You've probably seen a phishing page that looks something like the one below at some point in your life:
There are multiple targets on display, but Gmail is often the default account asked for whenever a multi-headed phish like this comes around, and that's before we mention the huge slice of Google-specific phishing pages out there in the wild. Google are trying to do something about it with the launch of Password Alert:
The extension, which only becomes functional once you've signed into your Google account, throws up the metaphorical emergency flares whenever it sees your Google password being typed into a site that isn't a Google sign-in page.
The warning itself reads:

Reset your Gmail password
Your Gmail password was just exposed to a non-Gmail login page. You should immediately reset your password to keep your Gmail account secure. Also, please make sure your Gmail password is not reused on other services.

Of course, infosec never remains stationary for long and indeed, while writing this very blog, the following issue with Password Alert came to light:

Bypassing #Google #PasswordAlert with 7 lines of code. #infosec #fail #phishing cc @gcluley @jleyden @EduardKovacs pic.twitter.com/SEb4EMQDQ4 — Paul Moore (@Paul_Reviews) April 30, 2015

The code in the tweet polls for the warning banner every 5 milliseconds and removes it as soon as it is found. It works because the banner is drawn inside the phishing page's own document, where the page's scripts can reach it. You may have quick eyes, but unfortunately this method is quicker. A brave effort, then, but there are issues in Password Alert land and you may wish to wait until a later date to install it.
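To show why a banner-stripping loop like the one in the tweet works, and what an extension has to do differently to survive it, here is an added example. It is not code from the post, from Paul Moore or from Google's Password Alert; the element id, the message format and the background object are hypothetical stand-ins, and the tiny fake document only models the DOM operations the demo needs. The simulation runs a 1 ms clock: the phishing page's remover fires every few milliseconds, the extension injects its warning at some offset, and we count how long the warning is actually on screen. It then contrasts that with a design where the "password exposed" fact is recorded in the extension's background context, which page scripts cannot address at all.

```javascript
// Added example: simulation of a DOM-injected warning versus a warning kept out of page reach.
// Constructed stand-in for the few DOM operations the demo needs; not a real browser DOM.
class FakeDocument {
  constructor() { this.nodes = new Map(); }
  appendElement(id, text) { this.nodes.set(id, { id, text }); }
  getElementById(id) { return this.nodes.get(id) || null; }
  removeElement(id) { this.nodes.delete(id); }
}

// Hypothetical element id; Password Alert's real markup is not reproduced here.
const BANNER_ID = 'password-alert-warning';

// Naive extension design: the content script draws the warning inside the page's own
// document. Anything the page's scripts can address, they can also delete.
function injectDomBanner(doc) {
  doc.appendElement(BANNER_ID,
    'Your Gmail password was just exposed to a non-Gmail login page.');
}

// Attacker side: the body of the setInterval(fn, 5) callback a phishing page would run.
// Poll for the banner and strip it the moment it appears.
function makeBannerRemover(doc) {
  return () => {
    if (doc.getElementById(BANNER_ID)) doc.removeElement(BANNER_ID);
  };
}

// Hardened design: the content script only reports the exposure; the record of it and
// any "reset your password" UI live in the extension's background context, which page
// scripts have no handle on. Modelled as an object the page is never given.
class ExtensionBackground {
  constructor() { this.exposures = []; }
  onMessage(msg) {
    if (msg && msg.type === 'password-exposed') this.exposures.push(msg.origin);
  }
  mustResetPassword() { return this.exposures.length > 0; }
}

// Discrete 1 ms clock. The attacker's remover fires every pollMs starting at t=0 (the
// page loaded first); the extension injects its banner at injectAtMs. Returns how many
// milliseconds the banner was on screen.
function simulateDomBanner(pollMs, injectAtMs, durationMs) {
  const doc = new FakeDocument();
  const remover = makeBannerRemover(doc);
  let visibleMs = 0;
  for (let t = 0; t < durationMs; t++) {
    if (t % pollMs === 0) remover();
    if (t === injectAtMs) injectDomBanner(doc);
    if (doc.getElementById(BANNER_ID)) visibleMs++;
  }
  return visibleMs;
}

// Worst case over every injection offset: the banner never outlives one polling interval.
function maxVisibleMs(pollMs, durationMs) {
  let worst = 0;
  for (let offset = 0; offset < pollMs; offset++) {
    worst = Math.max(worst, simulateDomBanner(pollMs, offset, durationMs));
  }
  return worst;
}

// Same attacker, same clock, but the exposure is recorded out of the page's reach.
function simulateBackgroundWarning(pollMs, durationMs) {
  const doc = new FakeDocument();
  const background = new ExtensionBackground();
  const remover = makeBannerRemover(doc);
  // Content script reports the exposure once (the origin is a constructed example).
  background.onMessage({ type: 'password-exposed', origin: 'https://phish.example' });
  for (let t = 0; t < durationMs; t++) {
    if (t % pollMs === 0) remover(); // nothing in the page DOM to remove
  }
  return background.mustResetPassword();
}

console.log('DOM banner visible (ms):', simulateDomBanner(5, 3, 100));            // 2
console.log('worst case (ms):', maxVisibleMs(5, 100));                             // 5
console.log('background still flags reset:', simulateBackgroundWarning(5, 100));   // true
```

The point of the comparison: with a 5 ms poll the in-page banner is never visible for more than 5 ms, whatever the injection timing, so fighting the page for its own DOM is a losing race. Once the exposure has been reported to the background context, the page can delete whatever it likes and the extension still knows to push the user to a reset; that is the trust boundary that matters, and a content-script banner can only ever be a courtesy on top of it.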
Fortunately Google accounts have a few more layers of protection to wade through before anyone makes off with a swag bag of pilfered logins. If you're using 2-Step Verification or a Security Key then even with your password to hand, the attacker can't log in unless they also have your second factor: your phone, in the case of the Google Authenticator app, for example. One caveat: a phishing page that relays your six-digit code to Google in real time can still get in, whereas a Security Key checks the site it is talking to and won't answer a lookalike at all. The lesson here? Always use 2-Step Verification, and pick the strongest second factor you can.
Password Alert aside, what else could you add in to make things a little safer?
* Adblock Plus: Does what the name implies, which is to block pretty much any and all adverts on the web. Some people strongly object to ad blocking because it hits revenue streams and can make a website hard to keep running; others point to the endless wave of malvertising exploits and would rather not take the risk. The choice, as they say, is yours.
* Ghostery: This one lets you take a peek at who is tracking you when you visit a website, discover the kind of information they collect and opt out should you so desire. There was a spot of controversy a few years ago over its GhostRank data-sharing feature, but GhostRank is turned off by default so you don't need to use it if you don't want to. You can also take a look at some stats related to the main blockers / privacy tools and compare the results.
* Web of Trust: Crowdsourced opinions on the good / bad / run-away-now rating of the websites you visit.
* HTTPS Everywhere: This one might be (slowly) on the way to the browser extension retirement home as more and more websites adopt HTTPS instead of plain HTTP. Google's search ranking already favours sites that use HTTPS, and many of the major social networks have adopted it wholesale. For sites that offer HTTPS but still send you to the plain HTTP version by default, this extension will switch you over.
* LastPass: One of the best-known password managers, and it comes with a lot of features including secure login sharing, two-factor auth and even allowing or denying logins by country.
With the above on board, plus a layered defence which may include antivirus, anti-malware and anti-exploit tools, you'll be well on the way to avoiding any potential Chrome mishaps (or those of any other browser, for that matter).
Hopefully Google will address the new-found bump in the road for Password Alert and you'll have yet another tool in your bag of "Don't phish me" tricks.
[Update] - They have indeed fixed the issue.