Gatehub phishing attempt

[namini]

I just received a very well done phishing email imitating gatehub website.

IF YOU RECEIVE THIS EMAIL: DO NOT CLICK ON LINKS, DO NOT ENTER YOUR LOGIN INFORMATIONS

 

Edited July 25, 2016 by namini

[T8493]

GateHub should really use extended validation certificate instead of the current one....

 

[enej]

Hi @namini,

thank you for posting this. We already reported a fraudulent website to a registrar. Hopefully it will be taken offline soon.

39 minutes ago, T8493 said:

GateHub should really use extended validation certificate instead of the current one....

 

Unfortunately EV does not help with increasing security for phishing attacks. What does is that browsers will soon start displaying warning messages for all websites not using SSL. This will greatly increase security once implemented.

 

 

[T8493]

23 minutes ago, enej said:

Hi @namini,

thank you for posting this. We already reported a fraudulent website to a registrar. Hopefully it will be taken offline soon.

Unfortunately EV does not help with increasing security for phishing attacks. What does is that browsers will soon start displaying warning messages for all websites not using SSL. This will greatly increase security once implemented.

EV certificate can help user distinguish genuine website from the fraudulent one - simply because of the big green button with company name before the URL in address bar. Fraudulent websites won't have this big green button.

Effect of EV certificates on the security is somewhat controversial, but it is really one of the rare things that you can implement as prevention.

 

Quote

What does is that browsers will soon start displaying warning messages for all websites not using SSL.

If you mean that browser warning about "unsecure" websites can increase security against phishing attacks, then I think you're wrong. Phishing website can simply obtain regular (but not EV) certificate and browsers won't complain at all. Some phishing websites already use (wildcard?) regular certificates and SSL. I think one of the recent phishing websites for gatehub.net used TLS/SSL (with maybe self-signed certificate).

 

 

 

 

 

 

Edited July 25, 2016 by T8493

[Guest]

23 minutes ago, T8493 said:

EV certificate can help user distinguish genuine website from the fraudulent one - simply because of the big green button with company name before the URL in address bar. Fraudulent websites won't have this big green button.

Does anyone know why chrome mobile does not display EV any different than regular ssl?

Considering that most people open their mail from their mobile, that's quite a drawback, because you can't warn users in the login form, to always check for green address bar.

[GateHub]

21 minutes ago, T8493 said:

EV certificate can help user distinguish genuine website from the fraudulent one - simply because of the big green button with company name before the URL in address bar. Fraudulent websites won't have this big green button.

Effect of EV certificates on the security is somewhat controversial, but it is really one of the rare things that you can implement as prevention.

 

If you mean that browser warning about "unsecure" websites can increase security against phishing attacks, then I think you're wrong. Phishing website can simply obtain regular (but not EV) certificate and browsers won't complain at all. Some phishing websites already use (wildcard?) regular certificates and SSL. I think one of the recent phishing websites for gatehub.net used TLS/SSL (with maybe self-signed certificate).

 

 

 

 

 

 

@T8493 True, a big green certificate bar would help users distinguish between the real GateHub and phishing websites, although the latest phishing website did not use a certificate at all and my personal opinion is that people unfortunately pay little attention to that.

@namini Thank you for letting the users know about the phishing email here on the forum. I would argue that the email was not "well done", note how the grammar is all broken, especially the bold part.

There are several preventative measures in GateHub's pipeline which I look forward to, such as:

- Mandatory 2fa

- Email login verification when logging in from an unknown location (fast travel + new location rules)

Best regards,

Luka (GateHub Security)

[T8493]

31 minutes ago, lucky said:

Does anyone know why chrome mobile does not display EV any different than regular ssl?

Considering that most people open their mail from their mobile, that's quite a drawback, because you can't warn users in the login form, to always check for green address bar.

It looks like all mobile browsers don't show different icon when website uses EV certificate. But Firefox at least shows company name when you tap on the padlock.

[T8493]

1 hour ago, gatehub said:

There are several preventative measures in GateHub's pipeline which I look forward to, such as:

- Mandatory 2fa

- Email login verification when logging in from an unknown location (fast travel + new location rules)

Phishing website can probably bypass 2fa security by requesting the same 2fa authentication code on the phishing website.

Email verification when logging in from an unknown location is questionable. 

Phishing website knows your location and they can use "similarly looking" IP address. This is harder to achieve, but not technically impossible (public/private SOCKS proxies, VPNs,  tor, jondo, botnets, etc.).

Now that we have multisign maybe the right approach is the use of multisign transactions. First signature comes from the GateHub UI, another signer signs the transaction after the transaction is confirmed by some other method (2fa or email). 

Something like confirmation emails that Bitstamp sends.

 

Edited July 25, 2016 by T8493

[enej]

1 hour ago, T8493 said:

Now that we have multisign maybe the right approach is the use of multisign transactions. First signature comes from the GateHub UI, another signer signs the transaction after the transaction is confirmed by some other method (2fa or email).

This seems like a promising idea and one we will definitely try to implement one way or another.

 

 

[Hodor]

For a criminal to invest time and energy into creating a full phishing site might mean that some users were / or will be actually fooled, otherwise it's not profitable. 

Yet I've not heard of any successful attack.  I suppose if the criminal gets their login info, and secondary auth is not enabled, they might be able to do something malicious. 

Activate your Secondary authentication, people. 

[T8493]

8 minutes ago, Hodor said:

Yet I've not heard of any successful attack.  

There were some reports of thefts on this or maybe previous forum. I don't know if they have anything to do with Gatehub or not.

Edited July 26, 2016 by T8493

[MundoXRP]

6 hours ago, Hodor said:

For a criminal to invest time and energy into creating a full phishing site might mean that some users were / or will be actually fooled, otherwise it's not profitable. 

Yet I've not heard of any successful attack.  I suppose if the criminal gets their login info, and secondary auth is not enabled, they might be able to do something malicious. 

Activate your Secondary authentication, people. 

Many people have been fooled and lost their xrp. Even two factor authentication isn't 100% with man in the middle attacks. 

https://www.schneier.com/blog/archives/2005/03/the_failure_of.html

[kanaas]

Phising does not work w/o cooperation of the fish. Best solution is educate the fish. Theyve been educated to handle and use house and carkeys too...

[Hodor]

4 hours ago, MundoXRP said:

Many people have been fooled and lost their xrp. Even two factor authentication isn't 100% with man in the middle attacks. 

True.  A good fishing attempt might fool a nobel prize winner who is short on sleep, or distracted for some reason.  Being swindled doesn't mean you're dumb - it means you've been swindled by a convincing con man (or woman).  If a forum member has been swindled, the best thing to do is admit it so that the other members can assist them. 

My point was to do what we can on this forum to protect our members, at least - and that is to encourage enabling the security feature that Gatehub has - secondary authentication. 

[kanaas]

1 hour ago, Hodor said:

True.  A good fishing attempt might fool a nobel prize winner who is short on sleep, or distracted for some reason.  Being swindled doesn't mean you're dumb -

Not agreed. When you leave the house unlocked and get robbed everyone says: shame on you. We learned several habitudes to protect ourselves against criminal acts and thieves. Why can't we ask the same on cyber?

BTW I also think that it's rather the fisher that cybercrime protection has to go after. Putting a lock on a lock on a lock and never trying to punish the thieves is what's wrong. Why can't all those security efforts not for some part go in the other direction? Must be not to hard to find them I guess. Of course they hide in some banana republic, but civilized governments should be strong enough to put pressure on those countries to fight that crime internationals. This is something that they can take into international trading agreements I guess. No cooperation? None or bad trading agreements as a result....

I just think it's crazy and sad to put so much efforts in cyberprotection and none in cybercrime punishment....