Making browsing safe from phishing
TL;DR: skip to the conclusions to see what Alice learned.
The Privacy Problem
In the previous episode, Mallory was thinking about manipulating Alice into installing a malicious browser extension of his making. But how would he do something like that? Well, one idea would be to use phishing.
Phishing is the attempt to obtain sensitive information by creating a fake website that looks nearly identical to a real one and manipulating the victim into using it. The fake website could ask for credentials, store them, and then redirect the user to the real site. If the fake website was well made, Alice would not even notice the trick, and Mallory would be able to get hold of her real password.
If he was able to pull this off with her email account or Facebook, he would have access to enormous amounts of sensitive information. Having access to her email account would allow him to reset passwords for other accounts. Another approach would be to phish her friends, and then impersonate one of them and ask Alice to install the extension. Either attack method could give him access to her Messenger account, with all its history of private discussions with Bob and other close friends.
When an attack like this is carried out against many people, it’s called phishing (pronounced fishing). When a certain individual is targeted, it’s called spear phishing.
Opera’s Safe Browsing solution is called Sitecheck. Sitecheck checks the addresses that users try to visit against a list of known phishing sites. If the address is on the list, a warning message appears. Opera gets the lists from the Anti-Phishing Working Group and local suppliers, such as CERT for Poland or Yandex for Russia. Those institutions are a sort of Internet Police, trying to identify and prevent attacks against internet users.
If you click “why was this page blocked?” you’ll be presented with the source that classified the address as fraudulent. If you believe that the warning is a false positive, you can contact the supplier and ask them to remove it from the list.
Sitecheck is not the only thing that makes phishing more difficult for malicious actors. The address bar is the most critical part of the browser. Browsers make it hard to manipulate it in any way, e.g. to cover it with something else or navigate elsewhere when you aren’t looking. There is a long history in the arms race between browser vendors and phishers, but that’s a story for another time. The key takeaway is that you should pay attention to the address bar when attempting to use sensitive sites.
While browsers do a lot to make phishing harder, it’s not technically possible to completely eradicate it. The Mallories of this world can always set up a site meant for spear phishing, lure a single victim into it, and no browser would be able to do anything about it. Also, spear phishing attacks can be carried out entirely via phone, for instance by impersonating tech support and asking directly for credentials. That is why it’s important for everyone to maintain basic security hygiene and exercise caution.
Five Steps To Safe Browsing
Basic security hygiene for safe browsing can be laid out in five steps:
Step 1. Make a list of all your sensitive accounts
Not all accounts are created equal. Some are the key to enormous amounts of information about you, and others, not so much. Sensitive accounts typically include email, social media, financial services and health services. What else belongs on the list is fairly subjective. Ask yourself: what’s the worst that could happen if this particular account were breached? If the prospect is scary, add it.
Step 2. Get a password manager and learn to use it
This will make it much easier to keep good passwords for each service. Make sure your passwords for the accounts on the list are unique and long. Uniqueness is particularly important, as it limits the damage caused by leaking any single one of them. Password length (e.g. 16 to 20 characters) matters much more than complexity (using letters, numbers and special characters) in the case of mass leakage.
Step 3. Ensure you have two-factor authentication enabled for all your sensitive accounts
Get backup codes and store them somewhere safe – it is your plan B in case your second factor is somehow lost.
Step 4. Be mindful of weird, unusual or unexpected requests asking you to open a web address
Especially those involving sites from your list. If you use bookmarks or speed dials, make a habit of using them for your most precious sites. Resist the temptation to click on, or copy and paste, the URL. Rather, start typing it manually and let your browser suggest the URL that you’ve used before. Doing this will lead you to a trusted site, assuming that your browsing history has not been poisoned with bad URLs. If you have a mess in your history, delete it and carefully start again.
Step 5. If your browser is warning you that a page could be fraudulent, take it seriously
If your browser doesn’t warn you, you should always pay attention to the address bar. This is the only security indicator stating which site you really are looking at.
Conclusions
- Top browsers have anti-phishing solutions that can be effective against mass scale attacks. None of those solutions will protect you from well-crafted spear phishing attacks though.
- Opera gets a list of phishing websites from the Anti-Phishing Working Group and local suppliers, such as CERT for Poland or Yandex for Russia.
- The most frequently attacked sites are those that handle money: banks, payment handlers, e-commerce sites and delivery companies. Be particularly mindful of unusual emails, phone calls or SMS claiming to come from those parties. Another frequent target is social media or webmail.
- The key identifier of a website’s identity is its domain name. Phishers often try to register domain names that are similar to the site they want to impersonate. Then they lure the victim to the fake site in order to steal credentials for the real site.
- Browsers do a lot to make certain kinds of psychological manipulation attacks more difficult to pull off. However, this problem is unlikely to ever be totally eradicated, at least by technical means.
- The most effective way to combat phishing is user education. It is the vulnerability of human nature that gets exploited with phishing, not technology.
- Make a list of your most sensitive accounts (email, social media, etc.). Get a password manager. Ensure you have unique strong passwords. Set up two-factor authentication. Use bookmarks, speed dials or address bar suggestions to access sensitive sites, rather than clicking on links supplied by someone.
- Pay attention to the address bar while using sensitive sites. This is the only security indicator stating which site you really are looking at.
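The two mechanisms described above, a Sitecheck-style lookup of the address against a list of known phishing sites and the domain name as the site’s identity, can be illustrated in a few lines. This is an added example, not Opera’s Sitecheck code; the hostnames, the sensitive-site list and the blocklist are constructed samples, and the registrable-domain shortcut stands in for the Public Suffix List a real browser would use.

```javascript
// Added example (not Opera's Sitecheck code): a minimal "is this the site I
// think it is?" check over a visited URL. Hostnames, the sensitive-site list
// and the phishing blocklist below are constructed samples.
const SENSITIVE_SITES = ["example-bank.com", "webmail.example", "social.example"];
const KNOWN_PHISHING = new Set(["examp1e-bank.com", "login-social.example.net"]);

// Registrable domain, approximated as the last two labels. Real browsers use
// the Public Suffix List; this shortcut is enough for the sample hostnames.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Levenshtein edit distance, used to catch near-miss domains such as "exampie-bank.com".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// Classify a URL: "trusted" (exactly one of the user's sensitive sites),
// "blocked" (on the phishing list, as Sitecheck would warn), "lookalike"
// (near-miss domain or the real name hidden inside a longer hostname), or
// "unknown" (no opinion; the address bar still deserves a look).
function classifyUrl(url) {
  const host = new URL(url).hostname.toLowerCase();
  const domain = registrableDomain(host);
  if (SENSITIVE_SITES.includes(domain)) return "trusted";
  if (KNOWN_PHISHING.has(domain) || KNOWN_PHISHING.has(host)) return "blocked";
  for (const site of SENSITIVE_SITES) {
    // Real site name used as a subdomain: example-bank.com.evil.example
    if (host !== site && host.includes(site)) return "lookalike";
    if (editDistance(domain, site) <= 2) return "lookalike";
  }
  return "unknown";
}

console.log(classifyUrl("https://www.example-bank.com/login"));          // trusted
console.log(classifyUrl("https://example-bank.com.evil.example/login")); // lookalike
```

Note that "unknown" is not a clean bill of health: the list-based check only ever knows about sites someone has already reported, which is exactly why the address bar remains the indicator to read for a spear phishing site nobody has seen before.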
What happened next? Was Alice browsing safe? Did Mallory succeed? Will it take him 24 years of living next door to Alice to tell her how he feels, and maybe get a second chance?
Stay tuned for the next episode to find out.