body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 X Corp.

Conversation

Mustafa Al-Bassam

Quick phishing demo. Would you fall for something like this?

Embedded video

10:36 PM · Sep 9, 2018

144

Bookmarks

Nah, I don’t thinks so. but it looks very well done... so not sure. On the other hand 2fa FTW

2

14

Mustafa Al-Bassam

How would you tell it's phishing?

7

2

Show replies

(this is why we reduce passwords and encourage the use of 2fa on primary accounts - using that button in most cases *won't* and *shouldn't* ask for a password)

2

3

81

Mustafa Al-Bassam

Couldn't a sophisticated phishing page make requests to Google behind the scenes, and make you type your 2FA code on the phishing site?

6

1

58

Show replies

Ioan Popovici @ MEM.Zone

I wouldn’t. I use 1 password with autocomplete. If it doesn’t autocomplete I become instantly suspicious. I encountered this kind of phishing before, 1p FTW :). Still all my passwords are unique, 30 characters long with symbols, case and numbers. Also I use 2FA where available...

2

30

Show replies

That’s complicated. Now try figuring out which of these two has an L: MICROSOFT.com MlCROSOFT.com (This is why phishing is hard for humans. And easier for computers to catch at

.)

16

cc/

This is where Safari got it right. It shows the primary domain in the URL bar.

I wonder why the browser wouldn’t warn users with a subdomain like that

1

One more reason why password managers are important: they wouldn’t fall for it.

That's certainly one of the better ones I've seen. I could see many people just quickly clicking through.