Martín Obiols

Random InfoSec Rants

This is why you cannot battle phishing with user-awareness campaigns

13 Nov 2018 » phishing, awareness

This content was originally posted as a Twitter Thread. Copied here for archive purposes. Please, forgive potential typos and the succinct writing style.


I know anti-phishing is a business that feeds a lot of people but the way this war is fought today just seems a bit off to me.

First, I differentiate targeted phishing campaigns (usually APTs) from massive or moderately massive phishing. I don’t think I need to point out why you can’t fight the former with awareness.

Massive phishing is like mail spam: Cheap, risk-free and thrives under big numbers. Getting 1 user to fall for it for each 100 targets may seem a low turnover but if you have 100k targets from the same company… figures suddenly get grimmer. Still staying cheap for the phisher. But 1% is so distant from real world figures for phishing click-through by regular users.

In one of my past gigs we conducted regular internal phishing campaigns on employees massively. Click-through rates consistently went over 10%. Awareness campaigns ensued to deliver tips to look out for in unexpected emails, not opening attachments nor clicking on links. Results still randomly ranged between 10% and 20% consistently. It was common to hear victims state how coincidental it was that Rachel, the phisher, shared first name with some other Rachel who regularly emailed them. I don’t blame them.

The bait will happen to be believable enough to someone, somewhere. It just happens.

And we are just getting started on the “don’t click on unknown links” typical security adagio you still often get from awareness campaigns.

Yeah right, as if in 2018 you could know where the hundreds of links you click every day take you to. Consider link shorteners, open redirects from trusted domains, lack of status bar preview on touchscreens, TOCTOU, tabnabbing…

If you still believe you can teach users to not click on links brainlessly, consider also that there are links that do not look like links at all.

Exhibit A:

Exhibit B:

Exhibit C:

OK, people brainlessly click on links and it’s hard to stop them. But at least we can teach them not to enter their credentials on untrusted sites right? Well just before you start rolling out your awareness campaign there is some prep work you need to do.

For your awareness campaign to be remotely successful, you need to keep your login pages (that is, the forms where your users put credentials) consistent.

Consistent means you cannot have a myriad of places (URLs, frames, apps) where your users can login (and all with a different UI or CSS). Multiple logins, on different sites, UI dialogs, CSS… it’s just bad security urbanism

You can only have your users putting credentials on a single place. If they are not gonna check the URL properly (or they actually can’t, more on that later) at least give them a fixed familiar form to mentally refer to when things get ugly. e.g. https://accounts.google.com . Teach them it is unusual for random forms popping up in different places to ask them for credentials.

That helps them build mentally a model of “how does it look when this company asks for credentials?”. Also, by doing that you retain control of what your users naturally expect and you can properly notify users of upcoming changes in the way you regularly ask for credentials.

But even if you do that, you still need to give users a way of actually checking whether it is you or some phisher the one asking for the credentials. It turns out there is only one way to do that: The Almighty Browser Address Bar.

So let’s say after your awareness campaign your users actually glance at the address bar (which is assuming a lot). First, are they able to do that? There is a ton of situations where you are just out of luck with no clear indicator of who is actually receiving your credentials

In some other cases, you are being deceived by UI bugs:

In other cases, it’s the size of the screen what matters:

And… it’s not enough to only check the address bar only once, heh, what were you thinking?

Lastly, have you considered Mobile UI design principles? Real state is pricy so the address bar is just not there sometimes:

I could go on but you get the point. How do we effectively fix this in a sustainable manner? Not by focusing on awareness that’s for sure. Some people think the only way forward is down the U2F road. I mostly agree, but time will tell.

UPDATES

  • Update 28-4-2019 - This one exploits Mobile UI optimization of screen space. By hiding the Address Bar, mobile browsers expose themselves to redressing attacks that fool the user with fake Address Bars: The Inception Bar, a new phishing method

There is also a great quote from the Hacker News thread:

I can’t help but think that this was made possible by the complete collapse in common UI standards. ‘Apps’ have stopped being OS-toolkit apps and moved onto the web, and of course each designer needs to have their own special on-brand widget style. This has leaked onto the few remaining desktop apps: Chrome rejects the standard Mac OS widgets and reimplements everything, from buttons to the print dialog. Spotify does its own thing. And lest we think Apple has much respect for UX, iTunes is a mess. I genuinely can’t use it. The result is that users have been trained not to expect consistent UI paradigms. Every UI is hunt-and-peck. And that paves the way for this kind of exploit.

  • Update 14-2-2019 - Another Example of hopelessness: this one is a fake popup resembling the “Login with Facebook” window that is used in most social logins. The popup is actually built as part of the original origin, thus having full access to the login form.