Attempt to phish 1Password users [only enter account credentials at your 1Password.com sign in page]

richardevs
Community Member
edited June 2017 in Lounge

When I was doing a certificate transparency log search on crt.sh, I was using "%1password.com" to see how 1Password is managing its certificates, and I came across this domain: endouble-1password.com, which is hosted on a DigitalOcean server and uses Let's Encrypt, and it is clearly a phishing website targeting endouble.com users or staff.

Don't know whether what I found is of value or not; just putting it out here.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @richardevs: Wow. They're very clearly trying to imitate a real 1Password.com sign in page, like this one (for individual accounts):

    https://my.1password.com/signin

    Definitely always check to make sure you're at the real 1Password.com site before entering any information there. This attack wouldn't be very effective since they don't appear to be attempting to collect the Secret Key, but we certainly don't want them collecting people's Master Passwords either. Thank you for bringing this to our attention!

  • richardevs
    Community Member

    @prime But a 1Browser is a false thing on Windows, Mac or iOS; not really sure what you are trying to pull off here.

    If we really want to have a greater security mindset here, the thing to do is to check whether your domain ends with 1password.com, since wildcard EV certificates do not exist.

  • prime
    Community Member
    edited June 2017

    My idea is that there would be a setting that 1Password.com would ONLY open in the 1Password browser. So if you click on a hyperlink from an email, and it opens in any browser but the 1Password browser, you know it's fake.

    Also, education is everything. I tell everyone in my family and my friends to never click on a hyperlink from any message. If they get one from their (bank, iTunes, email, or whatever), go into that account on their own and check.

  • AGAlumB
    1Password Alumni

    My idea is that there would be a setting that 1Password.com would ONLY open in the 1Password browser. So if you click on a hyperlink from an email, and it opens in any browser but the 1Password browser, you know it's fake.

    @prime: Interesting. I think it's a cool idea, even if there are a few pitfalls there. Maybe something we can pursue in the future if there's enough interest, or a specific need for that.

    Also, education is everything. I tell everyone in my family and my friends to never click on a hyperlink from any message. If they get one from their (bank, iTunes, email, or whatever), go into that account on their own and check.

    Yeah, unfortunately the only way to be sure is to navigate to the site manually the old-fashioned way: entering the URL with the keyboard. (More on that below.) :(

  • AGAlumB
    1Password Alumni
    edited June 2017

    If we really want to have a greater security mindset here, the thing to do is to check whether your domain ends with 1password.com, since wildcard EV certificates do not exist.

    @richardevs: Totally! Being aware and vigilant definitely makes a huge difference with regard to security. I don't think this is quite what you meant, but having 1password.com at the end (or paypal.com) doesn't necessarily guarantee we're dealing with a legitimate site, as in your example above. Not everyone will distinguish between youraccountsignin-1password.com and youraccountsignin.1password.com, and only the latter will be associated with a 1Password.com membership from AgileBits.

    The best way to be sure is to

    1. Manually type https://1password.com into the browser
    2. Verify AgileBits Inc. "green" EV (Extended Validation) certificate in the address bar
    3. Click "Sign In" in the top right
    4. Complete your Sign In Address (if necessary) and login

    Thanks again for bringing this up!
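The distinction this thread turns on (youraccountsignin.1password.com is a subdomain of 1password.com, while youraccountsignin-1password.com and endouble-1password.com are entirely different registrable domains that merely end in the same characters) and the crt.sh "%1password.com" search from the opening post, as an added Python example. This is not code from the forum thread or from AgileBits: the `%` to `*` translation only approximates crt.sh's SQL LIKE matching, and the sample hostnames are constructed except endouble-1password.com, which the original post names.

```python
"""Separate real 1password.com hostnames from hyphenated lookalikes.

Added example, not code from the forum thread or from AgileBits. The sample
hostnames below are constructed, except endouble-1password.com, which the
original post names.
"""
import fnmatch
from urllib.parse import urlsplit

LEGIT_DOMAIN = "1password.com"


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return host.strip().rstrip(".").lower()


def is_legit_host(host: str, domain: str = LEGIT_DOMAIN) -> bool:
    """True only if host is exactly `domain` or a label-separated subdomain of it.

    'youraccountsignin.1password.com' passes; 'youraccountsignin-1password.com'
    fails because the character before '1password.com' is '-', not '.', so it
    is a different registrable domain that anyone can buy a certificate for.
    """
    h = normalize_host(host)
    return h == domain or h.endswith("." + domain)


def matches_ct_pattern(host: str, pattern: str) -> bool:
    """Approximate a crt.sh identity search such as '%1password.com'.

    crt.sh accepts SQL LIKE wildcards; '%' matches any run of characters, which
    fnmatch expresses as '*'. This mimics crt.sh behaviour; it is not its code.
    """
    return fnmatch.fnmatchcase(normalize_host(host), pattern.lower().replace("%", "*"))


def classify(host: str, domain: str = LEGIT_DOMAIN) -> str:
    """'legit' for the real domain and its subdomains, 'lookalike' when the
    brand string appears anywhere else in the hostname, 'unrelated' otherwise."""
    h = normalize_host(host)
    if is_legit_host(h, domain):
        return "legit"
    brand = domain.rsplit(".", 1)[0]  # '1password'
    if brand in h:
        return "lookalike"
    return "unrelated"


def classify_url(url: str, domain: str = LEGIT_DOMAIN) -> str:
    """Classify the hostname of a full URL, e.g. one pasted from an e-mail.

    The check runs on the parsed hostname only, never on the whole URL string,
    so path or query text cannot influence the verdict.
    """
    hostname = urlsplit(url).hostname
    if not hostname:
        return "unrelated"
    return classify(hostname, domain)


def triage_ct_results(hosts, pattern="%1password.com"):
    """Keep the CT-log hits the pattern would return and classify each one.

    Returns {hostname: verdict}; the pattern matches both real subdomains and
    hyphenated lookalikes, which is why the stricter classify() step is needed.
    """
    return {h: classify(h) for h in hosts if matches_ct_pattern(h, pattern)}


# Constructed sample of what a crt.sh search for '%1password.com' might return,
# plus one hostname that would not match the pattern at all.
SAMPLE_CT_HITS = [
    "my.1password.com",
    "youraccountsignin.1password.com",
    "youraccountsignin-1password.com",
    "endouble-1password.com",
    "1password.com",
    "example.org",
]

if __name__ == "__main__":
    for host, verdict in triage_ct_results(SAMPLE_CT_HITS).items():
        print(f"{host:40} {verdict}")
    print(classify_url("https://my.1password.com/signin"))
```

The lookalike verdict is a coarse substring heuristic sufficient for the hostnames discussed in this thread; a hostname that does not contain the exact brand string is reported as unrelated. The point of the example is the legit check: membership is decided by the label boundary (a literal "." before the registrable domain), never by whether the string happens to end in "1password.com".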

This discussion has been closed.