Kitz Forum

Chat => Tech Chat => Topic started by: broadstairs on December 11, 2013, 12:06:34 PM

Title: Interesting forum attack seen elsewhere
Post by: broadstairs on December 11, 2013, 12:06:34 PM
Another forum I frequent has today seen an attack where a new user posted a seemingly valid thread with a link to show his problem. When you clicked on this link it displayed an identical page to the standard forum requesting you log in again, attempting to trick the user into thinking they had been logged out. If you entered a user/password and hit enter it took you back to the genuine forum start page. Needless to say, if you did check the URL it was not the correct one, but I wonder how many folks actually always check this at login time. Not sure if they wanted to hijack the forum in some way or merely harvest user/password combinations which may have been used for, say, a banking application or the like.

Stuart
Title: Re: Interesting forum attack seen elsewhere
Post by: door_bell on December 11, 2013, 12:21:37 PM
I wonder how that works with autocomplete in browsers?

Would it detect the site is different and not autocomplete? I rarely bother to enter passwords anymore, but certainly one to watch out for!!
Title: Re: Interesting forum attack seen elsewhere
Post by: roseway on December 11, 2013, 01:10:35 PM
It sounds like another attempt to harvest people's username/password combinations.

Browser saved passwords are linked to particular web addresses, so I don't think that the dummy site will be able to use them unless the user actually enters them again.
Title: Re: Interesting forum attack seen elsewhere
Post by: broadstairs on December 11, 2013, 10:48:34 PM
Thing is, though, auto-complete does not ALWAYS function, so sometimes I have to enter user and/or passwords... it can be turned off on a web page.

Stuart
Title: Re: Interesting forum attack seen elsewhere
Post by: ryant704 on December 12, 2013, 12:05:20 PM
You could type your passwords in; it isn't a key logger.

It's a phishing website: as you click 'Login' your Username and Email will be emailed to an email address the phisher has specified. Alternatively it will add a string into his .html file on his FTP server.
Title: Re: Interesting forum attack seen elsewhere
Post by: BritBrat on December 12, 2013, 12:40:46 PM
Don't think that would work with me, as my logins are URL specific.
Title: Re: Interesting forum attack seen elsewhere
Post by: broadstairs on December 12, 2013, 01:08:11 PM
It won't work with any auto-complete unless they spoof the address in the URL bar some way; however, it is possible for a website to stop any automatic filling in of user and password combinations, and in this case people can be fooled into doing it manually. The particular forum it happened on does not prevent auto-completion, so in that case it might raise an eyebrow for the user. I suspect the reason was to harvest user/password combinations which might work elsewhere, as so many folks on the net use the same combinations for all their logins.

Stuart
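An added example, not from any poster in this thread, of the two points roseway and Stuart make: a browser's saved password is bound to the exact origin it was saved for, so a lookalike login page gets no autofill, while a page can still opt out of autofill and push the visitor into typing by hand. The credential store, domains and the `autocomplete` handling are constructed for illustration.

```javascript
// Added example (not from the thread): a simplified model of how a
// browser's password store decides whether a saved credential may be
// autofilled, by comparing the origin (scheme + host + port) the
// credential was saved for with the origin of the page asking for it.

// Constructed sample store: placeholder domain, not the forum in the thread.
const savedCredentials = [
  { origin: "https://forum.example.com", username: "stuart", password: "hunter2" },
];

// Return the origin of a URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Return the credentials that may be autofilled on `pageUrl`.
// Only an exact origin match qualifies: a lookalike domain such as
// forum-example.com, a sub-domain under an attacker's domain, or a
// plain-http copy of the https site all get nothing back.
function credentialsFor(pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return savedCredentials.filter((c) => c.origin === origin);
}

// Models the page-side opt-out Stuart mentions: a form marked
// autocomplete="off" is treated as not fillable, which is why a phishing
// copy can still get a visitor to type credentials manually.
function autofillAllowed(pageUrl, formAutocompleteAttr) {
  if (formAutocompleteAttr === "off") return false;
  return credentialsFor(pageUrl).length > 0;
}
```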