Trick negates ‘check the URL’ advice
A security researcher has demonstrated the potential dangers from a phishing technique that involves simulating a pop-up window in order to spoof a legitimate domain.
The technique highlighted by the researcher, who goes by the online name of mr.d0x, illustrates a known issue that is somewhat underpublicized rather than wholly new hacking trick.
The approach of spoofing a pop-up page login window is nonetheless dangerous because it undermines the standard advice that surfers should “check the URL” of sites.
The major limitation of the so-called ‘browser in a browser’ attack is that a potential target would first need to be tricked into visiting an attacker-controlled website before the pop-up window is displayed.
“But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),” mr.d0x explains.
A technical blog post by mr.d0x explains the technique in more depth
The spoofed pop-up window will not autofill passwords, a potential limitation to the technique which is nonetheless tricksy.
Guarding against this type of malfeasance be default may be difficult for vendors, but browser makers quizzed by The Daily Swig were nonetheless confident that they had the issue well in hand.
A Mozilla spokesperson told The Daily Swig: “It’s important to be aware of the phishing traps. We also recommend using a password manager, like the one that is included in the Firefox browser, and where possible phishing-resistant technologies like WebAuthn.”
Microsoft, which develops the Edge browser, and Google declined to comment.
Automatically detecting if a given program (or webpage) is malicious or not is a problem the IT industry has grappled with for years. Each major browser has an anti-phishing solution based on block lists but this approach is incomplete.
Cezary Cerekwicki, head of product security at Opera Software, makers of the popular Opera browser, told The Daily Swig that “the sad truth about the entirety of so-called social engineering is that it is generally unsolvable on technical grounds”.
Researcher mr.d0x accepted some of the difficulties but argued that browser makers nonetheless ought to do more, partly because users have become used to a browser pop-up window asking for credentials, hence the potential potency of the phishing technique.
“This type of attack is a difficult to detect visually speaking because the fake window looks exactly the same as a real window with a few minor differences that are quite difficult to notice,” mr.d0x told The Daily Swig.
“Something browsers can do is have their windows authoritatively marked with something that can’t be replicated with HTML/CSS. Of course this is easier said than done.”