Loaf With Mama

Malwarebytes

All Gmail users at risk from clever replay attack

All Google accounts could end up compromised by a clever replay attack on Gmail users abusing Google infrastructure.

Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials. This attack, first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS). Nick received a very official looking security alert about a subpoena allegedly issued to Google by law enforcement to information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.

As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did. Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email. If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials. Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account. The signs to recognize this scam are the pages hosted at sites.google.com which should have been support.google.com and accounts.google.com and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.

How to avoid scams like this

Don’t follow links in unsolicited emails or on unexpected websites.

Carefully look at the email headers when you receive an unexpected mail.

Verify the legitimacy of such emails through another, independent method.

Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.

Technical details Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb. DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication. So, what the cybercriminals did was: Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.” Register an OAuth app and set the app name to match the phishing link Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name. Forward the message untouched which keeps the DKIM signature valid. Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site may seem a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, which is not easy on sites.google.com. Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.

AND DO YOU HAVE ANY MCSR FIC RECS. FORGOT TO ASK

thank you for the asks! i mostly do my mcsr stuff on my sideblog but since you’re here anon i do have a few (and i will get to the other ask in a bit) i hope you don't mind incomplete fics, because i have quite a few of those in here. anyways, in no particular order:

A Field Guide to Speedrunners by loanword. honestly you should go and read all of tri's stuff but this is the fic that got me. snappy writing style and a great grasp on characterization

Grave Digging by sumactic is an ongoing fic in their pjo au and i am so fascinated by what is going on with their nerdi and k4. good writing and a very interesting dynamic and i cant wait to see more

into this world in wonder from a starlight sky by confusedkestrel is a fun read and i love how they wrote the dynamic between poundy and fein. you should go read all of their mcsr fics tbh

coffee beans, fein-ly ground by igneousarchive and *megamind meme* no villains? by justpressX are two (unrelated) oneshots that i thought were fun.

[FILE: FALLEN ANGEL ET AL VS. SHOCKWAVE ET AL] by weareallstardustfallen is set in a superhero au and also makes use of mixed-media (or, text-based simulations of it), which i am always a big fan of

and now, time for a bit of hashtag self promo but my current ongoing series is outfished. its an au making use of my oc universe setting and can best be described as a modern-day fantasy with a focus on worldbuilding and intrigue. i also play around a bit with css formatting and in-universe documents if you're into that sort of thing.

there's a lot of good fics out there in the tag that i haven't listed here so when you have the time i would recommend just going through the entire tag. its not a terribly huge tag (though it is growing) so its a pretty manageable browse imo. (then again, my perception of reasonable may be a bit skewed. iykyk.)

Top surgery recovery has involved an onslaught of emotions that I'm still figuring out how to express, but this grief was not something I anticipated would be part of it.

made another zine :3

tumblr is full of phrases that we are all so desensitized to that they're just normal, but if you say it to a person in real life its so funny to them its a one-hit insta kill

Something to watch for, which I learned from stage magic but which is extremely relevant to detecting scams as well:

The magician or scammer will *tell you* how he is going to prove his honesty.

The magician rifles through the deck until you say "stop", then he says, "Are you sure? I'll keep going if you want." and asks "Now, you agree that you could have stopped anywhere you wanted, so there's absolutely no way I could know which card you got" and because it's a magic show and you aren't paying close attention you didn't notice he didn't deal a card from where you stopped, he dealt the bottom card of the deck.

The magician doesn't ask you, "What would it take for you to believe this" because you might say, "I'd need you to use a sealed deck" or "I'd have to personally shuffle the deck" or some other proof that would make the trick impossible.

Magicians say "You agree that if I did *this*, it would mean *that*, right?" and you say yes, and it feels like you are the one who got to verify things, but of course the magician is lying and the proof is nothing of the kind.

Scammers do the same thing. A really concrete example is phone scammers pretending to be working for the government will say, "Look, I see you're skeptical if I'm who I say I am, I'm going to hang up and call back, and you'll see on the caller ID it says, 'FBI' and that tells you that I'm really working for the government."

Now, caller ID can be spoofed pretty easily, so it doesn't prove anything at all.

But it *feels* to you like you demanded proof and the scammer was willing to give you the proof.

But you didn't tell the scammer what out would take to prove it to you, the scammer told you what the proof would be.

This is actually like a really basic thing to look for if you want to start decoding magic tricks and scams.

i had a dream i worked in an underwater restaurant and people kept ordering ice in their drinks and then getting mad at me when it would float away. and i’d tell them beforehand that the ice would float away & they’d be like lol no that’s not how it works just give me the ice. I’m fighting customer service battles never seen before

really enjoying all the videos Muslims have been posting of their cats looking like this

when the humans are up at 4 am for suhoor

end of season design for divorcesteal arch :3 start of season ref under the cut for comparison