Unbeknownst to Reddit users, the site that likes to call itself the "front page of the internet" has acquired an unwanted evil twin they'd do well to avoid.

Registered in July 2010 as a .co lookalike of Reddit's domain (notice the missing 'm'), it's reportedly been used to host Flash games, a porn cam, and has spent a long time parked and for sale to anyone who might want to buy it.

Earlier this week, security engineer Alec Muffett noticed that the lookalike had turned into something altogether more troubling: a clone of the real Reddit site, most likely intended to phish user credentials.

Muffett found the site by accident, which is exactly how anyone would discover a site that is reached by mis-typing the correct domain by a single letter. As he put it:

"… .co registry permitted it to be registered, is beyond me…"

.co is the country code top-level domain (ccTLD) for Colombia; one might have assumed the registrar appointed to manage these would not have allowed it to be combined with such an obvious trademark as Reddit. Trademark holders are usually also careful to register similar-looking domains to protect themselves.

Muffett said he reported the page to Google's Safe Browsing. Almost 24 hours later the fake site was still reachable, although by the morning of 7 February Google had started blocking it.

What, if any, precautions can users of sites like Reddit take against this kind of typosquatting?

It sounds like a job for two-factor authentication (2FA) which, by coincidence, Reddit finally implemented late last month using the time-based one-time password (TOTP) protocol.

Anyone who had enabled this and found themselves trying to log in to the Reddit clone would have discovered two benefits. First, the phishing site had no prompt for the six-digit TOTP code, which would hopefully alert users that something is wrong. Second, even if users had handed over their usernames and passwords to the phishing site, those credentials alone would not be enough to give the crooks access to their 2FA-protected accounts on the real Reddit site.

But might TOTP codes not also be vulnerable to being phished? TOTP works by combining a secret key, shared between the server and the user's device, with the current time; the device and the server each run the same computation, and the server checks that the two outputs match. The authenticator app regenerates the code every 30 seconds, so an attacker who captures a code has, on average, considerably less than that to use it before it expires.