This Twitter Bot Will Tell You if a Login Page is Phishing

@isthisphish takes submissions from users, then generates a report on how suspicious the domain seems to be.

|
Sep 13 2018, 3:34pm

Image: U.S. Forest Service, Pacific Northwest Region

Update: Claudio Guarnieri, the creator of the bot, temporarily took the bot offline after users caused it to visit websites that may result in Twitter suspending the account. On Friday, he put it back up. The original story follows below.


It may not be as technically interesting as a fancy iPhone exploit chain, or a sophisticated piece of malware, but phishing is the real threat for plenty of different people. Activists, journalists, politicians, and ordinary consumers trying to keep hackers out of their accounts all have to worry about dodgy domains posing as login pages.

Now a Twitter bot may be able to help you decide if that Outlook, iCloud, or Gmail login page is legitimate. Called ‘Is This Phishing?’ (@isthisphish), users just need to tweet a domain at the bot, and it will analyze the URL, provide an assessment, and even reply with a screenshot too.

“This webpage seems suspicious. Be very cautious when opening it!” the bot wrote in response to a query on Thursday. “It might be a #phishing page impersonating Microsoft!” Claudio Guarnieri, a technologist and activist, created the bot.

The bot also tells users if the page does not appear to be dodgy. Motherboard tweeted the real Apple iCloud login page at the bot shortly after it launched on Thursday.

“The link points to what appears to be a legitimate Apple website,” the bot replied, along with a thumbs up emoji. (The bot did not reply when Motherboard tweeted “thanks mate,” indicating it has been coded to ignore tweets that don’t contain a URL).

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Hackers are constantly thinking of devilish ways to make their targets click. On Sunday, University College London PhD student Mustafa Al-Bassam tweeted a video of his own phishing proof-of-concept. The phishing page appears in a smaller pop-up, meaning the target can’t immediately view the full page URL, and instead only sees “accounts.google.com.” The page also has an encryption certificate, meaning browsers will load the portal with the distinct green padlock and “Secure” label.

But really crafty hackers don’t only make convincing looking domains. In 2017, Guarnieri authored a report on how hackers used a network of convincing Facebook profiles to entice journalists and activists to give up their Gmail passwords.