OWA is vulnerable to Phishing

marcinozga

I can't believe that everyone here is dead wrong. None of the websites mentioned here or OWA are vulnerable to phishing. Not a single website on Internet is. Users are vulnerable to phishing, not websites. Phishing is a social engineering technique to deceive users, not websites. You can create fake Google login form that has both username and password fields and users will fall for it.

marcinozga

@momurda said in OWA is vulnerable to Phishing:

Quick question; How would you go about getting your phishing page to OWA users at a company you were targeting? send them an email with a subject like 'click here to login to your company webmail"? with a link to the fake owa site? They would already have their email open. I suppose it could happen that way, these are users we're talking about.
In the Eternal War on Spam/Malware, what can be done?

Instant messenger is one option.

aidan_walsh

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

Thats exactly what happens. You'd be surprised at what passes for phishing attacks, and how many people fall for them. I've seen ones that have asked people "for security purpose" to enter all 50 4-digit code card entries, something a bank would obviously never do.

And yet...

scottalanmiller

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

Especially as real OWA makes you go to a second page and doesn't take the password on the first one. It's a dead field.

scottalanmiller

@aidan_walsh said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

Thats exactly what happens. You'd be surprised at what passes for phishing attacks, and how many people fall for them. I've seen ones that have asked people "for security purpose" to enter all 50 4-digit code card entries, something a bank would obviously never do.

And yet...

Partially that's because real banks have done that traditionally.

stacksofplates

@scottalanmiller said in OWA is vulnerable to Phishing:

@aidan_walsh said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

Thats exactly what happens. You'd be surprised at what passes for phishing attacks, and how many people fall for them. I've seen ones that have asked people "for security purpose" to enter all 50 4-digit code card entries, something a bank would obviously never do.

And yet...

Partially that's because real banks have done that traditionally.

Like AMEX. I needed a password reset and they asked all of the info on my card, other than my name and expiration.

scottalanmiller

@stacksofplates said in OWA is vulnerable to Phishing:

@scottalanmiller said in OWA is vulnerable to Phishing:

@aidan_walsh said in OWA is vulnerable to Phishing:

@Breffni-Potter said in OWA is vulnerable to Phishing:

Ummm....as an attacker, why can't I just have a next page fake confirmation which forgets the profile photo (easy to overlook in a hurry) and get the password for google anyway?

Same again for the banking website.

Thats exactly what happens. You'd be surprised at what passes for phishing attacks, and how many people fall for them. I've seen ones that have asked people "for security purpose" to enter all 50 4-digit code card entries, something a bank would obviously never do.

And yet...

Partially that's because real banks have done that traditionally.

Like AMEX. I needed a password reset and they asked all of the info on my card, other than my name and expiration.

Yeah, it definitely still happens. And I've had huge security gaps that I've told a bank was not secure and they didn't care. I said... I literally have no means to tell if you are really my bank or not and they are just like "so, we don't care."