Phishing Attacks via Google translate(blogs.akamai.com)
blogs.akamai.com
Phishing Attacks via Google translate
https://blogs.akamai.com/sitr/2019/02/phishing-attacks-against-facebook-google-via-google-translate.html
16 comments
> One interesting side note relates to the person driving these attacks, or at the least the author of the Facebook landing page - they linked it to their actual Facebook account, which is where the victim will land should they fall for the scam.
Is this based on any evidence or just an assumption? It seems to me that the 'actual Facebook account' could just as readily be either a random or intentional framing of someone else by the one(s) doing the phishing attack or the page designer, in which case it would appear that it worked perfectly in that it apparently convinced Akamai.
Is this based on any evidence or just an assumption? It seems to me that the 'actual Facebook account' could just as readily be either a random or intentional framing of someone else by the one(s) doing the phishing attack or the page designer, in which case it would appear that it worked perfectly in that it apparently convinced Akamai.
I wonder what motivated the article's author to redact the scammer's email address.
> I wonder what motivated the article's author to redact the scammer's email address.
This is good practice to prevent the possibility of revictimization in case the actual motive of the phishing attack was not phishing but to cause reputational damage to the owner of said email.
Consider: if someone wanted to target you and cause you potential legal and employment difficulties, they could launch a phishing attack using amateur code such as this, and have your work email appear as the "scammer's email", and then sit back and wait for the attack to be discovered and reported.
And even if not a reputation attack, the scammer could also simply be using a compromised email account, so once again redaction helps preempt the possibility of revictimization.
This is good practice to prevent the possibility of revictimization in case the actual motive of the phishing attack was not phishing but to cause reputational damage to the owner of said email.
Consider: if someone wanted to target you and cause you potential legal and employment difficulties, they could launch a phishing attack using amateur code such as this, and have your work email appear as the "scammer's email", and then sit back and wait for the attack to be discovered and reported.
And even if not a reputation attack, the scammer could also simply be using a compromised email account, so once again redaction helps preempt the possibility of revictimization.
Just a guess: the author could not be sure that the email address legitimately belongs to the scammer. It could be a hacked account.
The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the from address match what you're expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts. This is why I never open links directly from an email.
You could explain this over and over to my 65 year old parents, they still would fall for it. They're far from dumb, it's just that it's a lot of information of to handle.
One solution is to set up a free lastpass account, change all the passwords to something random and only use autofill. They have to go out of their way to enter the password into another domain
Sucks if they want to log in using a new or borrowed device
Sucks if they want to log in using a new or borrowed device
I've got my mom using an iPad which also reduces the attack surface, not to mention it's pretty hard for her to screw up the device on her own. I haven't had to help with anything computer related in about 4 years.
What you explain is still defense.
The best defense is to manually enter the url of the domain you need to log on to and log on from there. Never follow links, that what will get you in trouble.
The passwords are broken. Anyone can fall for it regardless of how experienced he/she is. It's just a matter of time/opportunity. We need u2f
> We need u2f
U2F is not immune to phishing attacks, at least not if backup codes are being used: https://youtu.be/rPTI9e-9tBE?t=936
U2F is not immune to phishing attacks, at least not if backup codes are being used: https://youtu.be/rPTI9e-9tBE?t=936
Then let's not use backup codes. If you loose your auth device then you should recover it using an office of authentication (i.e https://travel.state.gov/content/travel/en/legal/travel-lega...)
The public, “ain’t nobody got time for dat!”
They will always continue to fall victim to these scams.
They will always continue to fall victim to these scams.
This is actually the current design of the https://mbasic.facebook.com login page, the version of the Facebook mobile site for lower-bandwidth connections and less-capable devices.