Most of us have way more usernames and passwords than we can remember. Thankfully, our browsers can store these for us, but using single sign-on is even more convenient, as it avoids creating credentials for each and every site we visit. The most popular one around is Google’s solution, which lets you use your Gmail username and password to connect to any website that supports it. However, as the solution is widely used, some malicious sites embed login pages which can capture the user’s credentials and even their 2FA token. To protect users from such attacks, Google is now blocking sign-in attempts from embedded pages.
This phishing attack is known as MITM (Man in the middle), where the actual login page is embedded inside another one that acts as a relay. What this means it the first one can not only capture your username and password, but get access to your authentication token even if you used two-factor authentication to log in. From there on, the attacker will be able to copy your cookies and impersonate you.
Unlike more traditional malicious sites, this method doesn’t try to replicate the authentication page, but instead uses the actual one and acts as a proxy to capture the exchanged data packets, which makes it much harder to spot. The safest way to know if you’re on the actual sign-in page is by looking at URL you’re on, and not the green lock icon, which merely indicates whether the site uses an SSL connection. Because embedded pages do not display the web address, Google is now preventing users from logging into its service from embedded pages.
While this makes the process more secure for Gmail users, bear in mind the phishing process can be used with any site, so you should always check the address before entering your credentials. For example, a site could impersonate Outlook’s login page using a similar-looking URL like 0utlook.com (the first character being a zero instead of an O), so it’s essential to pay close attention to the address bar when signing in, even if you’re using 2FA.