Do you ever use an online service that gives you multiple ways to sign in? For example, there’s the online storage service Dropbox which lets you login with your Google credentials, Yahoo credentials, Office 365 credentials and others. Seems very convenient, because you don’t have to remember as many login credentials. Well guess what? Attackers know that and they’re now using it to phish you.
According to the folks over at Information Security Buzz, they’ve “uncovered an alarming type of phishing attack that is based on so-called replica sign-in pages for federated account log-ins. This type of attack works by playing into the human brain’s tendency to give priority to well-known visual icons. Replica phishing pages carefully duplicate the logos, colors and fonts from popular global brands such as Google, Microsoft, Dropbox and Yahoo. These imitations are often so realistic that they lure users into giving away their credentials.”
You can login to Dropbox using any credentials you want because the attackers have created a fake phishing login page for all of them. And how realistic are these phishing login pages? “Some of these log-in pages come complete with a functional Password Reset option. Others include requests for secondary email accounts, mobile phone numbers, or one’s answers to security questions to ostensibly provide enhanced security.” Yeah, that realistic.
The article goes on to correctly conclude, “Many security professionals try to offset the risk from these sorts of attacks by training their employees on how to identify and avoid such fake sign-in pop-ups and web pages. However, the attackers are creating more sophisticated and legitimate-looking phishing attacks every day, which can be quite hard to detect – such as in the examples above. And despite a growing focus on user awareness and training sessions, a distracted, multi-tasking workforce is still fallible, and will still make mistakes.”
In other words, you can’t “train” you way out of these attacks. They’re too sophisticated and some employees are going to fall for them. So, what should you do? Get yourself some protection that doesn’t fall for any of these tricks, no matter how clever they are. Get yourself Phishing Protection from DuoCircle.
Phishing Protection from DuoCircle is cloud-based email security software with real-time link click protection. So, no matter how clever the attack, Phishing Protection doesn’t fall for it because it doesn’t look at the realistic looking logos, it looks at the underlying HTML code. And the code doesn’t lie.
Try Phishing Protection from DuoCircle risk free for 30 days. It takes just 10 minutes to set up, works with all email services and costs only pennies per month per user. You’re no match for these types of phishing attacks, but DuoCircle is. Start protecting your users today.