*removed externally hosted image*

  • Godort@lemm.ee
    ·
    3 months ago

    You've got half of it. The hacker's server is acting as a middleman for the real login page. Everything appears legitimate except the URL will be wrong and if you use a password manager, it won't auto-fill

    They access the legit login page and forward it to you, but they're in the middle capturing everything you send.

    When you enter your login details, they will record them and then forward them to the real login window in near real time, effectively logging in as you. They then have a legitimate session token which they can use to access your account without needing to re-authenticate.