andrewmcwatters 4 days ago

@junon, if it makes you feel any better, I once had a Chinese hacking group target my router and hijack my DNS configuration specifically to make "amazon.com" point to a 1:1 replica of the site just to steal my Amazon credentials.

There was no way to quickly visualize that the site was fake, because it was in fact, "actually" amazon.com.

Phishing sucks. Sorry to read about this.

Edit: To other readers, yes, the exploit failed to use an additional TLS attack, which was how I noticed something was wrong. Otherwise, the site was identical. This was many years ago before browsers were as vocal as they are now about unsecured connections.

littlecranky67 4 days ago | parent | next [-]

How did they get a valid SSL cert though?

dns_snek 4 days ago | parent | next [-]

Before HSTS you didn't need a valid certificate. When you typed "amazon.com" in the address bar your browser would first connect to the server unencrypted on port 80 which would then redirect you to the HTTPS address.

If someone hijacked your DNS, they could direct your browser to connect to their web server instead which served a phishing site on port 80 and never redirected you, thus never ran into the certificate issue. That's part of the reason why browsers started warning users when they're connecting to a website without HTTPS.
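
To make the flow in the comment above concrete, here is an added example (not code from anyone in this thread) that models a browser typing "amazon.com" against a resolver that is either honest or hijacked. The hosts, IP addresses (documentation ranges), certificate details and page contents are all constructed; the point is which of the two paths ever opens a TLS connection, and what HSTS (preloaded, or learned from an earlier honest visit) changes:

```python
"""Toy model of typed-hostname navigation, pre- and post-HSTS.

Added example, not code from the thread.  Every host, address and
certificate detail below is constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Server:
    page: str                      # what the web server hands back
    http_redirects_to_https: bool  # does port 80 answer with a redirect to https?
    sends_hsts_header: bool        # does the HTTPS site set Strict-Transport-Security?
    cert_subject: Optional[str]    # None: nothing listening on 443
    cert_trusted: bool             # chains to a CA the browser trusts?


REAL_IP = "203.0.113.10"       # constructed, TEST-NET-3
ATTACKER_IP = "198.51.100.7"   # constructed, TEST-NET-2

SERVERS = {
    REAL_IP: Server("real login page", True, True, "amazon.com", True),
    # The phisher's box: serves the clone on port 80 and never redirects,
    # and only has a self-signed cert on 443 that nobody is ever sent to.
    ATTACKER_IP: Server("cloned login page", False, False, "amazon.com", False),
}

HONEST_DNS = {"amazon.com": REAL_IP}
HIJACKED_DNS = {"amazon.com": ATTACKER_IP}   # router's resolver rewritten


@dataclass
class Browser:
    dns: dict
    hsts_hosts: set = field(default_factory=set)   # preload list + learned entries

    def navigate(self, typed_host: str) -> str:
        srv = SERVERS[self.dns[typed_host]]
        if typed_host in self.hsts_hosts:
            # HSTS: port 80 is never contacted, and cert errors cannot be clicked through.
            return self._https(srv, typed_host, hard_fail=True)
        # Pre-HSTS behaviour: plain HTTP first, then follow whatever the server says.
        if srv.http_redirects_to_https:
            return self._https(srv, typed_host, hard_fail=False)
        return f"http://{typed_host} -> {srv.page} (TLS never attempted, no warning)"

    def _https(self, srv: Server, host: str, hard_fail: bool) -> str:
        if srv.cert_subject is None:
            return f"https://{host} -> connection refused"
        if not srv.cert_trusted or srv.cert_subject != host:
            kind = "hard failure, no click-through" if hard_fail else "interstitial warning"
            return f"https://{host} -> certificate error ({kind})"
        if srv.sends_hsts_header:
            self.hsts_hosts.add(host)   # remember: future visits go straight to HTTPS
        return f"https://{host} -> {srv.page}"


def demo() -> dict:
    """Run the four scenarios and return their outcomes keyed by name."""
    results = {}
    results["honest"] = Browser(HONEST_DNS).navigate("amazon.com")
    results["hijacked_pre_hsts"] = Browser(HIJACKED_DNS).navigate("amazon.com")
    results["hijacked_preloaded"] = Browser(HIJACKED_DNS, {"amazon.com"}).navigate("amazon.com")
    # One honest visit before the hijack is enough to learn the HSTS entry.
    b = Browser(HONEST_DNS)
    b.navigate("amazon.com")
    b.dns = HIJACKED_DNS
    results["hijacked_after_learning"] = b.navigate("amazon.com")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:25s} {outcome}")
```

The second scenario is the one described in the thread: the hijacked resolver sends the browser to a host that answers on port 80 and never redirects, so no certificate is ever presented and nothing can fail. The last two show why a preload entry or a remembered Strict-Transport-Security header closes that path: the browser skips port 80 entirely and the attacker's untrusted certificate is a hard failure.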

klysm 4 days ago | parent | prev [-]

Could've been a while ago when SSL cert failures weren't as loud in the browser

bix6 4 days ago | parent | prev | next [-]

Any write up? I would like to learn more to avoid.

dns_snek 3 days ago | parent [-]

The exact attack they described is less of an issue these days due to HSTS and preloading, but:

- make sure you're connected to the expected official domain (though many companies are desensitizing us to this threat by using distinct domains instead of subdomains for official business)

- make sure you're connected over HTTPS (this was most likely their issue)

- use a password manager which remembers official domains for you and won't offer to auto-fill on phishing sites

- use a 2FA method that's immune to phishing, like passkeys or security keys (if you do this, you get a lot of leniency to mistakes everywhere else)
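
The third and fourth items above, and dboreham's question about Unicode lookalikes further down, rest on the same mechanism: a credential is bound to an origin, and is only offered where the origin matches exactly. Here is an added example (not code from anyone in this thread) of that check as a password manager or a WebAuthn relying-party check would apply it. The saved entry and the candidate URLs are constructed; the strict exact-origin policy is this model's choice, and real password managers commonly relax it to the registrable domain so that www.amazon.com and amazon.com share an entry:

```python
"""Origin-bound credential matching.

Added example, not code from the thread.  Vault contents and URLs are
constructed.  Policy here is exact origin (scheme, host, port); a real
password manager may instead match on registrable domain.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for url, or None if there is no usable host.

    The host is lower-cased and IDNA-encoded, so a Unicode lookalike such as a
    Cyrillic 'а' in 'amаzon.com' becomes its xn-- form and never compares equal
    to the ASCII 'amazon.com'.  urlsplit() separates user-info from the host,
    so 'https://amazon.com@evil.example/' yields the host evil.example.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if not host or parts.scheme not in DEFAULT_PORTS:
        return None
    host = host.rstrip(".").encode("idna").decode("ascii").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, host, port)


def should_autofill(saved_for: str, current_url: str) -> bool:
    """Offer the credential only when the current page's origin is the saved one."""
    saved = canonical_origin(saved_for)
    current = canonical_origin(current_url)
    return saved is not None and saved == current


# Constructed vault entry: the credential was saved on the real HTTPS site.
SAVED_FOR = "https://amazon.com/ap/signin"

# Constructed candidate pages; only the first two share the saved origin.
CANDIDATES = {
    "same origin, other path":   "https://amazon.com/gp/css/homepage.html",
    "explicit default port":     "https://amazon.com:443/ap/signin",
    "dns hijack, plain http":    "http://amazon.com/ap/signin",
    "cyrillic a lookalike":      "https://amаzon.com/ap/signin",
    "subdomain of attacker":     "https://amazon.com.evil.example/ap/signin",
    "userinfo trick":            "https://amazon.com@evil.example/ap/signin",
    "official-looking other domain": "https://amazon-account-help.example/",
}


def evaluate() -> dict:
    """Map each constructed candidate to whether the vault would offer the credential."""
    return {name: should_autofill(SAVED_FOR, url) for name, url in CANDIDATES.items()}


if __name__ == "__main__":
    for name, offered in evaluate().items():
        print(f"{'offer' if offered else 'refuse':7s} {name}")
```

The "dns hijack, plain http" case is the scenario from the top of the thread: the clone on port 80 presents the right host name but the wrong scheme, so an origin-bound vault stays silent, which is the cue the user was missing. The last case is what the first bullet warns about; a vault cannot distinguish a company's legitimate second domain from a phisher's, so the habit of using distinct domains weakens exactly this protection.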

dboreham 4 days ago | parent | prev | next [-]

How did that get past TLS checks? They used Unicode characters that visually looked like amazon.com ?

nixosbestos 4 days ago | parent | prev | next [-]

That's not... how that works, unless you clicked through a very loud, obvious TLS warning.

jowea 4 days ago | parent [-]

Yeah that sounds weird. Certificate pinning and HSTS should protect from that, right?

thehamkercat 4 days ago | parent | prev [-]

What about SSL?