
For a user to defend against something like "Don't understand how my mum's Gmail account was hacked", they should pay attention to the URL bar before typing their credentials.

But how can you make sure it's really the browser's URL bar that you are looking at?

A phishing site could look non-suspicious by:

  • Opening a popup without URL bar and emulating the URL bar functionality;
  • Going into fullscreen mode and emulating URL bar (think mobile device browsers);
  • Possibly many other ways, depending on the device where the browser is running.

Is there a common (to different browsers, operating systems) guideline for users to detect such an attack?

domen

2 Answers


This is a subject that could go on forever, but some common practices against any site that you find suspicious are as follows:

  • Use Google to direct you to the same site
  • If it happens to be a login page, log in with completely fake credentials to ensure that it doesn't let you in. If it says "Thanks for logging in." or something similar, then it's a phishing attempt.
  • Ensure that the link is an https connection (this one is disputed, but it's an early warning sign if you don't see https)

There are many other ways to detect similar phishing sites, but these are my top suggestions.

Jason Higgins
  • Well... if the URL bar is faked, then hypothetically one could also just fake the Google web page. Basically, we can get down to emulating a browser as an advanced phishing attack. – domen Feb 28 '14 at 17:18
  • Fair enough. I suppose that a certain amount of browser customization would be able to at least make it harder to emulate. For example: themes, bookmark bars, extensions. Would a phishing scam that emulates a browser be able to collect that data to assist in the emulation? If I saw a Chrome browser that didn't have my bookmarks or theme I would be instantly alerted. – Jason Higgins Feb 28 '14 at 17:30
  • Good point with the bookmarks (already mentioned by @Gray also). – domen Mar 03 '14 at 09:02

Opening a popup without URL bar and emulating the URL bar functionality;

This would actually be incredibly difficult to pull off. Even ignoring the fact that most modern browsers make this impossible to do, there would have to be some kind of iframe in the page to navigate to other sites (which causes a whole host of problems for the malicious site to actually get any data from there), and you could easily look at the source to tell if this is the case. All of your buttons for browser settings would not work. Your bookmarks/extensions would not show up, and unless your browser was seriously compromised (like... seriously) it would not be able to fake this stuff. Changing your user agent string would most likely confuse a site that tried to do this (showing a Chrome address bar in Firefox, for example).

Going into fullscreen mode and emulating URL bar (think mobile device browsers);

Most of the same things apply. A website cannot hide the top bar if you scroll all the way up, and none of the buttons would function correctly.

Is there a common (to different browsers, operating systems) guideline for users to detect such an attack?

I would say not really. A site that says it is bank.com but is really h4x0r.net and tries to use a certificate would give a big error in your browser. Other tricks using stylesheets/HTML would just not be convincing to a reasonably competent user.

Some SO questions that are related:

Gray
  • OK, it seems like hiding the URL bar has gotten much harder lately. I remember it not being visible, but after trying now I see that might be a stale memory from some years ago. Also bookmarks, yes. I don't use them, so I keep forgetting about that. – domen Mar 03 '14 at 10:30
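The three conditions discussed above (a popup whose opener chose which browser bars it gets, a page in fullscreen, and a real page framed inside a fake browser) are all visible from inside the page through standard DOM properties. The following is an added example, not code from the question or from either answer: a check that takes a window-like object, so it can be pasted into the console of a suspicious page (passing the real `window`) or run in Node against the constructed stand-in windows defined at the bottom. The property names (`opener`, `top`, `locationbar.visible`, `document.fullscreenElement`, `screen`, `innerWidth`/`innerHeight`) are the standard ones; how faithfully each browser populates `locationbar.visible` for a popup is an assumption to verify per browser.

```javascript
// Added example (not from the original post). Reports the conditions under
// which the "URL bar" on screen could have been drawn by the page itself.
// A phishing page gets into these states with calls such as
//   window.open(url, "_blank", "location=no,toolbar=no,menubar=no")
//   document.documentElement.requestFullscreen()
// and, for a fake browser that shows real content, an <iframe> of the target.
function chromeSpoofIndicators(win) {
  const findings = [];

  // Popup: another page opened this window and picked its feature string.
  if (win.opener) findings.push('opened-as-popup');

  // The browser itself reports its location bar as not showing (BarProp API).
  if (win.locationbar && win.locationbar.visible === false) {
    findings.push('locationbar-hidden');
  }

  // Fullscreen API in use: the real browser chrome is gone, so anything that
  // looks like a URL bar was painted by the page.
  if (win.document && win.document.fullscreenElement) {
    findings.push('fullscreen-element');
  }

  // Viewport equals the whole screen even without the fullscreen API
  // (kiosk mode, or a mobile browser that has collapsed its top bar).
  if (win.screen &&
      win.innerWidth === win.screen.width &&
      win.innerHeight === win.screen.height) {
    findings.push('viewport-fills-screen');
  }

  // Framed: this document sits inside someone else's page, which is what a
  // fake browser needs in order to show real content under its fake bar.
  // window.top is readable cross-origin, so the comparison works from a frame.
  if (win.top && win.top !== win) findings.push('framed');

  return findings;
}

// Constructed stand-ins for a real `window` (assumed shapes, not a browser),
// so the check can be exercised offline.
function makeWindow(overrides) {
  const win = Object.assign({
    opener: null,
    locationbar: { visible: true },
    document: { fullscreenElement: null },
    screen: { width: 1920, height: 1080 },
    innerWidth: 1600,
    innerHeight: 900,
  }, overrides);
  if (!('top' in overrides)) win.top = win; // a top-level window is its own top
  return win;
}

const normalTab = makeWindow({});
const fakeBarPopup = makeWindow({ opener: {}, locationbar: { visible: false } });
const fullscreenPhish = makeWindow({
  document: { fullscreenElement: {} },
  innerWidth: 1920,
  innerHeight: 1080,
});
const framedLogin = makeWindow({ top: {} });

for (const [name, win] of Object.entries({ normalTab, fakeBarPopup, fullscreenPhish, framedLogin })) {
  console.log(name, chromeSpoofIndicators(win));
}
```

The `framed` case is the one the imitated site can prevent rather than detect: serving the real login page with `Content-Security-Policy: frame-ancestors 'none'` (or the older `X-Frame-Options: DENY`) makes the browser refuse to load it inside the fake browser's iframe, so the attacker is forced to clone the page instead of showing the genuine one under a fake bar, which is exactly the "whole host of problems" the answer refers to. The other indicators only tell you that spoofing is possible, not that it is happening; the answer's advice to scroll to the top, try the browser's own buttons and look for your bookmarks remains the practical check.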