarthur
iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking — Felix Krause
Super easy to phish iOS users to type their password in a "Sign In" dialog that looks identical to the system one
Apple  iOS  phishing 
6 days ago by dandv
