Beware of the glthubs.com phishing attacks. I nearly fell for this one.

glthubs.com/login

The only thing that saved my bacon is that I should already be logged in! Then I noticed the funny-looking domain name.

@lordalveric Write a script that DDoSes it with randomized login attempts... they won't have any way to verify which logins are real or not without using them at github.com and ultimately get throttled as they use up their IP pool

@freemo Not to mention that I have 2FA set up on that account anyway!

@lordalveric Relying on a password manager that checks domains (e.g. the one built into your browser) is a good first step to protect against this sort of thing.

@ssokolow Yep. That's part of what saved my bacon. The browser did not recognize the site, so it didn't fill it in.

Not sure what they expect to gain from cracking my github site, because most things there are already visible to the public anyway. And the stuff that isn't would not be of too much value to them.

@lordalveric Possibly selling access to your projects to aspiring malware peddlers or hoping to gain access to other sites with a "Login with GitHub" option.

@ssokolow You may be right. 2FA would have foiled them in my specific case anyway, but others...!

GitHub keeps pestering me to engage in other security and recovery measures. Maybe it's high time I did so.

@lordalveric As long as you don't tell them your SMS number.

The reason so many sites are trying to cajole or even force people to add their SMS number is so they can use it as an ad-targeting identifier that's harder to change or have multiple of than e-mail addresses.

@ssokolow Hahaha! I actually have multiple SMS numbers! :)

I rarely give that out, and grow annoyed with how many places insist on having it.

In these days of aggregation of data, you do NOT want to make it that much easier to track you.

Nearly every website you visit has tracker scripts embedded in the pages, as well as ad scripts. Sybu script blocker to the rescue! (There is a similar plugin that works with Firefox.)

@lordalveric Yeah. I run a stack of the MVPS HOSTS file, Firefox's built-in tracker blocker, privacy.resistFingerprinting=true, CanvasBlocker, Cookie AutoDelete, Decentraleyes, HTTPS Everywhere, Privacy Badger, Random User-Agent, uBlock Origin, and uMatrix, with the latter two made stricter than default... and, that's just my day-to-day browsing.

When I'm doing private stuff and not logging into the site anyway, I use Tor Browser instead of "New Private Window".

@lordalveric Who provided the SSL cert? Happily, Firefox presents a Google Safe Browsing Deceptive Site warning now.

@m8ryx There are places you can get a cert for free with minimal checking.
