OWA is vulnerable to Phishing

stacksofplates

I just had a scary thought. Using this idea http://fakeupdate.net/ you could make a fake windows login page and do full screen on users who don't lock their computer when they leave for short amounts of time

Deleted74295

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

IRJ

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Deleted74295

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Yeah but what if the username is just the email address you typed in something that I know most users would overlook, as for URL checking, not sure about that.

Space Coast Credit Union? If those guys show an image of you that's fine but I know of at least 4 banks in the UK won't do that, I think that's fairly rare.

IRJ

@Breffni-Potter I will post on my blog how I did it and you will see why cloning Google or Online banking is much more difficult.

Like I said, I am sure there is a way to do it if you had to use that as your attack vector. I am going to guess chances are if you steal facebook credentials with a gmail username that the password is probably the same for google for most users.

IRJ

@Breffni-Potter said in OWA is vulnerable to Phishing:

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Yeah but what if the username is just the email address you typed in something that I know most users would overlook, as for URL checking, not sure about that.

Space Coast Credit Union? If those guys show an image of you that's fine but I know of at least 4 banks in the UK won't do that, I think that's fairly rare.

Space Coast is our competitor. I am not sure if they show an image, but I know our online banking does.

dafyre

You could also spin up a GoPhish server... https://getgophish.com/ (I haven't tried this yet, but it's in my list of things to check).

IRJ

@dafyre said in OWA is vulnerable to Phishing:

You could also spin up a GoPhish server... https://getgophish.com/ (I haven't tried this yet, but it's in my list of things to check).

I gotta try that one.

IRJ

Most of the time having good locks on your doors and windows in your house will keep most bad guys out. Most hackers are the same way and go after easy prey. If a bad guy is specifically scoping out your house and targeting it, then you have more to worry about. The same thing with IT security.

dafyre

@IRJ said in OWA is vulnerable to Phishing:

Most of the time having good locks on your doors and windows in your house will keep most bad guys out. Most hackers are the same way and go after easy prey. If a bad guy is specifically scoping out your house and targeting it, then you have more to worry about. The same thing with IT security.

Nothing wrong with making sure that your locks work well... and fixing the ones that don't. 8-)

IRJ

@dafyre said in OWA is vulnerable to Phishing:

@IRJ said in OWA is vulnerable to Phishing:

Most of the time having good locks on your doors and windows in your house will keep most bad guys out. Most hackers are the same way and go after easy prey. If a bad guy is specifically scoping out your house and targeting it, then you have more to worry about. The same thing with IT security.

Nothing wrong with making sure that your locks work well... and fixing the ones that don't. 8-)

Exactly. My job has become hacking

stacksofplates

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

@IRJ said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

It's not easy to clone, because the URL is the same for Google and Online banking. Also Online banking shows an image to confirm your identity and google shows a username on the next page.

Is it possible? I am sure it is. Is it easy? no

Yeah but what if the username is just the email address you typed in something that I know most users would overlook, as for URL checking, not sure about that.

Space Coast Credit Union? If those guys show an image of you that's fine but I know of at least 4 banks in the UK won't do that, I think that's fairly rare.

Space Coast is our competitor. I am not sure if they show an image, but I know our online banking does.

I forgot you live down there. My wife's aunt works for Florida Community Bank.

DustinB3403

This topic blew up.

Wow.

IRJ

I threw this together really quick. There may be typos, etc. I gotta go run some quick errands.

joelradon.com/phishing-test-employees/

Jstear

I've been doing similar using SPToolkit. When the user clicks on the login/submit/go button it logs their email address and IP, sends them to a webpage that has training on it and explains what they just did and why it is bad, and finally they have to acknowledge that they read the page. I get a report with all of that within the hour. Works great.

momurda

Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?

Jstear

@momurda said in OWA is vulnerable to Phishing:

Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?

I've told users they have to change their webmail password. If they fail I explain to them they don't have a special login for webmail and they will get an official email, not a generic change you password one.

marcinozga

I can't believe that everyone here is dead wrong. None of the websites mentioned here or OWA are vulnerable to phishing. Not a single website on Internet is. Users are vulnerable to phishing, not websites. Phishing is a social engineering technique to deceive users, not websites. You can create fake Google login form that has both username and password fields and users will fall for it.

marcinozga

@momurda said in OWA is vulnerable to Phishing:

Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?

Instant messenger is one option.

aidan_walsh

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

Thats exactly what happens. You'd be surprised at what passes for phishing attacks, and how many people fall for them. I've seen ones that have asked people "for security purpose" to enter all 50 4-digit code card entries, something a bank would obviously never do.

And yet...