Gone Phishing – Yet Another Bug (A Lazy Documentary of my Projects and Thoughts)
https://yetanotherbug.com/gone-phishing/
Fri, 29 May 2015 00:21:34 +0000

The post Gone Phishing appeared first on Yet Another Bug.

Ahh, phishing, the old “It’s really urgent [you inherited a large sum of money from a South-African philanthropist | Your bank account has reported weird activities, it was most definitely hacked | your PayPal account has been blocked], please go to this link and log in”…

So far I had managed to dodge a bunch of these attempts to “catch” my credentials like a Pokémon from a multitude of cyber thugs, even though many of them were quite believable, sporting pages designed to resemble the original ones with great attention to detail (ad banners, real “internal” links), just by having a professionally trained eye and smelling something phishy.

Today, however, they finally got me… I received an email from my host (BlueHost) notifying me that I had more than 6000 folders in my account (note that the number was actually something like 6043, so it was kind of plausible) and that I needed to reduce the number to prevent a drop in server performance or my account might be suspended: just click this link http://thehostlink.com/boguspage.php?faketokenpar=mksdkf352lkn52jnkj52311lgbb, log in and… I don’t know, do something about it!


A few red flags should have gone up, but I just came back from lunch and I was on my Mac which I only use for iOS development and when I saw that my password was not saved in the password manager I figured it was just Apple’s fault… Eheh… I tend to use this excuse a lot lately.

Long story short: as soon as I typed the username and password and hit enter, of course an error came up, and I automatically looked at the URL, which was obviously NOT bluehost.com… but some Russian domain. So now here I am, changing all my passwords and cleaning up the mess.

This is a serious issue, and many people don’t realize the gravity of the situation until it’s too late and the damage has been done, which also gives the thieves time to get away with it. Big companies like Google, Microsoft or Verizon have adopted a lot of countermeasures over the years to improve their level of security at the expense of usability, such as the various two-step verification systems; however, these are getting increasingly frustrating for users and are a challenge for developers to implement.

A good solution would be the use of fingerprints, since the technology is becoming more and more readily available, with Android M implementing native support and also adding a new Smart Lock Password Manager, as announced today at Google I/O in San Francisco. A fingerprint-based system would be virtually unbreakable, as there is nothing to steal: no emails, no passwords, only phalanges… which, come to think of it, might be kind of scary…

In any case, the technology is still not quite there yet, and even though it would be pretty swell to have a centralized database of fingerprints providing APIs to developers to add support for this kind of login, that would add a whole new set of security concerns (I see NSA written all over it).

Bottom line: as users we always have to be aware of what we are doing and keep an eye on that URL bar… Education in this case is the best solution. As developers we need to figure out better ways to improve security without killing the user experience, and sometimes a simple, low-tech message above the login form stating “PLEASE MAKE SURE THAT THE FOLLOWING URL IS DISPLAYED IN YOUR URL BAR BEFORE TYPING YOUR CREDENTIALS” could make the difference between catching the phish or not.
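As an added illustration of the “keep an eye on that URL bar” advice (example code, not from the original post): a small Python check that decides whether a link from an email really belongs to the host you expect, rejecting the lookalike patterns that a plain substring search for “bluehost.com” would accept. The hostnames other than the bogus link quoted above are constructed for illustration.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Added example, not code from the original post. Decides whether a link's
# host is the expected one (or a genuine subdomain of it) before anyone
# types credentials into it. Non-quoted hostnames below are constructed.


def host_of(url: str) -> Optional[str]:
    """Return the lowercased hostname of url, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        # .hostname strips userinfo ("user:pw@") and the port, so a link such as
        # "https://bluehost.com@example.ru/" correctly yields "example.ru".
        host = parts.hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def belongs_to(url: str, expected: str) -> bool:
    """True only if the link's host is `expected` or a real subdomain of it.

    A dot boundary is required so that "bluehost.com.example.ru" (expected
    host used as a subdomain prefix) and "notbluehost.com" (expected host as a
    suffix of a longer label) are both rejected; a substring check passes both.
    """
    host = host_of(url)
    if host is None:
        return False
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage(links: List[str], expected: str) -> List[Tuple[str, str]]:
    """Label each link "ok" or "suspicious" relative to the expected host."""
    return [(u, "ok" if belongs_to(u, expected) else "suspicious") for u in links]


if __name__ == "__main__":
    # Constructed sample links; the first is the bogus one quoted in the post.
    sample = [
        "http://thehostlink.com/boguspage.php?faketokenpar=mksdkf352lkn52jnkj52311lgbb",
        "https://my.bluehost.com/cgi/login",
        "https://bluehost.com.example.ru/login",
        "https://bluehost.com@example.ru/login",
        "https://notbluehost.com/login",
    ]
    for url, verdict in triage(sample, "bluehost.com"):
        print(f"{verdict:10s} {url}")
```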
