jasode 5 days ago

> In hindsight, the fact that his browser did not auto-complete the login should have been a red flag.

> A huge red flag.

It won't be a red flag for people who often see auto-complete not working for legitimate websites. The usual cause is legitimate websites not working instead of actual phishing attempts. This unintended behavior of password managers changes the Bayesian probabilities in the mind such that username/password fields that remain unfilled become normal and expected. It inadvertently trains sophisticated people to lower their guard. I wrote more on how this happens to really smart technical people: https://news.ycombinator.com/item?id=45179643

> So are there mobile password managers that don't even check the URL? I dunno how that works...

Strongbox pw manager on iOS by default doesn't autofill. You have to go to settings to specifically enable that feature. If you don't, it's copy&paste.
cosmic_cheese 5 days ago

Even standard autofill (as in that built into Safari, Firefox, Chrome etc.) gets tripped up on 100% legit sites shockingly often. Usually the cause is the site being botched, with mislabeled fields or some unnecessarily convoluted form design that otherwise prevents autofill from doing its thing. Please, people, build your login forms correctly! It’s not rocket science.
diggan 5 days ago

> It won't be a red flag for people who often see auto-complete not working for legitimate websites. The usual cause is legitimate websites not working instead of actual phishing attempts.

Yeah, that's true, I hit this all the time with 1Password+Firefox+Linux (fun combo). Just copy-pasting the username+password because it doesn't show up is the wrong approach. It gives you a chance to pause and reflect, since it isn't working, so in that case you look up whether it's actually the right domain, and if it is, add it to the allowed domains so it works fine in the future.

Maybe best would be if password managers defaulted to not showing a "copy" thing at all for browser logins, and not letting users select the password, instead prompting them to rely on the autofill, and fix the domains if the autofill doesn't work.

Half the reason I use a password manager in the first place is specifically for this issue, the other half is because I'm lazy and don't like typing. It's really weird to hear people using password managers yet do the old copy-paste dance anyways.
jonhohle 5 days ago

The reason to use a password manager should be because passwords now need to be unique per login. Domain binding is a close second. Unfortunately, as bad as phishing is, service providers have leaked more plain text passwords than a phisherman could ever catch.
diggan 5 days ago

Well yeah, that too. But I was doing that manually before anyways, didn't really change when I started using a password manager, except the passwords of course got a lot stronger since there is no need to remember anything. But the domain binding just isn't possible without technical means, hence I see that as my own top reason, I suppose :)
chrisweekly 5 days ago

> "It's really weird to hear people using password managers yet do the old copy-paste dance anyways."

Thankfully there are many reasons to use a password manager. Auto-fill is just one.
nightski 5 days ago

This hasn't been my experience at all. I regularly check the bitwarden icon for example to make sure I am not on the wrong site (b/c my login count badge is there). In fact autofill has saved me before because it did not recognize the domain and did not fill.
IshKebab 5 days ago

Yeah nor mine. Chrome's password manager / autofill is very reliable and very few sites don't work with it or have multiple domains with the same auth. The only one I can think of is maybe Synopsys Solvnet, but you're probably not using that...
hiccuphippo 5 days ago

My guess is their password manager is a separate app and they use the clipboard (or maybe it's a keyboard app) to paste the password. No way for the password manager to check the url in that case.
stanac 5 days ago

You are probably right. Still, browser vendors or even extension devs can create a system where username hash and password hash are stored and checked on submit to warn for phishing. Not sure if I would trust such an extension, except in case it's an FF recommended and verified extension.
0cf8612b2e1e 5 days ago

I use a separate app like this because I do not fully trust browser security. The browser is such a tempting hacking target (hardened, for sure) that I want to know my vault lives in an offline-only area to reduce the chance of leaks.

Is there some middle ground where I can get the browser to automatically confirm I am on a previously trusted domain? My initial thought is that I could use Firefox Workspaces for trusted domains. Limited to the chosen set of URLs. Which I already do for some sites, but I guess I could expand it to everything with a login.
bobbylarrybobby 5 days ago

You could run two password managers, with a fake one that's a clone of the real one but with fake passwords. Only the fake one is connected to the browser. If the browser suggests a password from the fake pw manager, you go to the real one and copy it in. Not actually suggesting this as it sounds like quite a big headache, but it is an option.
0cf8612b2e1e 5 days ago

Honestly, that’s not a terrible idea. There are only a half dozen accounts which actually matter, so there is not even that much initial configuration burden. If I get phished for my HN account, oh well. Think my only blocker would be if the browser extension fights me if I try to register a site using a broken/missing password.

Does feel like a bit of a browser gap. “You have previously visited this site N times”. If that number is zero, extra caution warranted. Even just a bit of extra sophistication on bookmarks if the root domain has previously been registered.

Thinking out loud, I guess I could just lean on the browser Saved Passwords list. I’ve never been comfortable with the security, but I could just always try to get it to save a sentinel username, “YOUHAVEBEENHEREBEFORE”.
jve 5 days ago

> Normally they're full of spelling mistakes and unprofessional grammar. The domain was also plausible.

I don't get these arguments. Yeah, of course I was always surprised phishing emails give themselves away with mistakes, as maybe non-native speakers create them without any spellcheck or whatever and it was straightforward to improve that... but whatever the text, if I open a link from email the first thing I look at is the domain. Not how the site looks. The DOMAIN NAME! Am I on a trusted site? Well, a .help TLD would SURELY ring a bell and involve research as to whether this domain is associated with npm in any way.

At some point my bank redirected me to some weird domain name... meh, that was annoying, had to research whether that domain is really associated with them.. it was. But they just put their users at risk if they want the domain name not to mean trust and just feed whatever domains as acceptable. That is NOT acceptable.
jonhohle 5 days ago

Nearly every email link now goes through an analytics domain that looks like a jumble of random characters. In the best case they end up at the expected site, but a significant number go to B2B service provider of the week’s domain. There are more than a few instances when I’ve created an account for a service I know I’ve never interacted with before, but my password manager offered to log me in because another business I’ve used in the past used the same service (medical providers, schools, etc.).

Even as a technically competent person, I received a legitimate email from Google regarding old shadow accounts they were reconciling from YouTube and I spent several hours convinced it was a phishing scheme. It put me on edge for nearly a week that there was no way I could be sure critical accounts were safe, and worse yet, someone like my parents or in-laws could be safe.
bluGill 5 days ago

Unicode means that domain names can be different and look the same unless you really look closely. Even if you just stick to ASCII, l (letter) and 1 (number) look so close that I would expect many people to not see the difference if it isn't pointed out. (Remember you don't control the font in use; some are more different than others.)
400thecat 5 days ago

I think Firefox allows you to display the url without unicode
mdaniel 4 days ago

Given a test of https:// news.ycombınator.com [1] it seems that no, hovering over the URL shows it in its rendered form:

data:text/html,<meta charset="utf-8"><body><a href="https://news.ycomb%C4%B1nator.com/login">login to news.ycombinator.com</a></body>

and only by clicking it and getting an NXDOMAIN does one see the Punycode:

> We can’t connect to the server at news.xn--ycombnator-1ub.com.

[1]: Ironically HN actually mutated that link, I pasted the unicode version news.ycombınator.com (which it seems to leave intact so long as I don't qualify it with a protocol://)
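The dotless-i test above, together with bluGill's point about lookalike characters, can be turned into a small defender-side check. This is an added example, not code from the thread, from Firefox or from any browser; the sample hostnames are constructed (the dotless-i one reproduces mdaniel's test, the Cyrillic one is made up for contrast) and the function names are chosen here. It reports two different things on purpose: whether any label is non-ASCII at all (shown via its Punycode form) and whether a single label mixes scripts. The dotless-i domain is single-script Latin, so only comparing Punycode forms against the expected host catches it, and the l/1 confusion is a font problem that no Unicode check detects.

```python
"""Defender-side hostname inspection for the IDN/homoglyph problem discussed
above.  Added example, not from the thread or any browser; the sample hosts
are constructed (the dotless-i one reproduces the test in the thread)."""
import unicodedata


def to_ascii(host: str) -> str:
    """Return the IDNA/Punycode form of a hostname, i.e. what DNS actually
    resolves and what the browser showed only after the NXDOMAIN above.
    Python's idna codec leaves pure-ASCII labels untouched (case included)."""
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one DNS label.  unicodedata exposes no
    script property, so the first word of the character name (LATIN,
    CYRILLIC, GREEK, ...) stands in for it.  Digits are ignored, so the
    l-versus-1 problem is deliberately out of scope here."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_host(host: str) -> dict:
    """Flag the two things a lookalike check should report separately:
    whether any label is non-ASCII at all (it becomes xn--... in ASCII form),
    and whether a single label mixes scripts (Cyrillic 'a' inside a Latin
    word).  A same-script confusable such as dotless i only trips the first."""
    ascii_host = to_ascii(host)
    return {
        "input": host,
        "ascii": ascii_host,
        "is_idn": any(lbl.startswith("xn--") for lbl in ascii_host.split(".")),
        "mixed_script": any(len(label_scripts(lbl)) > 1 for lbl in host.split(".")),
    }


def same_host(shown: str, expected: str) -> bool:
    """Compare hostnames only after both are in ASCII form; this is the check
    that a password manager's domain binding effectively performs."""
    return to_ascii(shown).lower() == to_ascii(expected).lower()


if __name__ == "__main__":
    samples = [
        "news.ycombinator.com",
        "news.ycomb\u0131nator.com",   # constructed: U+0131 dotless i, as in the thread
        "p\u0430ypal.com",             # constructed: U+0430 Cyrillic small a
    ]
    for h in samples:
        print(inspect_host(h))
    print(same_host("news.ycomb\u0131nator.com", "news.ycombinator.com"))
```

The `ascii` field for the dotless-i sample comes out as `news.xn--ycombnator-1ub.com`, the same string Firefox only revealed in its error page; surfacing it next to the expected host is the information the hover tooltip in the test above withheld.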
400thecat 5 days ago

More alarming than the .help domain is the domain registration just a few weeks ago.

I got scammed just last week when paying with credit card online, and only later when investigating discovered several identical eshops with different .shop domains registered just months ago.

If a domain is less than a year old, it should raise red flags.
ecshafer 5 days ago

> Normally they're full of spelling mistakes and unprofessional grammar.

This is the case when you are doing mass phishing attacks trying to get the dumbest person you can. In these cases, they want the person that will jump through multiple loops one after another and keeps giving them money. For a more technical audience you wouldn't want to do so, if you want one smart person to make one mistake.
sunaookami 5 days ago

Nothing is plausible about this phishing mail - writing "update your password now" would be understandable but "update your 2FA now"? Never EVER seen this on any real site and it doesn't make sense (rotating passwords doesn't make sense either but not everyone got the memo).
yawaramin 4 days ago

I literally, just a couple of days ago, got an email from Microsoft Azure asking me to update my 2FA. And I had already set up a passkey, so 2FA shouldn't even have been needed!
Macha 4 days ago

I wonder how well this correlates with people for whom 2FA adoption was not a choice they made in the first place, but a thing that "NPM insists we do". For them, this email is not all that different from the emails that required them to set up 2FA in the first place.
sunaookami 4 days ago

I hope this is not true for those that made packages which are downloaded a million times per week.
worble 5 days ago

> Normally they're full of spelling mistakes and unprofessional grammar.

Frankly I can't believe we've trained an entire generation of people that this is the key identifier for scam emails. Because native English speakers never make a mistake, and all scammers are fundamentally unable to use proper grammar, right?
pixl97 5 days ago

I mean most of the time it's the companies themselves that teach people bad habits.

MyBank: "Don't click on emails from suspicious senders! Click here for more information" { somethingweirdmybank.com } -- Actual real email from my bank.

Like, wtf. Why are you using a totally different domain.

And the companies I've worked for do this kind of crap all the time.

"Important company information" { learnaboutmycompany.com } -- Like, is this a random domain someone registered. Nope, actually belongs to the place I work for when we have a well known and trusted domain.

Oh, and it's the best when the legit sites have their own spelling mistakes.
IshKebab 5 days ago

I don't see why you're surprised. It is a key identifier for scam emails. Or at least it was until recently. I don't think anyone was under the impression that scammers could never possibly learn good English.
quitit 5 days ago

For regular computer users I recommend using a password manager to prevent these types of phishing scams. As the password manager won't autofill on anything but the correct login website, the user is given a figurative red flag whenever the autofill doesn't happen.
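The autofill behaviour described here, and the hash-on-submit check stanac proposed earlier in the thread, both reduce to binding a credential to a domain and comparing normalized hostnames. The following is an added example and not code from 1Password, Bitwarden, Chrome or any other product. The vault item, the URLs, the `login.example.help` lookalike, the extra allowed host and the HMAC key are all constructed; `registrable` is a deliberate simplification (last two labels) standing in for a public-suffix-list lookup, and all function and class names are chosen here.

```python
"""Domain binding for autofill, plus the hash-on-submit idea from the thread.
Added example; not code from 1Password, Bitwarden or any browser.  The vault
item, URLs, allowed domains and HMAC key are all constructed."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def normalize_host(url: str) -> str:
    """Lower-case, Punycode-encoded hostname, so a homoglyph domain can never
    compare equal to the Latin-script original it imitates."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def registrable(host: str) -> str:
    """Constructed simplification: treat the last two labels as the registrable
    domain.  A real manager consults the public-suffix list (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


@dataclass
class LoginItem:
    username: str
    password: str
    origin: str                                # URL the item was saved on
    extra_hosts: set[str] = field(default_factory=set)  # user-approved additions

    def bound_domains(self) -> set[str]:
        hosts = {normalize_host(self.origin)}
        hosts |= {normalize_host("https://" + h) for h in self.extra_hosts}
        return {registrable(h) for h in hosts}


def autofill_decision(item: LoginItem, page_url: str) -> tuple[bool, str]:
    """Fill only on https pages whose registrable domain the item is bound to.
    A False here is the 'figurative red flag' the comment above describes;
    the reason string is what a UI would show instead of silently doing nothing."""
    if urlsplit(page_url).scheme != "https":
        return False, "page is not https"
    host = normalize_host(page_url)
    bound = item.bound_domains()
    if registrable(host) in bound:
        return True, f"{host} is bound to this item"
    return False, f"{host} is not bound to this item (bound: {sorted(bound)})"


class SubmitGuard:
    """Remember a keyed hash of each (username, password) pair and the domains
    it was submitted to; warn when the same pair is about to go somewhere new.
    HMAC with a device-local key avoids keeping a plain fast hash of the password."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen: dict[str, set[str]] = {}     # credential tag -> domains

    def _tag(self, username: str, password: str) -> str:
        msg = f"{username}\0{password}".encode()
        return hmac.new(self.key, msg, "sha256").hexdigest()

    def check_submit(self, page_url: str, username: str, password: str) -> str | None:
        """Return a warning string, or None when the submit looks consistent."""
        domain = registrable(normalize_host(page_url))
        prior = self.seen.get(self._tag(username, password), set())
        if prior and domain not in prior:
            return f"credentials only ever sent to {sorted(prior)}, now going to {domain}"
        return None

    def record(self, page_url: str, username: str, password: str) -> None:
        """Call after the user confirms the site is legitimate (or on first use),
        so a warned-about submit is never remembered as normal automatically."""
        domain = registrable(normalize_host(page_url))
        self.seen.setdefault(self._tag(username, password), set()).add(domain)


if __name__ == "__main__":
    item = LoginItem("alice", "correct-horse", "https://www.npmjs.com/login")  # constructed
    for url in ["https://www.npmjs.com/login", "https://docs.npmjs.com/",
                "http://www.npmjs.com/login", "https://login.example.help/"]:
        print(url, autofill_decision(item, url))
    guard = SubmitGuard(b"constructed-device-local-key")
    guard.record("https://www.npmjs.com/login", "alice", "correct-horse")
    print(guard.check_submit("https://login.example.help/", "alice", "correct-horse"))
```

The two checks fail in different places: `autofill_decision` refuses before anything is typed, which is the silent signal quitit relies on, while `SubmitGuard` only fires once the user has pasted a known credential into a form on an unbound domain, which is exactly the copy-paste path the earlier comments describe as bypassing domain binding.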
tom1337 5 days ago

At least 1Password on iOS checks the URLs, and if you use the extension to fill the password anyway you get a prompt informing you that you are filling onto a new URL which is not associated with the login item.