2 factor authentication is key here. The YubiKey is a gold standard for business - no one should do serious business without it!<p>For everyone else, I think the new 2fa Google App approach is better. When you go to login, your Google App pushes a notification to your phone and you have to click on it. This raises the bar to doing a simultaneous login, which isn't impossible, but even if it weeds out a large number of attacks for now, it's worth it!
Google provides a Chrome extension that alerts you (and an administrator) if you accidentally enter your Google password on a site that isn't accounts.google.com: <a href="https://github.com/google/password-alert" rel="nofollow">https://github.com/google/password-alert</a>
This article seems great at describing how phishing actually works in practice, especially to people without much exposure to technology. I've gone through at least a couple of training emails from IT departments about phishing, and this was way more effective. A realistic case-study with a really clear description is valuable!<p>This article could definitely augment the anti-phishing education at your organization—the only downside is that it's a bit long, so busy people probably won't want to read it :/.
The beginning of the story is missing. PZ clicked on the link in the email because it was <i>"received [...] from a familiar mailing list"</i>.<p>Did PZ trust a mailing list where anyone could post? Or did the attackers spoof the "from" field? The former may have been prevented by employee training, the latter by SPF or similar technologies.
Many people won't check the url when signing in if everything looks to be on the up and up. This is why I really liked one of the things Yahoo did which was create a sign-in seal. Every time you signed in Yahoo would display a custom image that you set and if that image wasn't there then something was probably wrong.
We also got hit by this a few months back. It also got sent to all of your company's contacts. We had to mail all of them back and lost face.<p>One hour in or so Google made it so that the emails (even those already received and opened) were blocked. It helped to mitigate the issue. Most of the outside contacts that would have received the mail received it in their spam.<p>We learned from it and have better security now.
It seems to me that browsers could be smarter about this kind of thing. Like, "Hey, you just put your Gmail credentials into a non-Gmail login form, did you really mean to do that?"<p>Obviously in the HN-type crowd, you know to always carefully check the URL of links and form submissions. But I just don't know how realistic it is for that to be expected of an average user.
Google needs to add some optional intelligence to Chrome so that when it comes across a site with a suspiciously similar design to key Google URLs on an unrecognized URL, it should warn the user.
I recently saw a link, that I unfortunately can't find, where someone senior affiliated with Defcon or black hat nearly got phished. He was rushing packing in the midst of a flurry of amazon shipments to travel to some conference and got a very well timed phishing email asking him to confirm some sort of shipment details for amazon. He fortunately noticed it was the wrong product, but I seem to remember had started typing his info already.<p>If someone like that can get nearly fooled, there's little hope for the rest of us or our families.<p>It's time to give up preventing phishing and start working on amelioration.<p>ps -- if anybody knows the story I'm talking about, I'd love the link.
At my company we get these things 2-3 times a year.
Surprisingly many people understand that there is something fishy. But "surprisingly many" is not enough.<p>2FA is not enough here; a user who does not have the required knowledge to see what is phishing and what is not will most likely enter the 2FA key, giving the bad guys the auth tokens anyway.
> What makes an attack like this so effective is that you never expect to see something as convincing as this<p>I've been working on phishing and counter-phishing recently, and if someone is actually putting any effort in, you have to expect something like this. Very legitimate looking email, the correct signature (complete with up to date font/logo), and a virtually perfect copy of the login page to whatever service they're using. All of this, even just to target a single person, is under 8 hours of work, which is to say, it's a simple task for someone who really wants to phish you.<p>The article mentions having an IDS and disaster recovery plans, and this is the best you can hope for as pretty much everyone is susceptible to this, and AI still can be beaten.<p>Source: I've done this, beaten Gmail's anti-scam filters, and phished CTOs.
I fell for this one :( The signs were there but the simplicity of the email I think is what lowered my guard.<p><a href="http://blog.greggman.com/blog/getting-phished/" rel="nofollow">http://blog.greggman.com/blog/getting-phished/</a>
Ok, this article is great and I'd like to share it with all my friends. BUT, it says nothing about how to mitigate against phishing and so ... would leave the average internet user just vaguely paranoid, which is not helpful.<p>I'd like to contact the author and get him to append something about "check the url". But I guess they are not advertising their email addresses anymore :-)
This just shows that password-based authorization doesn't work for normal (not computer engineers) people and needs to be replaced with physical cryptographic keys. This is a script kiddie level attack any teenager can do and it succeeded.
It's surprising that a dedicated phisher would go so blatantly overboard, knowing it would stand out like a sore thumb. This wasn't spearphishing, it was regular phishing in a pond.
It's worth noting the new user-image-before-password-input for Google is an anti-phishing feature. Of course, most people won't think that deeply when prompted with a password request and a similar UI.