Any creative solution to make it harder for hackers to copy your IdP login page?

Wessel, Keith kwessel at illinois.edu
Mon Mar 26 15:47:56 EDT 2018


Hi, all,

We've had a couple of recent phishing attempts where hackers have hosted their own stolen copy of our IdP login page in order to trick users into giving them their usernames and passwords. Our move toward MFA is going to make this much more difficult (I'm not naive enough to say impossible), but we're hoping to make it harder for this trick to work in the meantime. Our security folks asked if we could add some JavaScript that would bring up an impossible-to-close pop-up if the hostname didn't match what it should be. This is, of course, possible but also easy for a hacker to remove.

We already have text at the bottom of our IdP login page stating what the hostname should be in the address bar, but nobody reads that part. Amusingly, the hackers didn't even change that part in their login page knock-offs. But our security folks didn't even notice that text until I pointed it out to them.

I'm wondering if anyone has come up with creative solutions to slow down hackers from doing this kind of thing.

Thanks for any thoughts,
Keith
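The hostname check that the security team asked about, written out as an added example; this is not code from the post or from any IdP product, and the IdP hostname is an assumed placeholder. It follows the post's own caveat: a cloned page served from some other host trips the check, but anyone who copies the page can just as easily delete the script, so it is a speed bump rather than a control. The comparison is an exact match, not a substring test, so a lookalike host that merely contains the real name does not pass, and the check disables the form rather than relying on a pop-up the user can dismiss.

```javascript
// Added example (not from the original post): warn when a copy of the IdP
// login page is being served from a host other than the real IdP.
// The hostnames below are assumed placeholders; replace with the real IdP host(s).
const EXPECTED_IDP_HOSTS = ["idp.example.edu"];

// Normalise a hostname for comparison: lower-case and strip a trailing dot.
function normalizeHost(host) {
  return String(host || "").trim().toLowerCase().replace(/\.$/, "");
}

// Exact match only: "idp.example.edu.attacker.test" or "login-idp.example.edu"
// must not be accepted just because they contain the real name.
function isExpectedIdpHost(hostname, allowed = EXPECTED_IDP_HOSTS) {
  const h = normalizeHost(hostname);
  return allowed.map(normalizeHost).includes(h);
}

// Build the warning text; returned rather than displayed so it can be tested.
function hostnameWarning(hostname, allowed = EXPECTED_IDP_HOSTS) {
  if (isExpectedIdpHost(hostname, allowed)) return null;
  return `This page is being served from "${normalizeHost(hostname)}", ` +
         `not from ${allowed.join(" or ")}. Do not enter your password here.`;
}

// Browser hook: takes the window object so it can run against a stub in tests.
// Returns true when a warning was shown and the form was disabled.
function runInBrowser(win) {
  if (!win || !win.location || !win.document) return false;
  const msg = hostnameWarning(win.location.hostname);
  if (msg === null) return false;
  // Disable the credential fields instead of relying on a closable pop-up.
  for (const el of win.document.querySelectorAll("input, button")) el.disabled = true;
  const banner = win.document.createElement("div");
  banner.setAttribute("role", "alert");
  banner.textContent = msg;
  win.document.body.prepend(banner);
  return true;
}

// In a real page this runs on load; under Node there is no window, so it is skipped.
if (typeof window !== "undefined") runInBrowser(window);
```

The same function can be fed a small list of legitimate hosts (a staging IdP, for instance) without loosening the match; what it cannot do is survive an attacker who strips the script before re-hosting the page, which is exactly the limitation the post notes.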


