Beware Twitter "password check" sites - there are fakes, and there are fake fakes!

JMH (Emeritus, Contributor) - Joined: Apr 2, 2012 - Posts: 7,197

After a widely publicised hack or data breach, you'll often find "password check" sites springing up.
Some of them are legitimate, asking only for your email address and checking it against a list of known data dumps.

→ Dumps are the files that typically circulate on the Underweb after a hack, containing as much or as little personally identifiable information (PII) as the thief cares to share; legitimate password check sites collect these to build a list of probably-hacked email addresses.

But other "password check" sites are as bogus as they sound on the surface.
They ask you to type in your login details, either into a clone of a regular site's login page, or into a nicely-worded "you can trust us, honest, guv" page of their own.

That sounds like phishing, doesn't it?
And the reason it sounds like phishing is that it IS phishing!
Source: Beware Twitter "password check" sites - there are fakes, and there are fake fakes! | Naked Security
 
Re: Beware Twitter "password check" sites - there are fakes, and there are fake fakes

Haha, put the password you use for any website into a 3rd party site's database and you deserve to be hacked. (Edit: No, that may be a bit harsh, as some people really have no clue... And the onus is not on them for that if they just don't know.)

I've been making it my goal to get people to realize that the majority of today's attacks really come down to "trickery". Unfortunately, and this is the bad part that I don't like, people fall for it... You don't have to be a genius to get someone's password; just utilize socially engineered attempts like these guys are doing and you'll probably get lots more passwords!

I should write a long, detailed blog post about good practices to avoid things like this happening to you. It's really simple, especially for the obvious ones like this: if it's not the main site (on a subdomain, the main domain, or some subdirectory of the main site), do not give out your password. Do a sanity check on the information that you do see first.

If someone came up to your door and said that you needed to pay your taxes, and you were behind, yet this person was in socks, had a raggy shirt, and didn't look professional at all, how could you believe that this was someone associated with the government? Same idea here.

:beerchug2:
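The "is this really the main site?" sanity check from the reply above, written out as code. This is an added example, not code from the original post or from the Naked Security article; the function names (`belongs_to`, `host_of`, `looks_like_homograph`) and the sample URLs are constructed for illustration. It shows why "twitter.com appears somewhere in the address" is not good enough: the expected domain has to be the host itself or a parent of the host, not a prefix of it, not in the path, and not in the `user@` part of the URL.

```python
"""Sanity-check a URL before typing a password into the page it loads.

Added example (not from the original post): encodes the rule "only the main
domain, a subdomain of it, or a path under it" and rejects the usual
lookalike tricks.  All sample URLs below are constructed, not observed.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of url, or None if it has none.

    urlsplit().hostname already drops 'user:pass@', the port and IPv6
    brackets and lower-cases the result; we only strip a trailing dot.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    return host.rstrip(".")


def belongs_to(url: str, site: str, require_https: bool = True) -> bool:
    """True if url is served by `site` itself or by one of its subdomains.

    `site` is the registrable domain you expect, e.g. "twitter.com".
    A host where that string is merely a prefix (twitter.com.evil.example),
    a path that contains it (evil.example/twitter.com/), or a userinfo
    trick (https://twitter.com@evil.example/) all return False.
    """
    parts = urlsplit(url.strip())
    if require_https and parts.scheme.lower() != "https":
        return False  # a real login page is never plain http
    host = host_of(url)
    if host is None:
        return False
    site = site.lower().rstrip(".")
    # Either exactly the site, or a label-boundary subdomain of it.
    return host == site or host.endswith("." + site)


def looks_like_homograph(url: str) -> bool:
    """True if the host contains non-ASCII characters.

    The real site's host is plain ASCII; a host that only *looks* the same
    because it uses e.g. a Cyrillic letter is the classic IDN homograph trick.
    """
    host = host_of(url)
    return host is not None and not host.isascii()


# Constructed sample URLs and the verdict the rule should give for each.
SAMPLES: Dict[str, bool] = {
    "https://twitter.com/login": True,
    "https://mobile.twitter.com/session/new": True,
    "http://twitter.com/login": False,                    # no TLS
    "https://twitter.com.passwordcheck.example/": False,  # prefix trick
    "https://twitter.com-login.example/": False,          # hyphen trick
    "https://twitter.com@evil.example/login": False,      # userinfo trick
    "https://evil.example/twitter.com/login": False,      # domain in the path
    "https://twіtter.com/": False,                        # Cyrillic 'і' homograph
}


def check_all(site: str = "twitter.com") -> Dict[str, bool]:
    """Apply belongs_to() to every sample URL."""
    return {url: belongs_to(url, site) for url in SAMPLES}


if __name__ == "__main__":
    for url, ok in check_all().items():
        note = "  (non-ASCII host!)" if looks_like_homograph(url) else ""
        print(f"{'OK  ' if ok else 'STOP'} {url}{note}")
```

Two caveats a practitioner would add: the subdomain rule assumes the site does not hand out subdomains to arbitrary users (if it does, `evil.<site>` passes the check), and a correct host says nothing about what the page does with the password once submitted; it only rules out the crude clones the article describes.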
 
