By Jason McNicholas
Cyber Security Technologist
Over the last few months we have seen a new trend in phishing emails during investigations in our malware lab.
These emails will often link to a login page for a common account such as a Microsoft or Google account. The login pages look identical to the real login pages.
We have found that these pages are often built with Microsoft or Google “forms”. These are legitimate services that let users quickly send out an online form or survey; the downside is that criminals can create a form with just two fields (username and password) and dupe users into thinking it is a login page.
An important tell is that the password field does not “star out” as the user types: the letters appear in plain text.
Other tell-tale signs of these fake logins include a URL that is a long string of random letters and numbers, or one that points to an unrelated, compromised website.
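A small checker for the first tell, added here as an example and not part of the original post: it parses saved page HTML with Python's standard library and flags any input whose name or label suggests a password but whose type is not `password`. The field names and the two sample pages are constructed.

```python
from html.parser import HTMLParser

# Words that suggest a field is meant to hold a password (heuristic, case-insensitive).
PASSWORD_HINTS = ("password", "passwd", "pwd")

class InputCollector(HTMLParser):
    """Record every <input> as (name, type, text of the most recent <label>)."""
    def __init__(self):
        super().__init__()
        self.inputs, self._label, self._in_label = [], "", False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "label":
            self._in_label, self._label = True, ""
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            itype = (a.get("type") or "text").lower()  # browsers default to text
            self.inputs.append((name, itype, self._label.strip().lower()))
            self._label = ""  # a label describes only the next input

    def handle_endtag(self, tag):
        if tag == "label":
            self._in_label = False

    def handle_data(self, data):
        if self._in_label:
            self._label += data

def find_unmasked_password_fields(html):
    """Return (name, label) for each password-like input whose type is not 'password'."""
    p = InputCollector()
    p.feed(html)
    return [(n, lbl) for n, t, lbl in p.inputs
            if any(h in n or h in lbl for h in PASSWORD_HINTS) and t != "password"]

# Constructed samples: a survey-style fake login page and a genuine-looking one.
FAKE_LOGIN = ('<form><label>Email</label><input name="entry.1" type="text">'
              '<label>Password</label><input name="entry.2" type="text"></form>')
REAL_LOGIN = ('<form><input name="loginfmt" type="email">'
              '<input name="passwd" type="password"></form>')

if __name__ == "__main__":
    print(find_unmasked_password_fields(FAKE_LOGIN))  # [('entry.2', 'password')]
    print(find_unmasked_password_fields(REAL_LOGIN))  # []
```

Run it over the HTML of a suspicious page (or wire it into a link-scanning pipeline); a hit means a "login" page that would show the password in clear text, exactly the sign described above.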
Hackers will use the harvested credentials to log into the victim’s account.
The danger with this form of attack is that it circumvents antivirus and endpoint protection: each of these sites has a unique URL, so they cannot be added to a blacklist quickly enough.
The best way to protect against this is to use 2-Factor Authentication, which means that even if your credentials are stolen the attacker would not be able to log into your account.
If you suspect that you have been duped into entering your login details into a fake form, you should change your password immediately.
Contact your IT department or Microsoft support so they can help investigate which services have been accessed by the hacker.