Just when you think you are done talking about information security for a while, the bad actors come along and prove you wrong. The latest is that black hats are targeting users of valuable sites with phishing ads and search engine results on Google and other search engines. The scam is that you search for your favorite website's login page, and the first hit is a paid ad for a look-alike phishing site that captures your login information before forwarding you on to the legitimate site, so you never notice anything went wrong.

In this case, it is users of the password managers Bitwarden and 1Password that are the targets, but I have seen reports of similar attacks against other password managers, banking sites, and others. Recent research has shown that threat actors are using Google ads to fuel their malware delivery campaigns: for initial access to corporate networks, to steal credentials, and for phishing attacks.

What’s interesting to me is that Google, YouTube, and other sites are busy clamping down on reports of the 2020 election, COVID vaccines, and everything else under the sun, but are actively allowing ads on their sites that are actual theft.

The best defense against this is MFA built on FIDO2 (WebAuthn), or its predecessor U2F, with a hardware security key. The article linked above says that hardware keys are cumbersome, but I have thus far found them easy to use, and certainly no more difficult than the authenticator apps that are out there. The article also gets something else wrong: it says that all MFA is subject to "man in the middle" attacks. That is true of SMS codes and of code-generating authenticator apps (TOTP), because a phishing page can simply relay the six-digit code you type to the real site within the same 30-second window. It is not true of FIDO2/U2F keys such as the YubiKey, and the reason is not public-key encryption as such (the key proves you to the site; it does not prove the site to you) but origin binding: the key pair is created for the legitimate site's domain, and the browser, not the web page, writes the origin it is actually talking to into the data the key signs. A signature produced on a look-alike domain is therefore never valid at the real site, and the key will not even use the real site's credential from another domain. Any other key that implements the same standard behaves the same way; I just have no experience with them.

You will note that Microsoft warned of this back in July and recommended FIDO2 (FIDO is "Fast IDentity Online") for MFA. That rules out SMS and most code-generating authenticator apps. Note that the YubiKey 5 series supports FIDO2 as well as the older U2F. One caveat: the phishing resistance only holds if the weaker fallback methods are removed from the account, because an attacker who cannot relay the key will simply ask you for the SMS or app code instead.

Be very, very wary of the websites that you are using. The crooks are getting more and more inventive every day.


10 Comments

It's just Boris · January 30, 2023 at 9:01 am

1Password stores the website address for the login as well as the username, password, etc. If you go to a fake site, the browser plugin will generally not find an immediate match to the address you're requesting password entries for; this is a good clue that something is not right.

Caveat – I use an older version that does not use AgileBits’s bespoke cloud storage for my password files. Hopefully the newer versions have the same behavior.

    Divemedic · January 30, 2023 at 3:04 pm

    Yeah. Some people don’t do that.

Will Nelson · January 30, 2023 at 9:33 am

You have been happy with Yubikey? Easy to use? Any setbacks?

    Divemedic · January 30, 2023 at 3:05 pm

    The only real setback is that not many websites use it. For example, almost no banks do.

Steve S6 · January 30, 2023 at 11:42 am

Bookmark your login sites and use the bookmarks, don’t Google for it.

Basic Grumpy Unit · January 30, 2023 at 12:17 pm

Why not just keep a book with l-o-o-o-o-o-o-n-g random passwords written down, and only log into anything actually sensitive on your home network system? That limits the attack surface greatly.

Basically, unless your machine is already pwned, the average attacker has to know that’s how the passwords were stored, find the book, decode the passwords etc, etc, etc. Limits the likely bad actors to family (if you’re dumb enough to let them know that’s how you store your passwords) or particularly switched on burglars.

Long, random passwords for anything sensitive are readily generated by Steve Gibson’s “Perfect Passwords” page (https://www.grc.com/passwords.htm).

I’m not a haxx0r, but those password vault programs must be some of the most tempting targets ever made, and in this age of AI and nation-state type actors seemingly everywhere, I’d treat such software as having built-in secret backdoors.

I suspect the easiest target surface is the “I forgot my password” password reset. At least most sites try to warn you that someone is trying to or has just changed your passwords these days.

If bad actors want to get in, they’ll get in every single time. (Give me your password Mr Bond or you’ll be singing soprano, etc, etc). But employees from super-secret bad actors might want to make a little cash on the side & sell super-secret software back doors to the black market and “boom” your super-secure password manager is toast – despite what Bruce Schneier says.

Password management software is for people who are really too dumb to use computers. FFS – the number of people who use the same password in multiple places, or readily hand out their date of birth, etc, etc, etc shocks me.

Don’t get me started on biometrics for iPhones etc. At least you can change your password when you suspect you might have been compromised. Bloody computers.

    Divemedic · January 30, 2023 at 3:03 pm

    A book is secure. It also isn't portable and can't be used anywhere BUT home. It still has its vulnerabilities. Key logging software, for example.
    I use a password wallet because it’s relatively secure, allows me to have my hundreds of long, random passwords, and in combination with MFA, is difficult to break.

KurtP · January 30, 2023 at 9:15 pm

I don't use search engines to find sites generally, and when I do, I automatically bypass all the results that are ads (let someone else make them money from clicks).
I only go on sensitive sites from my home desktop that has them bookmarked.

If I get an email from one of my sensitive sites, I never click on an email link, no matter how official it looks.

Rob · January 31, 2023 at 11:21 am

Thanks for all of this continuing information. It’s very valuable, and we appreciate it.

I’ve been using adblockers since forever. Ads have been linked to malware for a long time now. I don’t want to deprive anyone of revenue they deserve. But if their sites are using third-party ads infected with malware, then they care not about me, and I care not about their ad revenue.

My current setup is Firefox (having set all its parameters for privacy) with uBlock Origin, Privacy Badger, Canvas Blocker and Cookie AutoDelete.

Roadsnake Roundabout · January 31, 2023 at 4:04 pm

Elders are easy targets with remote desktop turned on and passwords saved in the browser.
Caught a caller scamming with a clot shot victim elder saying you want me to ride with Juan over to the ATM.
A good time to take the phone and rack a slide.
