HACKER Q&A
📣 jwally

Can I Know If My Website Is Being Spoofed?


For example, say I own "bank.com". A phisher purchases "bank.evil".

They make the login page at "bank.evil" look like the one at "bank.com"

Whenever a victim goes to "bank.evil", it connects to a server that connects to an automation tool that connects to "bank.com".

Whatever the victim does at "bank.evil", the phisher's browser does at "bank.com".

Any solution that has you perform an action on the site that initiated the request might just be the evil site asking for your information for the legit site.

Are there any techniques or products that foil this threat?

- OTP, SMS, Push, etc. would fail, I think, because you're putting the proof that you own the account into a tainted site.

- WebAuthn might work because of the SameOrigin rule

- E-Mail might work because you sever the instructions from the spoofed browser

Thanks!

(edit: formatting)
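The WebAuthn point from the question, as an added example (not code from this post or from any WebAuthn library): a minimal relying-party verifier showing why a relayed login fails. Assumptions: the relying party is `bank.com`, `AUTHENTICATOR_KEY` is a constructed placeholder, and HMAC stands in for the credential's real ECDSA signature (a real deployment verifies against the stored public key instead).

```python
import base64
import hashlib
import hmac
import json

# Hypothetical relying party "bank.com". AUTHENTICATOR_KEY is a constructed
# placeholder: HMAC stands in for the credential's real ECDSA key pair.
RP_ID = "bank.com"
EXPECTED_ORIGIN = "https://bank.com"
AUTHENTICATOR_KEY = b"constructed-demo-key"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """What browser + authenticator return for navigator.credentials.get() on a
    page at page_origin. The browser, not the page, writes the origin into
    clientDataJSON; the authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion: dict, challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks in spec order: type, challenge, origin, rpIdHash, signature.
    Returns (accepted, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(challenge)):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:  # the check that defeats a relayed login
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if not hmac.compare_digest(auth_data[:32], RP_ID_HASH):
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"
```

Because the origin sits inside the signed clientDataJSON, a relay that forwards the victim's assertion unchanged fails the origin check, and one that edits the origin field fails the signature check.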


  👤 bombcar Accepted Answer ✓
Probably your main way of detecting this is sudden IP differences for the customer(s).

If I log in to my bank, it's usually either from my home IP or my cell provider's IPs.

If suddenly a login is from Russia, that's likely suspect.

However, even if you detect it, how do you "solve" it? That's harder, because anything you "put up" the customer will just put into the evil site.

Your best bet is to have email verification (side channel) for big ticket things. Assume all the above has been done, and bank.evil stays logged in after the customer has left, and they try to transfer money - it now asks for a code sent to the customer's email with a "you are making a transfer" notice in the email - that should get the customer excited enough to call and find out what is happening.