After a widely publicised hack or data breach, you’ll often find “password check” sites springing up.
Some of them are legitimate, asking only for your email address and checking it against a list of known data dumps.
→ Dumps are the files that typically circulate on the Underweb after a hack, containing as much or as little personally identifiable information (PII) as the thief cares to share; legitimate password check sites collect these to build a list of probably-hacked email addresses.
But other “password check” sites are as bogus as they sound on the surface.
They ask you to type in your login details, either into a clone of a regular site’s login page, or into a nicely-worded “you can trust us, honest, guv” page of their own.
That sounds like phishing, doesn’t it?
And the reason it sounds like phishing is that it IS phishing!
So, if you don’t know how to recognise legitimate password check sites, assume that they are all bogus, and simply stay away.
Having said that, here’s a password check site which has a sense of humour, as well as teaching a handy lesson.
In the aftermath of the recent Associated Press Twitter hack, and of the Twitter attacks claimed by SEA, the Syrian Electronic Army, it’s not surprising to see a site named ismytwitterpasswordsecure dot com.
It was created by New York-based web developer Alastair Coote, and it looks fairly straightforward:
You ought to spot the satirical comments that give you a hint that this is not your ordinary password checker, such as the warning that the recent AP hack was able to:
compel dozens of blogs to write breathless posts about the future of online journalism.
You wouldn’t type a real password or even a user name in there, would you?
You wouldn’t log in to Twitter from a cloned login form on a completely different site, as should be obvious from the address bar, would you?
Who knows where your password will end up, except that it will probably be somewhere bad?
So, if you start to enter anything at all on this web page, you get Coote’s unreconstructed warning:
Do you see "twitter.com" in the address bar? No, you don't. Don't ever type your login and password to Twitter on a site that isn't twitter.com. Same with Facebook. And LinkedIn. I guess what I'm trying to say here is, don't be an idiot.
Short, sweet, and clear.
- Don’t click login links in emails.
- Check the address bar.
- And watch out for the HTTPS (secure HTTP) padlock in the address bar whenever you are entering PII of any sort, from passwords to account numbers.
Nicely done, Mr Coote: a fake fake site!
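The behaviour described above (warn the moment anything is typed into the login form, because the address bar does not say twitter.com), written out as an added example. This is not Alastair Coote's own code; the form id "login", the warning element id "warning" and the exact wiring are assumptions. The point worth showing is the hostname comparison: a substring test would be fooled by lookalike hosts such as "twitter.com.example" or "nottwitter.com", so the check is made on a label boundary. The padlock only tells you the connection is encrypted to whichever site the address bar names; it is this hostname check that catches the clone.

```javascript
// Added example, not Alastair Coote's code: the check his page performs
// (warn on the first keystroke if the address bar does not show the real
// site), written as a testable function plus the DOM wiring that uses it.
// The form id "login" and the warning element id "warning" are assumptions.

const WARNING = "Do you see \"twitter.com\" in the address bar? No, you don't. " +
  "Don't ever type your login and password to Twitter on a site that isn't twitter.com.";

// True only if `hostname` is exactly `expected` or a subdomain of it.
// Substring tests are fooled by lookalikes such as "twitter.com.example"
// or "nottwitter.com", so the comparison is made on a label boundary.
function isExpectedHost(hostname, expected) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing FQDN dot
  const e = expected.toLowerCase();
  return h === e || h.endsWith("." + e);
}

// Should typing into a login form served from `hostname` trigger the warning?
function shouldWarn(hostname, expected = "twitter.com") {
  return !isExpectedHost(hostname, expected);
}

// Browser wiring; skipped outside a browser so the functions above can be
// exercised from Node as well.
if (typeof document !== "undefined") {
  const form = document.querySelector("form#login");
  const box = document.querySelector("#warning");
  if (form && box) {
    // Fire on the very first character typed into any field of the form.
    form.addEventListener("input", () => {
      if (shouldWarn(window.location.hostname)) {
        box.textContent = WARNING;
        box.hidden = false;
      }
    });
    // Nothing entered here is ever sent anywhere: the submit is swallowed.
    form.addEventListener("submit", (ev) => ev.preventDefault());
  }
}
```

The same function is what a browser extension or a corporate proxy rule would want when deciding whether a page that looks like a Twitter login is actually served from Twitter: compare the whole hostname, not whether the string "twitter.com" appears somewhere in it.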
Nice post. But: One wonders how you got to the red page, Mr. Ducklin? (All in the pursuit of your investigative work assignments, of course.)
My guess is that Duck entered some bogus data. After all, it was hardly likely to complain if what he entered *wasn’t* his Twitter password – right? 🙂
Well, there are no T&Cs on the page, so you can put in anything you like, except someone else's PII, I guess.
What actually happened was that some Twitterers were warning about this site, assuming it really *was* a phish.
I thought I'd take a look, and the satire made it look unphishy to me ("fake fake")…nevertheless, best to check what the site's author planned to do with the data in the login form, eh? So I looked at the source code.
And it is indeed as I reported: if you start to enter anything at all on this web page, you get the NONONONONONO warning.
In the end I just pressed the 'A' key in the username field and took the screenshot.
All in the pursuit of my investigative work assignments, of course 🙂
(I didn't link directly to the page, just so you have to make an active decision to take yourself there.)
I did make the active decision to go to the web page, only to find it was blocked by Sophos Web Protection 🙂 I'm going on the assumption here that the site was hacked, and Alastair Coote isn't trying to spread malware…
In a corporate environment, it makes sense to block this sort of site (or, at least, it does no harm to do so) on the grounds that it deliberately looks like a duck, walks like a duck, quacks like a duck…but isn't.
See below: Microsoft has blocked the site, too.
As @Andy Bellini asks, "Does that count as a false positive?" and I think one has to say, "Not really."
IE reports it as phish site and blocks it! Does that count as a false positive?
legitimate password check sites… SHUDDERS !__YOU MUST BE JOKING RIGHT
Hmmm. With hindsight, I probably should have chosen different words.
They call themselves "password check sites" (or are known by that name), but of course the legit ones do NOT ask for any PII beyond your email address.
The idea is that they use your email address as a lookup key to work out what, if anything, is thought to have been stolen in your name.
They don't need to store the actual breach data, after all – just a hash of your email address plus a list of "compromise flags" to record what PII you may have lost along with your email address…
Sadly someone seems to have reported it as a dangerous site … MS SmartScreen blocked it. Tsk.
Sophos Web Protection is also blocking it as containing Mal/HTMLGen-A
See above…if you disagree with my assessment that this doesn't really count as a false positive, by all means email Sophos Support to say so 🙂
Ha, thanks for the coverage. As others have said, OpenDNS, Sophos and MS have identified it as a 'threat' and are blocking people from accessing it. Shame, but I can see why.
And yes, to be clear: no information ever leaves the page!
Say, can you post a link to a legit password protection site? I'm not sure if this is something I want to trust Google with finding!