Any creative solution to make it harder for hackers to copy your IdP login page?
Liam Hoekenga
liamr at umich.edu
Mon Mar 26 15:52:24 EDT 2018
We had played with the idea of replacing all of the images or css files for
the login page if the referrer wasn't the login page.. but referrer isn't
the most reliable data.
On Mon, Mar 26, 2018 at 2:47 PM, Wessel, Keith <kwessel at illinois.edu> wrote:
> Hi, all,
>
> We've had a couple recent phishing attempts where hackers have hosted
> their own stolen copy of our IdP login page in order to trick users into
> giving them their usernames and passwords. Our move toward MFA is going to
> make this much more difficult (I'm not naive enough to say impossible), but
> we're hoping to make it harder for this trick to work in the meantime. Our
> security folks asked if we could add some javascript that would bring up an
> impossible-to-close pop-up if the hostname didn't match what it should be.
> This is, of course, possible but also easy for a hacker to remove.
>
> We already have text at the bottom of our IdP login page stating what the
> hostname should be in the address bar, but nobody reads that part.
> Amusingly, the hackers didn't even change that part in their login page
> knock-offs. But our security folks didn't even notice that text until I
> pointed it out to them.
>
> I'm wondering if anyone has come up with creative solutions to slow down
> hackers from doing this kind of thing.
>
> Thanks for any thoughts,
> Keith
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
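The two ideas raised in this exchange, Referer-gated login-page assets and a client-side hostname check, as an added JavaScript example; this is not code from the thread or from the Shibboleth project. The hostname `idp.example.edu`, the function names and the warning wording are assumed placeholders. The first function is meant to run server side in front of the login page's CSS and image files; the second half only runs when a DOM is present, so the whole file also loads in Node for testing.

```javascript
// Added example, not from the Shibboleth users thread. Hostnames are
// placeholders: substitute the host(s) your IdP is actually served from.
const EXPECTED_HOSTS = ["idp.example.edu"];

// 1. Referer-gated static assets. Decide which variant of a CSS/image file
//    to serve for a request, based on the Referer header:
//    "real"    -> the referring page is on one of our hosts
//    "warning" -> the referring page is on some other host (a copy of the
//                 login page is pulling our assets)
//    "unknown" -> no usable Referer; serve the real asset, because a browser
//                 with a strict Referrer-Policy legitimately sends none.
//    As the thread notes, the header is unreliable, so "unknown" must never
//    be treated as hostile.
function chooseAssetVariant(refererHeader, expectedHosts = EXPECTED_HOSTS) {
  if (!refererHeader) return "unknown";
  let host;
  try {
    // URL() lowercases the host for us and throws on a malformed value
    host = new URL(refererHeader).hostname;
  } catch (e) {
    return "unknown"; // garbage in the header: treat it like a missing one
  }
  return expectedHosts.includes(host) ? "real" : "warning";
}

// 2. Client-side hostname check. Compare the hostname the browser actually
//    loaded the page from against the expected list. True means the page is
//    being shown from somewhere it should not be.
function hostnameMismatch(actualHostname, expectedHosts = EXPECTED_HOSTS) {
  return !expectedHosts.includes(String(actualHostname).toLowerCase());
}

// Warning text shown on a mismatch, kept in one place so the "warning" asset
// variant and the in-page banner can use identical wording.
function mismatchMessage(actualHostname, expectedHosts = EXPECTED_HOSTS) {
  return (
    `This page was loaded from "${actualHostname}", but the real login page ` +
    `is only served from ${expectedHosts.join(", ")}. Do not enter your password here.`
  );
}

// Browser wiring: only executes when a DOM exists (skipped under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const actual = window.location.hostname;
  if (hostnameMismatch(actual)) {
    const banner = document.createElement("div");
    banner.setAttribute("role", "alert");
    banner.textContent = mismatchMessage(actual);
    // Disable every form control so credentials cannot be typed into a copy
    for (const form of document.querySelectorAll("form")) {
      for (const field of form.elements) field.disabled = true;
    }
    document.body.prepend(banner);
  }
}
```

Both checks only raise the effort for someone copying the page: the script can be stripped from a copy, and a copy can avoid sending a Referer or simply bundle its own copies of the assets, which is why `chooseAssetVariant` serves the real files whenever the header is absent. Their value is in catching the lazy copies the original post describes, the ones that were not even edited to remove the hostname text.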