Clarification: Be wary of password checking sites
Fake sites target public uncertainty after hacks and breaches
Watch out for scam sites that claim to test your logon details for popular sites such as Twitter, LinkedIn, Facebook, Hotmail and Gmail.
Links to password checking sites often circulate on social media and email after publicised hacking events or breaches – such as the hacking of the Associated Press’s Twitter account – a time when checking the strength or security of your own account might seem appealing.
These fake sites are phishing for your user name, password and other personal information.
Always be suspicious of sites asking for your user name, password or personal information. If you are uncertain about whether the site is real or fake, don’t take the chance.
Your best advice is to never enter your username and password anywhere except on the site it is intended for.
Don’t use links in emails or social media messages that take you to a log in page. Navigate there yourself independently to make sure you are on the legitimate site’s logon page.
Make sure the addresses of the websites you use are correct.
When logging on to a website, check for HTTPS (or a padlock) in the address bar. This is the secure form of HTTP. Websites that don’t offer HTTPS at logon are unsecured.
Always be suspicious of unsolicited emails, especially those seeking personal or financial information.
About password checking sites
Although some password checking sites are legitimate and well intentioned, some of these legitimate sites have been copied, with fake sites popping up in response to publicity surrounding hacks.
Legitimate sites can use minimal information supplied by you, such as your email address (not your password!) to check your address against lists of stolen information found in data dumps on hacker sites.
Other legitimate sites may offer to simply test the strength of your password.
Fake sites may be very difficult to distinguish from legitimate ones, and will simply collect your details—someone now has everything they need to access to your account.
Don’t take this risk. Only enter your username and password information on the sites you have signed up for.
Always use a strong and unique password.
If you think you might have entered details into a fake site, change your password immediately.
If you use the same logon information elsewhere you should also change these passwords, ensuring you create a unique password for each service.
Advice about setting and using strong passwords.
More on passwords.
Security vendor Sophos recently posted about this issue in relation to Twitter.
Information provided by Sophos.
Thank you to those subscribers who have provided feedback to our Alerts, Advisories and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Broadband, Communications and the Digital Economy ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.
Host of subscription service
The Commonwealth has engaged Ladoo Pty Ltd to host the Stay Smart Online Alert Service. All URL links should show the domain send.ladoo.com.au at hover over. URL links related to the administration of the service ('View online', 'Update your profile preferences' and 'unsubscribe') should direct you to web pages hosted by Ladoo Pty Ltd.
Email: staysmartonline [at] dbcde.gov.au
You are receiving this message at the address robert.novelli [at] communications.gov.au.
Update your profile preferences
If you no longer wish to receive the SSO newsletter, you can unsubscribe.
© 2012 Australian Government. All rights reserved