Getting people to hand over their credentials has never been easier. As a new phishing toolkit shows, Chrome single sign-on (SSO) pop-ups are incredibly easy to spoof, and a login box’s URL may not indicate whether a website is truly legitimate.
You know how you can log into some websites with your Google, Apple, Facebook or Amazon account? That is an SSO login – a valuable time saver, because it reduces the number of usernames and passwords you have to remember.
Here’s the problem: hackers can perfectly replicate these SSO windows in Chrome, right down to the URL shown in the address bar. A new phishing kit from mr.d0x, a security researcher, comes with a ready-made template that novice hackers or white hats can use to quickly create a convincing SSO pop-up. (Other templates may already be floating around in hacker circles.)

Hackers using these fake SSO windows will embed them into all types of websites. For example, a hacker can email you about your Dropbox account and ask you to visit a specific link. This link could lead to a fake Dropbox website with SSO login options for Google, Apple, and Facebook. Everything you type into these fake SSO boxes, such as your Google login, is collected by the hacker.
Of course, pirate video sites (and other sites offering “free” content) may be the most common venue for these fake SSO windows. For example, a hacker can create a pirate video website that requires an SSO login, effectively forcing users to hand over their Google or Facebook credentials.
To be clear, mr.d0x did not invent the SSO or browser-in-the-browser (BitB) phishing technique. Hackers started faking SSO login windows a few years ago. This phishing kit simply shows how such attacks work. Additionally, organizations can use this kit to test their employees’ ability to detect phishing schemes.
It can be difficult to avoid a phishing attack. I suggest you start by installing a password manager, which often detects phishing attempts and helps you use unique credentials for each website (reducing the damage from a successful phishing attack). A password manager fills credentials based on the real origin of the page, not on the URL painted in a fake pop-up, so a refusal to autofill on a login box that looks legitimate is itself a warning sign. You should also avoid opening links in emails or text messages, even if they look legitimate.
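As an added illustration (not code from the article or from the mr.d0x kit) of why the spoofed URL described above does not fool a password manager: a browser-in-the-browser pop-up is plain HTML inside the attacker's page, so the document origin the password manager sees is the attacker's, whatever text the fake address bar displays. The vault entries, origins and prompt objects below are constructed for the example, and the prompt model is a simplification.

```javascript
// Constructed vault: credentials are stored per real origin, never per
// on-screen text.
const vault = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://www.facebook.com", username: "alice.fb" },
];

// Simplified model of a login prompt as the browser actually sees it.
// `documentOrigin` is the origin of the document containing the form (what a
// password manager can trust); `displayedUrl` is only text painted on screen.
function autofillCandidates(prompt) {
  const seen = new URL(prompt.documentOrigin);
  return vault
    .filter((entry) => {
      const saved = new URL(entry.origin);
      // Match on scheme and host of the real document, ignoring displayedUrl.
      return saved.protocol === seen.protocol && saved.host === seen.host;
    })
    .map((entry) => entry.username);
}

// Genuine Google pop-up: a separate window whose document really comes from
// accounts.google.com.
const genuinePrompt = {
  documentOrigin: "https://accounts.google.com",
  displayedUrl: "https://accounts.google.com/o/oauth2/auth",
};

// Browser-in-the-browser fake: the "pop-up" is an element inside the
// attacker's page (constructed domain), so its document origin is the
// attacker's no matter what the fake address bar shows.
const spoofedPrompt = {
  documentOrigin: "https://pirate-videos.example",
  displayedUrl: "https://accounts.google.com/o/oauth2/auth",
};

console.log(autofillCandidates(genuinePrompt)); // ["alice@example.com"]
console.log(autofillCandidates(spoofedPrompt)); // []
```

The empty result for the spoofed prompt is the "no autofill" behaviour a user should treat as a red flag.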
Source: mr.d0x via BleepingComputer