phishing-awareness

Phishing Awareness Tool

The fact that you are reading this page means that you could have potentially fallen victim to a phishing attack! Thankfully this is NOT a malicious site, and is simply designed to be an awareness tool to alert people to the potential dangers of phishing and fake login pages. If you did visit the previous page, you may have entered your email address associated with your Google account. If this were a phishing site and you were not aware of this, you may have carried on and entered your password. Please note that NONE of your details have been captured or recorded. The email box is simply an input box and details entered into the box are not transmitted anywhere. Additionally, details of the login page have been subtly altered to help differentiate it from the authentic Google login page.


Methods to help combat phishing attempts

Thankfully there are a few things which you can do to help prevent phishing attempts:

Be vigilant

Do NOT click on any links which you are unsure about.

Pay attention

Where possible, pay close attention to the URL when entering sensitive information such as login credentials. I’ve made the URL for this site obvious as a non-authentic Google login page; however, criminals will make several attempts to get their URL to appear as close to the real thing as possible. The authentic Google login page is on https://accounts.google.com/signin/v2/identifier; some examples of similar domain names which attackers might attempt in phishing:

Also pay close attention to the details on the page. There may be content missing (such as a password reset link) or spelling errors on the page.

Password managers

Use a password manager. These tools can help combat phishing attempts since they tie login credentials to a specific host and domain. They will not suggest or complete your login credentials for a phishing site (you may have noticed this on the previous page), giving away that the page is likely a fake login page. You can see this in a video which I created about password managers: https://youtube.com/playlist?list=PLIqq2rDQ30OrNROVbsmxsRSCEC96wrLtq
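The host-and-domain binding described above can be sketched as follows. This is an added example, not code from this site or from any particular password manager; the function names are hypothetical and the sample URLs are constructed using reserved `.example` names. It assumes a strict exact-origin match, which is simpler than the matching rules real products use.

```javascript
// Origin (scheme + host + port) that the saved credential is bound to,
// derived from the authentic login URL given on this page.
const SAVED_ORIGIN = new URL('https://accounts.google.com/signin/v2/identifier').origin;

// Naive check, shown for contrast: "does the URL mention the real host?"
// This is roughly what a hurried human reader does.
function naiveLooksLikeGoogle(pageUrl) {
  return pageUrl.includes('accounts.google.com');
}

// Password-manager-style check: parse the URL, then require an exact origin match.
function shouldOfferAutofill(pageUrl, savedOrigin = SAVED_ORIGIN) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // unparseable URL: never fill
  }
  if (url.protocol !== 'https:') return false; // never fill over plain HTTP
  return url.origin === savedOrigin;
}

// Constructed sample URLs (reserved .example names, not real sites).
const SAMPLES = [
  'https://accounts.google.com/signin/v2/identifier',               // authentic
  'https://accounts.google.com.login.example/signin/v2/identifier', // real host as a subdomain prefix
  'https://accounts.google.com@login.example/signin',               // real host in the userinfo part
  'https://login.example/accounts.google.com/signin',               // real host in the path
  'http://accounts.google.com/signin/v2/identifier',                // right host, no TLS
];

// Run both checks over every sample so the difference is visible side by side.
function compareChecks(urls = SAMPLES) {
  return urls.map((u) => ({
    url: u,
    naive: naiveLooksLikeGoogle(u),
    originBound: shouldOfferAutofill(u),
  }));
}

console.table(compareChecks());
```

The naive check accepts all five URLs, while the origin-bound check only offers to fill on the first, which is why a missing autofill prompt is a useful warning sign.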

Use multifactor authentication

Having multiple forms of authentication means that even if an attacker is able to obtain your login credentials via a phishing site, they still need to compromise additional steps in order to gain access to your account. However, be aware that as attackers become more and more advanced, they are starting to phish even this aspect. This is where hardware tokens can help, since they cryptographically tie a site to the key, meaning that the key will not work on a phishing site.

Example

Below is an example showing a comparison between the original/authentic Google login page, and a spoofed/phishing login page (potentially the page which you used to get to this page). The red boxes in the screenshot to the right highlight where the differences are in the phishing login page:

Comparison between an original login page and a phishing login page


About me

Who am I?

I’m an application security researcher/professional who enjoys tinkering around with applications and systems. I also have a love for TLS related topics (including certificates). You can find out all about me and the blogs which I have written on my personal blog: https://blog.sean-wright.com/

Why this?

I’ve decided to do this to help raise awareness around the problem of phishing, with the hope of helping others and preventing them having their credentials compromised via a phishing attack.