Attempt to phish 1Password users [only enter account credentials at your 1Password.com sign in page]
When I was doing a certificate transparency log search on crt.sh, I was using "%1password.com" to see how 1Password is managing its certificates, and I came across this domain: endouble-1password.com, which is hosted on a DigitalOcean server and uses Let's Encrypt. It is clearly a phishing website targeting endouble.com users or staff.
I don't know whether what I found is of value or not, just putting it out here.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@richardevs: Wow. They're very clearly trying to imitate a real 1Password.com sign in page, like this one (for individual accounts):
https://my.1password.com/signin
Definitely always check to make sure you're at the real 1Password.com site before entering any information there. This attack wouldn't be very effective since they don't appear to be attempting to collect the Secret Key, but we certainly don't want them collecting people's Master Passwords either. Thank you for bringing this to our attention!
0 -
@brenty this would help ;)
https://discussions.agilebits.com/discussion/79513/feature-idea#latest
0 -
@prime But a 1Browser is a false thing on Windows or Mac or iOS, not really sure what you are trying to pull off here.
If we really want to have a greater security mindset here, the thing to do is to check whether your domain ends with 1password.com, since wildcard EV certificates do not exist.
0 -
My idea is that there would be a setting that 1Password.com would ONLY open in the 1Password browser. So if you click on a hyperlink from an email, and it opens in any browser but the 1Password browser, you know it's fake.
Also, education is everything. I tell everyone in my family and my friends to never click on a hyperlink from any message. If they get one that claims to be from their (bank, iTunes, email, or whatever), go into that account on their own and check.
0 -
My idea is that there would be a setting that 1Password.com would ONLY open in the 1Password browser. So if you click on a hyperlink from an email, and it opens in any browser but the 1Password browser, you know it's fake.
@prime: Interesting. I think it's a cool idea, even if there are a few pitfalls there. Maybe something we can pursue in the future if there's enough interest, or a specific need for that.
Also, education is everything. I tell everyone in my family and my friends to never click on a hyperlink from any message. If they get one that claims to be from their (bank, iTunes, email, or whatever), go into that account on their own and check.
Yeah, unfortunately the only way to be sure is to navigate to the site manually the old fashioned way: entering the URL with the keyboard. (More on that below.) :(
0 -
If we really want to have a greater security mindset here, the thing to do is to check whether your domain ends with 1password.com, since wildcard EV certificates do not exist.
@richardevs: Totally! Being aware and vigilant definitely makes a huge difference with regard to security. I don't think this is quite what you meant, but having 1password.com at the end (or paypal.com) doesn't necessarily guarantee we're dealing with a legitimate site, as in your example above. Not everyone will distinguish between youraccountsignin-1password.com and youraccountsignin.1password.com, and only the latter will be associated with a 1Password.com membership from AgileBits. The best way to be sure is to
- Manually type https://1password.com into the browser
- Verify the AgileBits Inc. "green" EV (Extended Validation) certificate in the address bar
- Click "Sign In" in the top right
- Complete your Sign In Address (if necessary) and login
Thanks again for bringing this up!
0
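The two checks discussed in this thread, hunting lookalike names in Certificate Transparency output and telling youraccountsignin-1password.com apart from youraccountsignin.1password.com before entering a Master Password, come down to the same rule: a hostname is only legitimate if it is the apex 1password.com or ends in ".1password.com" with the dot as a label boundary. The following is an added example written for this page, not code from AgileBits or from the thread. It parses records in the shape crt.sh returns for `?output=json` (the sample data is constructed; `evil.example` and the issuer fields are placeholders) and applies the same rule to URLs. One detail worth knowing: crt.sh treats `%` as a SQL LIKE wildcard, so the search `%1password.com` matches any name that merely ends in that string, dot or not, which is exactly why endouble-1password.com surfaced; `%.1password.com` would have restricted the search to real subdomains.

```python
"""Added example: separate real 1Password.com hostnames from lookalikes,
both in hostnames pulled from a crt.sh search and in URLs a user is about
to click. Not AgileBits code; all sample data below is constructed."""
import json
from urllib.parse import urlsplit

BRAND = "1password"           # substring a phisher wants in the name
LEGIT_APEX = "1password.com"  # the only registrable domain we trust (assumption)


def is_legit_host(host: str, apex: str = LEGIT_APEX) -> bool:
    """True only for the apex itself or a real subdomain (label boundary '.')."""
    host = host.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def is_lookalike_host(host: str, brand: str = BRAND, apex: str = LEGIT_APEX) -> bool:
    """Brand string present but not under the legitimate apex,
    e.g. 'endouble-1password.com' or '1password.com.evil.example'."""
    host = host.lower()
    return brand in host and not is_legit_host(host, apex)


def classify_crtsh(json_text: str, brand: str = BRAND, apex: str = LEGIT_APEX) -> dict:
    """Parse crt.sh ?output=json records (one per certificate; SAN names are
    newline-separated in name_value) into {hostname: verdict}."""
    verdicts = {}
    for record in json.loads(json_text):
        for name in record["name_value"].split("\n"):
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]        # wildcard cert: judge the base name
            if not host:
                continue
            if is_legit_host(host, apex):
                verdicts[host] = "legitimate"
            elif is_lookalike_host(host, brand, apex):
                verdicts[host] = "lookalike"
            else:
                verdicts[host] = "unrelated"
    return verdicts


def is_legit_signin_url(url: str, apex: str = LEGIT_APEX) -> bool:
    """What to check before typing a Master Password: HTTPS and a hostname
    under the real apex. The path and anything after the host are irrelevant."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname is not None
            and is_legit_host(parts.hostname, apex))


# Constructed sample in the shape crt.sh returns for a %-wildcard search.
# Because '%' is a SQL LIKE wildcard, "%1password.com" also matches names
# such as "endouble-1password.com" (no dot required). Issuer fields are
# placeholders, not real certificate data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "constructed", "name_value": "1password.com\n*.1password.com"},
    {"issuer_name": "constructed", "name_value": "my.1password.com"},
    {"issuer_name": "constructed",
     "name_value": "endouble-1password.com\nwww.endouble-1password.com"},
    {"issuer_name": "constructed", "name_value": "youraccountsignin-1password.com"},
    {"issuer_name": "constructed", "name_value": "1password.com.evil.example"},
])

if __name__ == "__main__":
    for host, verdict in sorted(classify_crtsh(SAMPLE_CRTSH_JSON).items()):
        print(f"{verdict:11} {host}")
    for url in ("https://my.1password.com/signin",
                "https://my.1password.com.evil.example/signin",
                "http://my.1password.com/signin"):
        print(is_legit_signin_url(url), url)
```

Against the constructed sample, only 1password.com and my.1password.com come back as legitimate; the hyphenated names and the apex-as-subdomain trick (1password.com.evil.example) are all flagged as lookalikes, and a plain-http link to the real host is rejected as well. Swapping `SAMPLE_CRTSH_JSON` for the live crt.sh response turns this into a simple brand-monitoring check.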