A Google search landed me on api dot em tee arr dot pub (not linking to avoid improving rankings), which seems to be a github phising site. And I fell for it and logged in :(
Luckily I have 2fa enabled and don’t reuse that password. And they didn’t present me with a 2fa box (I guess they could have done if they’d passed my password on pretending to be me?), they just said there was an API error or something. So probably not a problem?
I’ve changed password. I wonder if it’s possible to see whether anyone tries to log in. And I wonder if there’s anything useful I can do. There’s a “send feedback on this info” on Google which I used, dunno if anyone will see it.
(it wasn’t the first search result, it was after two results on github and “images”. I opened it in a new tab out of curiosity, then didn’t notice when I was in that tab instead of a github tab.)
An interesting thing here is, I often don’t have my browser remember passwords. On my work laptop that’s company policy (but we use lastpass), on my personal laptop it’s a possibly-overly-paranoid (and inconsistently applied) defense against someone with access to my laptop (or e.g. to a backup of my files).
So I wasn’t surprised when the github login form didn’t autofill my password. (Even though I think github actually is saved.) If I had been surprised, I wonder if I’d have noticed.
This might be an example of “things which are in theory more secure might be less secure in practice”.
For logins such as Github, the trick is to have a password that’s complex enough that it’s only in the password manager and not in your brain, so you can’t be tricked into just typing it out.
Then, if the password doesn’t get filled, it’s about starting the password manager and letting the password manager fill it in.
I take it you mean “if the password manager doesn’t fill it in, that’s a sign you’re on the wrong site”? The password manager I use on my personal laptop isn’t integrated with my browser, so that wouldn’t have helped in my case, but yeah.
(I don’t use an integrated one partly because I’ve never properly looked into browser extensions. I don’t know what’s available and I haven’t thought about the tradeoffs.)
I do see integrating the password manager is important. Especially with a service like PayPal where it often happens that the side where you are shopping is opening a new window for PayPal it’s quite easy for it to give you a fake window.
For those who don’t want to look (in a sandbox VM or at least private browser), it visually appears identical to https://github.com/, but with a letsencrypt certificate (not visibly different unless you look). It presumably exists to get people to type in their github credentials, to be used later for nefarious purposes.
It’s a good reminder of just how good phishing sites have gotten.
A Google search landed me on api dot em tee arr dot pub (not linking to avoid improving rankings), which seems to be a github phising site. And I fell for it and logged in :(
Luckily I have 2fa enabled and don’t reuse that password. And they didn’t present me with a 2fa box (I guess they could have done if they’d passed my password on pretending to be me?), they just said there was an API error or something. So probably not a problem?
I’ve changed password. I wonder if it’s possible to see whether anyone tries to log in. And I wonder if there’s anything useful I can do. There’s a “send feedback on this info” on Google which I used, dunno if anyone will see it.
(it wasn’t the first search result, it was after two results on github and “images”. I opened it in a new tab out of curiosity, then didn’t notice when I was in that tab instead of a github tab.)
An interesting thing here is, I often don’t have my browser remember passwords. On my work laptop that’s company policy (but we use lastpass), on my personal laptop it’s a possibly-overly-paranoid (and inconsistently applied) defense against someone with access to my laptop (or e.g. to a backup of my files).
So I wasn’t surprised when the github login form didn’t autofill my password. (Even though I think github actually is saved.) If I had been surprised, I wonder if I’d have noticed.
This might be an example of “things which are in theory more secure might be less secure in practice”.
For logins such as Github, the trick is to have a password that’s complex enough that it’s only in the password manager and not in your brain, so you can’t be tricked into just typing it out.
Then, if the password doesn’t get filled, it’s about starting the password manager and letting the password manager fill it in.
I take it you mean “if the password manager doesn’t fill it in, that’s a sign you’re on the wrong site”? The password manager I use on my personal laptop isn’t integrated with my browser, so that wouldn’t have helped in my case, but yeah.
(I don’t use an integrated one partly because I’ve never properly looked into browser extensions. I don’t know what’s available and I haven’t thought about the tradeoffs.)
I do see integrating the password manager is important. Especially with a service like PayPal where it often happens that the side where you are shopping is opening a new window for PayPal it’s quite easy for it to give you a fake window.
For those who don’t want to look (in a sandbox VM or at least private browser), it visually appears identical to https://github.com/, but with a letsencrypt certificate (not visibly different unless you look). It presumably exists to get people to type in their github credentials, to be used later for nefarious purposes.
It’s a good reminder of just how good phishing sites have gotten.