Hope this finds each and every one of you in good health and spirits.
First of all, thank you very much for this article; it is very useful and will help a lot. On the other hand, we want to suggest a tip regarding this thread. I can guarantee that a lot of users (this means many of them) haven’t read this thread and maybe they will not. This is not because they don’t want to, but because they are busy helping their customers, maybe developing new items, and a lot of other things.
Our suggestion is to redirect the users after login to a page that mentions this issue and tells them that it is important to read. On the other hand, I think that we should put a banner at the top of ThemeForest (and all other Envato stores) to mention this to all users (like the one that we used when we told the users to change their password).
In this case, we will guarantee that around 90% of our users will read this and be aware of it.
Another tip is the “Change Password” process. We are thinking that it should be more secure; a tip for this is adding a mobile number for our users to receive a notification regarding this, or we can use it to receive the new password. The hacker may have access to my email, but for sure he doesn’t have my mobile unless he is in my home/office.
We will update you guys with other tips, hope that we all will work together in order to solve this.
Hi all! Wow, what a response so far! Thank you so much for all the awesome ideas and feedback thus far, please keep those suggestions coming!
Just wanted to specifically respond to the comments about “telling more people about this outside of the forums.” This is definitely our plan – we will be using our Marketplace and Author newsletters and social media for example. I’ll check to see if we need/want to do something more prominent like a header bar or maybe a home page feature. There’s always that trade-off isn’t there – sharing good information with everyone, but not trying to be too invasive. But you are quite right, this is something that will be useful to everyone. I’ll let the team know the feedback and we’ll see what we can do. Great call, thanks everyone who mentioned it!
We have another important tip that will protect Envato from online phishing and scams, as follows:
1) Add two new fields in the Envato Account Settings (one for a selected image and one for a selected text).
2) These two fields will be entered from the users and saved on their profile.
** The Envato login process should be separated into two processes as below:
3) The first Envato login page should contain the username field only and a verification code (optional).
4) If the username is valid, then redirect to the next page, which will contain a password field and the selected image and text that are mentioned in (Step 1).
5) Here the user will check on every login that his (selected image / selected text) is retrieved correctly; then he is for sure on the Envato domain and in the right place.
6) In this case, there is no way the hacker can guess the selected image / selected text in our profiles, so with this approach we minimize the phishing threat.
Kindly see the screenshot below for more details about the suggestion.
Hope this will help.
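The two-step login described in the post above, as an added example (not code from this thread or from Envato): step 1 takes only the username and returns a short-lived, single-use token together with that user's stored image id and phrase; step 2 accepts the password only with a valid token. The user store, the hypothetical image/phrase values and the PBKDF2 password hashing are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed user store: the two anti-phishing fields (image id and phrase)
# are the ones the user picked in account settings. Values are made up.
USERS = {
    "alice": {
        "salt": b"constructed-salt-1",
        "pw_hash": b"",  # filled in below
        "image": "img-0042-lighthouse",
        "phrase": "blue teapot on a wednesday",
    },
}

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 is an assumption for the example; any slow hash would do
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS["alice"]["pw_hash"] = _hash_password("correct horse battery", USERS["alice"]["salt"])

# Pending step-1 sessions: token -> (username, expiry time)
PENDING: dict = {}
STEP_TTL = 120  # seconds a step-1 token stays valid

def login_step1(username: str) -> Optional[dict]:
    """Step 1: username only. Returns a one-time token plus the stored image and
    phrase so the user can confirm the site before typing a password."""
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[token] = (username, time.time() + STEP_TTL)
    return {"token": token, "image": user["image"], "phrase": user["phrase"]}

def login_step2(token: str, password: str) -> bool:
    """Step 2: password submitted with the step-1 token. The token is removed on
    first use and rejected once expired, so a stale or replayed form fails."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False
    username, expires = entry
    if time.time() > expires:
        return False
    user = USERS[username]
    # constant-time comparison of the derived hashes
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```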
TigerModules Anti-Phishing Tips
- Email Security – Create a Seal (like an SSL seal) that is included in every email sent by Envato. When an authorized email is sent via Envato it will have a seal at the very top of the message. When the user clicks on the seal it redirects them to the Envato site, where they can verify that the message was sent by Envato. Upon going to Envato’s website it will show the subject of the message and an MD5 hash of the content, enabling user verification. If these do not match up, it is a fake.
- Two Factor Authentication (TFA) – Envato should implement either an optional or a mandatory version of TFA, using TFA services such as the Google TFA app or SMS codes to verify the user.
- Hardware Based Authentication (HBA) – Envato could implement a form of HBA that is optional for users (as each user wanting to take advantage of the service will have to purchase a hardware token). Some services spring to mind, such as VIP by VeriSign or YubiKey by Yubico. The plus side to using YubiKey is that the keys cost $25 each and do not require Envato to implement any hardware (as you would for the VeriSign option), as Yubico’s OTP servers are free to access with no limitations.
- Geolocation Login Monitoring – Envato could implement a system where each user’s IP address is captured upon logging in and stored in a database. Every login after that will also be logged. If a user’s geographical location changes suddenly (i.e. a user who last logged in from Australia logs in from China), a flag is raised and the account is locked pending verification (i.e. answering security questions, SMS One-Time Password (OTP), etc.).
That was a mouthful now onto the End-User.
- Ensuring software is kept up-to-date – Users should ensure that their Operating System, Web Browser and Plugins are kept up-to-date. One good site to check if they are up-to-date is the Mozilla Plugin Check.
- Anti-Virus Software – Users should ensure that they have an anti-virus program with internet security installed on their computer and ensure that it is up-to-date and has a valid license. (I personally use and recommend Kaspersky.) Those who use Windows should not rely on the built-in Windows Defender, and those who use Macs should not believe that they are not susceptible to viruses.
- Common Sense – Users should use common sense and check that the site in the URL bar is that of an Envato site and that it has an SSL certificate.
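The geolocation login monitoring suggested in the post above, as an added example (not code from this thread or from Envato): each login is recorded per account, and a login whose country differs from the previous one raises an alert and locks the account pending verification. The login records are constructed, and the country code is assumed to have already been resolved from the source IP by a separate geolocation lookup.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed login records: (username, ISO timestamp, country from an assumed
# IP geolocation lookup, source IP). Addresses are documentation ranges.
LOGINS = [
    ("alice", "2013-05-01T09:00:00", "AU", "203.0.113.10"),
    ("alice", "2013-05-02T10:15:00", "AU", "203.0.113.11"),
    ("alice", "2013-05-02T10:40:00", "CN", "198.51.100.7"),
    ("bob",   "2013-05-02T11:00:00", "US", "192.0.2.5"),
    ("bob",   "2013-05-03T11:00:00", "US", "192.0.2.5"),
]

@dataclass
class AccountState:
    last_country: Optional[str] = None
    last_seen: Optional[datetime] = None
    locked: bool = False               # locked pending verification (OTP, questions)
    history: list = field(default_factory=list)

def process_login(states: dict, username: str, ts: str, country: str, ip: str):
    """Record one login. If the country differs from the previous login for this
    account, lock the account and return an alert dict; otherwise return None."""
    st = states.setdefault(username, AccountState())
    when = datetime.fromisoformat(ts)
    alert = None
    if st.last_country is not None and country != st.last_country:
        st.locked = True
        alert = {
            "user": username,
            "from": st.last_country,
            "to": country,
            "ip": ip,
            "minutes_since_last": (when - st.last_seen).total_seconds() / 60,
        }
    # every login is logged, flagged or not, so later checks have full history
    st.history.append((when, country, ip))
    st.last_country, st.last_seen = country, when
    return alert

def run(logins):
    """Replay a batch of login records; returns (per-account states, alerts)."""
    states: dict = {}
    alerts = [a for a in (process_login(states, *rec) for rec in logins) if a]
    return states, alerts
```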
Envato : 4,143,600 community members and 5,860,380 items for sale.
But the website is not HTTPS secured. This is really bad. Even small startups are using 128-bit SSL encryption, so why is Envato not using this method to secure the website? It would be very helpful for users to identify whether it’s a fake website or real just by looking at the address bar.
So, add HTTPS as soon as possible.
Also, try to minimize the email IDs Envato uses to contact users. For example: if it’s just firstname.lastname@example.org, any user can add this to their address book, so they won’t mind emails from other email IDs.
I think Envato should start 2-step verification like Gmail. It’s really helpful.
A lot of these ideas will not stop spoofed emails; they just make it harder for authors to log in. I already have enough trouble with an unreadable captcha if I happen to forget my password, or need more than 1 guess.
@surjithctly The login page is already SSL secured. How will having HTTPS throughout the entire site help security? It will only complicate security with warnings to users about some elements (mostly images) being from an insecure source.. Images that authors put on items, profiles, comments and forums will trigger security warnings if there is SSL throughout the whole site. Also, E-mail “from” addresses can be spoofed quite easily.
The best way to prevent spoofing is by having an article like this thread, informing people of the do’s and don’ts.. no matter how much “secure” you think you have, it doesn’t stop anyone who truly wants to do wrong, it will only help prevent legitimate users from entering.
Spoof sites and emails are mostly the result of data miners and copy/paste.. having some measures on the actual site that prevent scraping would help a lot. For example, on one of my products here on CC, I have a hit counter at the bottom of the page.. this appears as a hit counter when viewed on the product page from CodeCanyon, but when you view the product from another site which scraped CodeCanyon, the counter turns into a graphic that says “WARNING: This site is not authorized to represent [my product]”. I did it to prevent other sites from having my product with a misleading “download” button.
Something similar could be done for emails too (but it’s a lot more tricky), by adding something to the header (or other) image of an email that is distinct to each user it gets sent to. Something not immediately noticeable may help track down the ones who are spoofing (if they use the exact image in a spoof email). Options range from watermarking to header manipulation of the image(s) in the email.
The only way to solve it is to implement a 2-step login that works with a One Time Password generated with an authenticator or via SMS.
or with a mobile app:
or via SMS:
I’m using a secondary clean machine with a Linux OS and a virtual keyboard to log in to the Envato marketplace. I would be happy to get rid of this machine and pay a monthly fee for a physical authenticator or mobile app or one time password via SMS.
My advice – Be REALLY CAREFUL even with REAL buyers if you never communicated with them before!
What happened to me lately:
Received an e-mail sent via my profile page contact form from a buyer asking why there is a …. problem on his site.
Being an author for more than 3 years, I have already built a reflex – always checking the purchase confirmation link BEFORE even reading the entire mail. Well – this one was a REAL buyer.
My answer was – “I am afraid I can’t just guess what could be wrong. Could you please at least provide a link to your store, so I would be able to check this?”
So far – nothing strange and unusual!
The client answers:
Here is the link to my site …... The front page shows a lot of PHP errors!
Well… this is where the fun begins!
Clicking on the link results in an immediate anti-virus alert and the page is blocked! Nothing scary, as long as your AV software is good enough and up to date. Not even suspicious – there are many sites infected and their owners don’t know about it. There are even ThemeForest item demos infected!
I answer the client:
Unfortunately I can’t check your problem, as your site is infected with a Trojan horse and I can’t/won’t open it.
AAAAAND The client answers back:
” :))))))))) May be next time “
Never heard from him again!
NEVER let your browsers save ANY passwords and use a paid and reliable AV! It’s worth it!