Chrome And Safari Alert: This Sign Means You’re Hacked

Summary
– Hackers are using a deceptive “rn” typo trick in URLs to impersonate companies like Microsoft and Marriott, creating fake websites that appear nearly identical to legitimate ones.
– These homoglyph attacks exploit visually similar characters and are highly effective for phishing, making it difficult for users, especially on mobile screens, to spot the fakes.
– A critical defense is to never log into accounts via links from messages or emails, and instead use official apps or directly navigate to known websites.
– Password managers like 1Password are adding protection by refusing to auto-fill credentials on websites whose URLs don’t match those stored in the user’s vault.
– The phishing threat is widespread, with recent campaigns targeting over 100 organizations across various sectors using sophisticated methods like live phishing panels to intercept login credentials and multi-factor tokens.

A new and particularly deceptive phishing technique is putting millions of users at risk, especially those browsing on smartphones. This threat exploits the difficulty of reading small text on mobile screens, where a simple typographical trick can create convincing fake websites. Cybercriminals are now using the letters “r” and “n” side by side to mimic the letter “m” in web addresses, a tactic known as a homoglyph attack. This makes domains like “rnicrosoft.com” appear almost identical to the legitimate “microsoft.com” at a glance, leading unsuspecting users to enter their login credentials on fraudulent pages.
Recent campaigns have specifically targeted major brands like Microsoft and Marriott. The objective is straightforward: steal valuable account credentials. In the case of Microsoft, a successful phishing attempt could give attackers access to a user’s entire digital ecosystem, including email, cloud storage, and professional tools. The most critical defense is behavioral: never log into any account by clicking a link received in an email or message. Always navigate directly to the official website or use the dedicated application. Furthermore, enabling passkeys and two-factor authentication (2FA) on all critical accounts adds an essential layer of security that can stop attackers even if they obtain your password.
Thankfully, technological solutions are emerging to combat this threat. Password managers are stepping up their game. For instance, 1Password has introduced a new feature designed to block these attacks automatically. The system works by comparing the URL of the site you are visiting with the web address stored in your vault for that login. If the addresses do not match, 1Password will refuse to auto-fill your credentials and will display a clear warning about the suspicious site. This built-in protection relieves users of the burden of visually inspecting every URL for subtle character tricks, a task that is notoriously difficult on a small phone screen.
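
The kind of check described above can be sketched as follows. This is an added example, not 1Password's code: it fills only on an exact hostname match and separately flags hosts that match a saved entry only after look-alike sequences are collapsed. The vault contents, function names and the extra "vv" rule are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample vault: hostnames the user saved logins for (assumption).
VAULT_HOSTS = {"login.microsoft.com", "www.marriott.com"}

# Letter sequences that read as one letter in small fonts. "rn" -> "m" is the
# trick the article describes; "vv" -> "w" is an added assumption.
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"))


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def skeleton(host):
    """Collapse look-alike sequences so visually similar hosts compare equal."""
    for sequence, single in CONFUSABLE_SEQUENCES:
        host = host.replace(sequence, single)
    return host


def check_autofill(url, vault_hosts=VAULT_HOSTS):
    """Classify a page as 'fill', 'lookalike' or 'no-match'.

    'fill'      - hostname is exactly one stored in the vault
    'lookalike' - hostname differs, but is visually equal to a stored one
    'no-match'  - nothing in the vault resembles this hostname
    """
    host = host_of(url)
    if not host:
        return "no-match"
    if host in vault_hosts:
        return "fill"
    # Both sides are collapsed, so legitimate names containing "rn" still work.
    if any(skeleton(host) == skeleton(saved) for saved in vault_hosts):
        return "lookalike"
    return "no-match"
```

Because filling requires an exact match, a host that merely starts with a trusted name, such as `login.microsoft.com.evil.example`, is also refused; the look-alike branch exists only to produce a more specific warning.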
However, the phishing landscape is evolving beyond simple fake login pages. A broader cybercrime campaign has been identified, targeting over one hundred organizations across software, finance, healthcare, and other critical sectors. This sophisticated operation uses a “Live Phishing Panel,” which allows a human attacker to intercept login credentials and multi-factor authentication (MFA) tokens in real time. This method provides immediate and persistent access to corporate systems, moving far beyond just stealing a static password. Despite the advanced tactics, these attacks still often begin with a fraudulent domain designed to trick users.
This escalation highlights the persistent vulnerability of employee credentials as an entry point into corporate networks. It also underscores a worrying gap in basic security hygiene. Many users, both at home and in the workplace, have still not adopted fundamental protections like multi-factor authentication. While tools like advanced password managers provide a powerful defense, the combination of user vigilance and robust security settings remains the most effective shield against these increasingly clever and dangerous online threats.
(Source: Forbes)





