[heartsucker]

> What makes an attack like this so effective is that you never expect to see something as convincing as this

I've been working on phishing and counter-phishing recently, and if someone is actually putting any effort in, you have to expect something like this. Very legitimate looking email, the correct signature (complete with up to date font/logo), and a virtually perfect copy of the login page to whatever service they're using. All of this, even just to target a single person, is under 8 hours of work, which is to say, it's a simple task for someone who really wants to phish you.

The article mentions having an IDS and disaster recovery plans, and this is the best you can hope for as pretty much everyone is susceptible to this, and AI still can be beaten.

Source: I've done this, beaten Gmail's anti-scam filters, and phished CTOs.

[tomjen3]

Then you may be able to answer this question: is it really a problem that those people accessed the link but didn't login? Because sure you could put malware on it, but that's possible on any website.

[heartsucker]

Yes, but in theory some sort of MAC could stop it from accessing important files, or anti-virus could detect it and stop it too. But once the password leaves the computer, it's going to take a lot more effort to mitigate the damage. Also, your browser is on your side for protecting against malware, so for example if you have Flash disable, that's a whole vector you can just ignore.

[utefan001]

A friend and I have a private github repo app that does host based DNS whitelisting. Looking for more Electron / node contributors.

Trust the top 10,000 domains, then the user has to allow anything beyond that. Built off of dnsjack. App will point to corporate dns server.

https://twitter.com/mabraFoo/status/790678093618900993