Two components to fortifying your protection against online account compromise
One might think that a professional technology geek/nerd/guru/expert puts their feet up on the sofa and sits back with a smug grin on their face, resting easy on the mountain of knowledge accumulated over many years. That’s rarely the case for me. I’m continuously on the lookout for any news that could result in the Nightmare Scenario. Such was the case today. This article from Ars Technica made me go, “Ugh.”
It is worth your time to read, but if you don’t want to, here’s some important information taken from it:
The campaign began with a phishing email with an HTML attachment leading to the proxy server…When the user entered a password into the proxy site [hosted on that proxy server - my words], the proxy site sent it to the real server and then relayed the real server's response back to the user. Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesn't need to be reauthenticated at every new page visited.
Even after I sang the praises of adding a second layer of security to your online accounts in a previous newsletter, MFA/2FA is not a bulletproof solution if you click on a web link from a phishing email. Here are a couple of things I do to decrease the odds of compromising my accounts.
My professional work web browser contains a folder of bookmarks which contain valid URLs for my workplace email, my workplace intranet, and any other work-related webpage I need to access. When I fire up my work computer in the morning, I right-click on that bookmark folder and select “Open All” to open each one in its own tab. I never save my work account credentials in my browser. I always authenticate with my username and password every time I open a web browser. Why, Greyman, why? Because I believe gaining access to our valuable online information should be difficult. If it’s easy for us to access our online accounts, it will be easy for the Adversary as well.
My password manager will auto-fill my username and password into my workplace URL for me based on the valid website URL I authenticated to back when I originally saved this information. This is important. If I mistakenly click on a web link in an email, and my password manager does not auto-fill my credentials in the login screen, I become immediately suspicious, close the tab, and click on a bookmark to visit the real webpage.
Spot a Phish
Web links in phishing emails take you to authentic-looking URLs that seem legitimate.
https://accounts.google.com and https://accounts.goog1e.com can look very similar in a small web browser address window. Do we even look at web addresses anymore to confirm validity?
…and they will take you to a very authentic-looking webpage. If you are using a password manager, and your username/password is not auto-filled, you should not manually enter your credentials into the login page. In a growing number of cases, it is not the legitimate website you were intending to access, but a website solely created to grab your username and password by the Adversary.
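The auto-fill behavior described above, sketched as an added example (not code from the original article or from any particular password manager). It assumes the manager offers credentials only on an exact origin match; the vault entry, the username, and the small look-alike character table are constructed for illustration, and real products' matching rules differ.

```javascript
// Constructed vault: one saved login, keyed by the origin it was saved on.
const vault = [
  { origin: "https://accounts.google.com", username: "greyman@example.com" },
];

// Digits commonly swapped for letters in look-alike hostnames (illustrative set).
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s" };

// Reduce a hostname to a "skeleton" so goog1e and google compare equal.
function skeleton(hostname) {
  return hostname.toLowerCase().replace(/[0135]/g, (c) => CONFUSABLES[c]);
}

// Decide whether to auto-fill on pageUrl, and explain why not when refusing.
function checkLogin(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { autofill: false, verdict: "invalid-url" };
  }
  // Never offer credentials to a page that was not loaded over HTTPS.
  if (url.protocol !== "https:") {
    return { autofill: false, verdict: "not-https" };
  }
  // Exact origin match (scheme + host + port) is the only case that fills.
  const exact = vault.find((e) => e.origin === url.origin);
  if (exact) {
    return { autofill: true, verdict: "match", username: exact.username };
  }
  // No match: check whether the host merely resembles a saved one.
  const near = vault.find(
    (e) => skeleton(new URL(e.origin).hostname) === skeleton(url.hostname)
  );
  if (near) {
    return { autofill: false, verdict: "lookalike", resembles: near.origin };
  }
  return { autofill: false, verdict: "unknown-site" };
}

// The two addresses from the text, plus a subdomain trick and a plain-HTTP page.
for (const u of [
  "https://accounts.google.com/signin",
  "https://accounts.goog1e.com/signin",
  "https://accounts.google.com.login.example/signin",
  "http://accounts.google.com/signin",
]) {
  console.log(u, "->", JSON.stringify(checkLogin(u)));
}
```

The comparison is on the parsed origin rather than on how the address looks, which is why a missing auto-fill is a more reliable signal than reading the address bar by eye.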
By modifying our online workflows, we can gain more confidence that the websites we visit are legitimate while still keeping a sharp eye on everything coming at us in our email inboxes.