Quote:
Originally Posted by ChinaLamb
Check this out... Hackers targeting journalists, including those using 2FA (which is simple 2-factor authentication -- i.e. authenticator codes)...
It appears that in that example, the phishing method is for the hacker to cause a message or prompt to appear on a user's device which is intended to make the user change their password for a particular application - specifically by clicking a link provided by the hacker.
Quote:
Amnesty International said the group of hackers they've been tracking pulls this off by sending out fake but convincing security alerts that look like they came from Google or Yahoo. The alerts will claim the victim's account may have been breached and provide a link to an official-looking login page to initiate a password reset.
Presumably, if you don't click this link, but instead navigate to the original web site to check the security status and any messages, e.g. on your Google account, then you won't be feeding the hacker with your 2FA code when you log in.
It seems that if you avoid clicking such notification links, and instead type the URL into a web page for the site in question, you can avoid the phishing attempt - is this assumption correct?