The Future of the Con Is Already Here, It's Just Not Evenly Distributed
27 points by Manishearth
I don’t understand how just having the password works in this flow. Don’t the attackers also need to control the phone?
Wouldn’t the victim get emails warning them of new logins?
Wouldn’t they see the signed in sessions?
No, they have a session cookie, not just the password: when you logged in to their phishing site, they were logging in on their end, which triggered a 2FA flow that they mirrored. They can delete or filter the warning emails.
Yes, they would see signed-in sessions. Not everyone checks signed-in sessions immediately after being prompted to log in. It's not uncommon that I get randomly prompted to re-login to my Google Account, for various reasons.
There are mitigations, including just being more vigilant about the URL bar. The interview process setup is designed to get your guard down, though.
And I'll highlight: the scam the post starts with is one example of a scam that's much easier to automate today than before. It's not the only type of thing to worry about.
If the user is using a password manager, they should realize they are having to enter a password where they shouldn’t, but yes, this can be overlooked.
Yeah, in my case I'd be protected from this by my password manager, except I don't use the password manager for certain key passwords.
This particular problem is what passkeys are trying to solve, isn't it? No matter how many factors you use, as long as they're proxy-able you can fall for this phishing trap.
I have many concerns around passkeys and so far mostly not used them, but maybe I should take another look.
Yep! But also if my guard was down I might see Google asking me to re-log in and not realize. Idk!
I also have concerns about passkeys but I should try them more.
I'm glad I work in public health. A recruitment that smooth would make me instantly suspicious. No local health department has that kind of dough.