Let’s say you went to a website that allowed you to log in using your Google account:
When you pressed the “Log in with Google” button, you saw this:
You had checked that the pop-up web-browser window is really at Google’s domain (“google.com”). So, you entered your Google account name (i.e. your Google email), password and 2-step-verification code.
You should be safe and secure right?
It is still possible that you were phished. In this hypothetical example, even using 2-step verification could not save you, as I wrote before in “You can be phished even when you see ‘facebook.com’ in the address bar.”
What happened was that the pop-up window was actually not a web-browser window. It was a realistic rendering of a web-browser window drawn within the web page itself.
Take a look at this video to see how realistic the rendering of the fake web-browser window can be:
Recently, someone released a programming toolkit for creating renderings of fake web-browser windows for the purpose of phishing. This toolkit makes it extremely easy for miscreants to carry out such phishing attacks.
How can I protect myself?
As I wrote before, a password manager can protect you from such phishing attacks. Many password managers (e.g. LastPass, 1Password, iCloud Keychain, and even your web-browser’s built-in password manager) can fill in the password field for you. They will only fill in the correct password when you are at the correct website domain, and they check the real address of the page, not the picture of an address bar drawn inside it. They cannot be fooled by phishing tricks designed to deceive the human eye.
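To make the origin check concrete, here is an added example (written for this post, not code from any real password manager) of the decision a password manager makes before autofilling. The vault entry, the attacker hostname `login-example.attacker.invalid` and the `bitbPage` object are constructed for the example. The point it shows: the fake pop-up can paint “accounts.google.com” into its drawn address bar, but the document’s real `window.location` is still the attacker’s origin, so nothing matches and no password is filled.

```javascript
// Added example (not from the original post): how a password manager's
// origin check defeats a browser-in-the-browser phishing page.
//
// A stored credential is bound to the origin it was saved on. Before
// autofilling, the manager compares that origin with the *actual* origin
// of the document requesting the fill (window.location.origin), never
// with whatever the page draws on screen.

// Constructed sample vault: one credential saved on the real Google login page.
const VAULT = [
  { origin: "https://accounts.google.com", username: "alice@example.com", password: "<secret>" },
];

// Normalise a URL to its origin (scheme + host + port). Returns null for
// anything that is not an http(s) URL so that odd schemes never match.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin; // default ports are dropped, e.g. ":443" on https
}

// Decide which credentials may be offered to the page at pageUrl.
// pageUrl is the document's real location, which a page cannot fake even
// though it can draw a pixel-perfect copy of a browser window.
function credentialsFor(pageUrl, vault = VAULT) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return [];
  return vault.filter((entry) => originOf(entry.origin) === pageOrigin);
}

// Simulated browser-in-the-browser page (constructed): the attacker's
// document paints a fake pop-up whose address bar reads
// "accounts.google.com", but the document itself lives on the attacker's origin.
const bitbPage = {
  paintedAddressBar: "https://accounts.google.com/signin",
  realLocation: "https://login-example.attacker.invalid/bitb.html",
};

function demo() {
  // Real Google login page: the stored credential matches.
  const realLogin = credentialsFor("https://accounts.google.com/signin/v2/identifier");
  // Fake rendered pop-up: the manager sees the real location, not the painting.
  const fakeLogin = credentialsFor(bitbPage.realLocation);
  // A hostname that merely *contains* "accounts.google.com" does not match either.
  const lookalike = credentialsFor("https://accounts.google.com.attacker.invalid/");
  return { realLogin: realLogin.length, fakeLogin: fakeLogin.length, lookalike: lookalike.length };
}

console.log(demo()); // → { realLogin: 1, fakeLogin: 0, lookalike: 0 }
```

The comparison is on the full origin rather than on a substring of the hostname, which is why the look-alike domain in the last case is also rejected; a human reading the painted address bar has no such guarantee.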