
Gatehub phishing attempt


namini


Hi @namini,

Thank you for posting this. We already reported the fraudulent website to its registrar. Hopefully it will be taken offline soon.

39 minutes ago, T8493 said:

GateHub should really use an extended validation certificate instead of the current one....

Unfortunately EV does not help with increasing security against phishing attacks. What does help is that browsers will soon start displaying warning messages for all websites not using SSL. This will greatly increase security once implemented.

23 minutes ago, enej said:

Hi @namini,

Thank you for posting this. We already reported the fraudulent website to its registrar. Hopefully it will be taken offline soon.

Unfortunately EV does not help with increasing security against phishing attacks. What does help is that browsers will soon start displaying warning messages for all websites not using SSL. This will greatly increase security once implemented.

An EV certificate can help users distinguish the genuine website from a fraudulent one, simply because of the big green button with the company name before the URL in the address bar. Fraudulent websites won't have this big green button.

The effect of EV certificates on security is somewhat controversial, but it is really one of the rare things you can implement as prevention.

 

Quote

What does help is that browsers will soon start displaying warning messages for all websites not using SSL.

If you mean that a browser warning about "unsecure" websites can increase security against phishing attacks, then I think you're wrong. A phishing website can simply obtain a regular (but not EV) certificate and browsers won't complain at all. Some phishing websites already use (wildcard?) regular certificates and SSL. I think one of the recent phishing websites for gatehub.net used TLS/SSL (maybe with a self-signed certificate).

23 minutes ago, T8493 said:

An EV certificate can help users distinguish the genuine website from a fraudulent one, simply because of the big green button with the company name before the URL in the address bar. Fraudulent websites won't have this big green button.

Does anyone know why Chrome mobile does not display EV any differently than regular SSL?

Considering that most people open their mail on their mobile, that's quite a drawback, because you can't warn users in the login form to always check for the green address bar.

21 minutes ago, T8493 said:

An EV certificate can help users distinguish the genuine website from a fraudulent one, simply because of the big green button with the company name before the URL in the address bar. Fraudulent websites won't have this big green button.

The effect of EV certificates on security is somewhat controversial, but it is really one of the rare things you can implement as prevention.

If you mean that a browser warning about "unsecure" websites can increase security against phishing attacks, then I think you're wrong. A phishing website can simply obtain a regular (but not EV) certificate and browsers won't complain at all. Some phishing websites already use (wildcard?) regular certificates and SSL. I think one of the recent phishing websites for gatehub.net used TLS/SSL (maybe with a self-signed certificate).

@T8493 True, a big green certificate bar would help users distinguish between the real GateHub and phishing websites, although the latest phishing website did not use a certificate at all, and my personal opinion is that people unfortunately pay little attention to that.

@namini Thank you for letting the users know about the phishing email here on the forum. I would argue that the email was not "well done"; note how the grammar is all broken, especially the bold part.

There are several preventative measures in GateHub's pipeline which I look forward to, such as:

- Mandatory 2FA

- Email login verification when logging in from an unknown location (fast travel + new location rules)

Best regards,

Luka (GateHub Security)

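The two rules Luka lists above (new location, fast travel) as a runnable sketch. This is example code added by the editor, not GateHub's implementation; the IP-to-city table is constructed data standing in for a GeoIP lookup, and the 900 km/h speed ceiling and the 50 km same-area allowance are assumed thresholds:

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// geo is a city plus coordinates; geoIP is a constructed stand-in for a GeoIP database.
type geo struct {
	city     string
	lat, lon float64
}

var geoIP = map[string]geo{
	"203.0.113.10": {"Ljubljana", 46.05, 14.51},
	"198.51.100.7": {"Ljubljana", 46.06, 14.50}, // same city, different address
	"192.0.2.44":   {"Sydney", -33.87, 151.21},
}

// Login is one login (successful or attempted) for a single user.
type Login struct {
	When time.Time
	IP   string
}

const (
	maxPlausibleKMH = 900.0 // roughly airliner speed; faster than this is "fast travel" (assumed)
	sameAreaKM      = 50.0  // ignore small jumps caused by GeoIP imprecision (assumed)
)

// haversineKM is the great-circle distance between two coordinates.
func haversineKM(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	p1, p2 := lat1*math.Pi/180, lat2*math.Pi/180
	dphi := p2 - p1
	dl := (lon2 - lon1) * math.Pi / 180
	a := math.Sin(dphi/2)*math.Sin(dphi/2) + math.Cos(p1)*math.Cos(p2)*math.Sin(dl/2)*math.Sin(dl/2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// NeedsEmailVerification applies the two rules to an attempt given the user's prior
// logins and returns the names of the rules that fired (empty means no extra step).
func NeedsEmailVerification(history []Login, attempt Login) []string {
	var reasons []string
	here, ok := geoIP[attempt.IP]
	if !ok {
		// No geolocation at all: treat as a new location rather than silently allowing it.
		return []string{"new_location"}
	}
	seen := false
	var last *Login
	for i := range history {
		h := history[i]
		if g, ok := geoIP[h.IP]; ok && g.city == here.city {
			seen = true
		}
		if last == nil || h.When.After(last.When) {
			last = &history[i]
		}
	}
	if !seen {
		reasons = append(reasons, "new_location")
	}
	if last != nil {
		if there, ok := geoIP[last.IP]; ok {
			km := haversineKM(there.lat, there.lon, here.lat, here.lon)
			hours := attempt.When.Sub(last.When).Hours()
			// A real jump covered faster than an airliner (or with no time elapsed) is implausible.
			if km > sameAreaKM && (hours <= 0 || km/hours > maxPlausibleKMH) {
				reasons = append(reasons, "fast_travel")
			}
		}
	}
	return reasons
}

func main() {
	t0 := time.Date(2017, 1, 1, 12, 0, 0, 0, time.UTC)
	history := []Login{{t0, "203.0.113.10"}}
	for _, a := range []Login{
		{t0.Add(1 * time.Hour), "198.51.100.7"},
		{t0.Add(2 * time.Hour), "192.0.2.44"},
		{t0.Add(30 * 24 * time.Hour), "192.0.2.44"},
	} {
		fmt.Printf("%s from %s -> %v\n", a.When.Format(time.RFC3339), a.IP, NeedsEmailVerification(history, a))
	}
}
```

The same-city login an hour later passes; Sydney two hours after Ljubljana trips both rules; Sydney a month later trips only the new-location rule. Both rules see nothing but the source address, so the limitation T8493 raises further down applies: a phisher who connects through a proxy in the victim's city trips neither.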

31 minutes ago, lucky said:

Does anyone know why Chrome mobile does not display EV any differently than regular SSL?

Considering that most people open their mail on their mobile, that's quite a drawback, because you can't warn users in the login form to always check for the green address bar.

It looks like none of the mobile browsers show a different icon when a website uses an EV certificate. But Firefox at least shows the company name when you tap on the padlock.

1 hour ago, gatehub said:

There are several preventative measures in GateHub's pipeline which I look forward to, such as:

- Mandatory 2FA

- Email login verification when logging in from an unknown location (fast travel + new location rules)

A phishing website can probably bypass 2FA security by requesting the same 2FA authentication code on the phishing website.

Email verification when logging in from an unknown location is questionable.

The phishing website knows your location, and they can use a "similarly looking" IP address. This is harder to achieve, but not technically impossible (public/private SOCKS proxies, VPNs, Tor, JonDo, botnets, etc.).

Now that we have multisign, maybe the right approach is the use of multisign transactions. The first signature comes from the GateHub UI; another signer signs the transaction after the transaction is confirmed by some other method (2FA or email).

Something like the confirmation emails that Bitstamp sends.
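How the relay T8493 describes plays out against standard TOTP, shown as an added example (editor's code, not GateHub's). The shared secret is the RFC 4226 test-vector key, the 30 s step and 6 digits are the RFC 6238 defaults, and the one-step tolerance is an assumed server setting:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const (
	step      = 30 // RFC 6238 default time step in seconds
	tolerance = 1  // assumed: many servers accept the adjacent steps to absorb clock drift
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is the code the authenticator app shows at Unix time t (RFC 6238).
func TOTP(secret []byte, t int64) string {
	return hotp(secret, uint64(t/step))
}

// ServerVerify is what the genuine site does: accept the code for the current step
// or any step inside the tolerance window, comparing in constant time.
func ServerVerify(secret []byte, code string, now int64) bool {
	cur := now / step
	for d := int64(-tolerance); d <= tolerance; d++ {
		if hmac.Equal([]byte(hotp(secret, uint64(cur+d))), []byte(code)) {
			return true
		}
	}
	return false
}

// demoSecret is the RFC 4226 test-vector key; a real one comes from the enrolment QR code.
var demoSecret = []byte("12345678901234567890")

// RelayAttack models the flow from the thread: the victim types the current code into
// the fake page at tVictim, the attacker forwards it to the real site delay seconds later.
func RelayAttack(tVictim, delay int64) bool {
	stolen := TOTP(demoSecret, tVictim) // what the phishing page captured
	return ServerVerify(demoSecret, stolen, tVictim+delay)
}

func main() {
	const t = 1500000000 // a Unix timestamp exactly on a step boundary
	for _, d := range []int64{5, 59, 61, 300} {
		fmt.Printf("relayed after %3ds: accepted=%v\n", d, RelayAttack(t, d))
	}
}
```

Nothing in the code ties it to the page it was typed into: anyone who submits it to the real site inside the step window (here, up to 59 s) is accepted, so a phishing kit that forwards the code immediately gets in. The same code relayed 61 s later is rejected, which is why such relays have to run in real time.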

1 hour ago, T8493 said:

Now that we have multisign, maybe the right approach is the use of multisign transactions. The first signature comes from the GateHub UI; another signer signs the transaction after the transaction is confirmed by some other method (2FA or email).

This seems like a promising idea and one we will definitely try to implement one way or another.

 

 

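One way to structure the multisign arrangement discussed above, as an added example. This is editor's code, not GateHub's implementation: the weighted signer list and 2-of-2 quorum follow the XRP Ledger multisign model, while the HMAC-derived confirmation token, the co-signer's behaviour and the account names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer is one SignerList entry: a public key and its weight.
type Signer struct {
	Pub    ed25519.PublicKey
	Weight int
}

// SignerList follows the XRP Ledger idea of weighted signers and a quorum.
type SignerList struct {
	Signers []Signer
	Quorum  int
}

// Tx is a simplified payment; its canonical form is what gets signed.
type Tx struct {
	Account, Destination string
	Drops                uint64
	Sequence             uint32
}

func (t Tx) Hash() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", t.Account, t.Destination, t.Drops, t.Sequence)))
	return h[:]
}

// MeetsQuorum sums the weights of signers whose signature verifies; unknown keys count for nothing.
func MeetsQuorum(list SignerList, tx Tx, sigs map[string][]byte) bool {
	total, h := 0, tx.Hash()
	for _, s := range list.Signers {
		if sig, ok := sigs[hex.EncodeToString(s.Pub)]; ok && ed25519.Verify(s.Pub, h, sig) {
			total += s.Weight
		}
	}
	return total >= list.Quorum
}

// CoSigner is the hypothetical second signer: it releases its signature only for a
// transaction whose confirmation token (emailed to the user, or shown after a 2FA
// prompt) has been presented back to it.
type CoSigner struct {
	priv     ed25519.PrivateKey
	tokenKey []byte // secret used to derive confirmation tokens (constructed)
}

// IssueToken binds the token to this exact transaction, so a confirmation for one
// payment cannot be replayed to release another.
func (c CoSigner) IssueToken(tx Tx) string {
	m := hmac.New(sha256.New, c.tokenKey)
	m.Write(tx.Hash())
	return hex.EncodeToString(m.Sum(nil)[:16])
}

func (c CoSigner) Sign(tx Tx, token string) ([]byte, error) {
	if !hmac.Equal([]byte(c.IssueToken(tx)), []byte(token)) {
		return nil, errors.New("transaction not confirmed out of band")
	}
	return ed25519.Sign(c.priv, tx.Hash()), nil
}

// Scenario builds a 2-of-2 list (UI key + co-signer) with fresh keys and reports which
// paths reach quorum. Account names are made up.
func Scenario() (phisherOnly, withConfirmation, wrongTxToken bool) {
	uiPub, uiPriv, _ := ed25519.GenerateKey(rand.Reader)
	coPub, coPriv, _ := ed25519.GenerateKey(rand.Reader)
	co := CoSigner{priv: coPriv, tokenKey: []byte("constructed-token-key")}
	list := SignerList{Signers: []Signer{{uiPub, 1}, {coPub, 1}}, Quorum: 2}
	tx := Tx{"rVictim", "rAttacker", 5_000_000_000, 7}
	sigs := map[string][]byte{hex.EncodeToString(uiPub): ed25519.Sign(uiPriv, tx.Hash())}
	// 1. Phished login: the attacker drives the UI and obtains its signature, nothing more.
	phisherOnly = MeetsQuorum(list, tx, sigs)
	// 2. The account holder confirms this transaction (e.g. clicks the emailed link).
	if coSig, err := co.Sign(tx, co.IssueToken(tx)); err == nil {
		sigs[hex.EncodeToString(coPub)] = coSig
	}
	withConfirmation = MeetsQuorum(list, tx, sigs)
	// 3. A token issued for a different payment must not release this one.
	other := Tx{"rVictim", "rFriend", 1_000_000, 8}
	_, err := co.Sign(tx, co.IssueToken(other))
	wrongTxToken = err == nil
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("UI signature only reaches quorum:       ", a)
	fmt.Println("after out-of-band confirmation:         ", b)
	fmt.Println("token for another transaction accepted: ", c)
}
```

The point of binding the token to the transaction hash is the second and third case together: a phisher who can drive the UI still holds only the first signature, and a confirmation the user gave for a different payment does not release the second one.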

For a criminal to invest time and energy into creating a full phishing site might mean that some users were, or will be, actually fooled; otherwise it's not profitable.

Yet I've not heard of any successful attack. I suppose if the criminal gets their login info and secondary auth is not enabled, they might be able to do something malicious.

Activate your Secondary authentication, people.

8 minutes ago, Hodor said:

Yet I've not heard of any successful attack.  

There were some reports of thefts on this or maybe the previous forum. I don't know if they have anything to do with GateHub or not.

6 hours ago, Hodor said:

For a criminal to invest time and energy into creating a full phishing site might mean that some users were, or will be, actually fooled; otherwise it's not profitable.

Yet I've not heard of any successful attack. I suppose if the criminal gets their login info and secondary auth is not enabled, they might be able to do something malicious.

Activate your Secondary authentication, people.

Many people have been fooled and lost their XRP. Even two-factor authentication isn't 100% against man-in-the-middle attacks.

https://www.schneier.com/blog/archives/2005/03/the_failure_of.html

4 hours ago, MundoXRP said:

Many people have been fooled and lost their XRP. Even two-factor authentication isn't 100% against man-in-the-middle attacks.

True. A good phishing attempt might fool a Nobel Prize winner who is short on sleep or distracted for some reason. Being swindled doesn't mean you're dumb; it means you've been swindled by a convincing con man (or woman). If a forum member has been swindled, the best thing to do is admit it so that the other members can assist them.

My point was to do what we can on this forum to protect our members, at least, and that is to encourage enabling the security feature that GateHub has: secondary authentication.

1 hour ago, Hodor said:

True. A good phishing attempt might fool a Nobel Prize winner who is short on sleep or distracted for some reason. Being swindled doesn't mean you're dumb;

Not agreed. When you leave the house unlocked and get robbed, everyone says: shame on you. We have learned several habits to protect ourselves against criminal acts and thieves. Why can't we ask the same in cyberspace?

BTW, I also think that it's rather the phisher that cybercrime protection has to go after. Putting a lock on a lock on a lock and never trying to punish the thieves is what's wrong. Why can't some part of all those security efforts go in the other direction? It must not be too hard to find them, I guess. Of course they hide in some banana republic, but civilized governments should be strong enough to put pressure on those countries to fight that crime internationally. This is something they could take into international trade agreements, I guess. No cooperation? No or bad trade agreements as a result....

I just think it's crazy and sad to put so much effort into cyber protection and none into cybercrime punishment....
