Are address bars unphishable?

Question

I've taken, out of curiosity, the Phishing Quiz by OpenDNS that tries to teach the general public about detecting phishing:

Ever wonder how good you are at telling the difference between a legitimate website and one that's a phishing attempt? Take this quiz to find out.

I did it mostly because my phishing detection process basically looks like this:

1. Does the address bar look legit?

...and if it does I'll think the site is legit. That is most likely simplistic, but (spoiler alert!) you can get all 14 questions right just by looking at the address bar. "Yahoo!! is upgrading!!!" from "docs.google.com/spreadsheets"? Yeeeeah, that kind of barely smells like phishing.

Assuming the DNS server is not compromised, is the address bar really that bulletproof, though? If it isn't, how can I detect whether it's been tampered with or not?

Answer 1

The answer depends upon what kind of browser you are using, so I'll break it down.

Mobile browsers. You can't trust anything you see. Sorry. Life on a small screen sucks. That's just the way it is.

(Did you want an explanation why? Any web page can go full-screen, using mobile-specific tricks like scrolling the page down so that the address bar is not showing. Then, it can draw a fake address bar. As a user, there is no reasonable method you can use to detect this forgery by looking at the screen. See also the research paper iPhish: Phishing Vulnerabilities on Consumer Electronics, where the authors implemented this attack and tried it out; they learned that users could not detect it, not even computer science graduate students with knowledge of security, not even when they had been warned in advance of phishing attacks.)

So basically, there is no reliable way to detect phishing attacks on mobile browsers by looking at the screen. The only way to protect yourself is to go straight to the site yourself (e.g., by clicking on a bookmark) before entering your credentials: never get there via a link.

Older desktop browsers. On older browsers, like IE6 or Firefox 2, I don't know whether there is anything you can trust. They are so riddled with security holes that I would not count on them for security. The only way to protect yourself is to simply avoid those browsers: friends don't let friends use IE6. But you said you are not interested in them, so I think we can disregard them.

Modern desktop browsers. This is the nub of the issue, and I suspect what you were most interested in. On modern desktop browsers, there are only a few things you can trust:

• Domain name. You can trust the domain name in the address bar to indicate the site you are currently on.

• Blue/green glow. You can trust the blue/green glow behind the name in the address bar to indicate the presence of SSL. You can also trust the `https://`` schema to indicate the use of SSL, but the glow may be easier to check for.

That's essentially it. You can not trust the icon next to the URL (the favicon), even if it looks like a padlock or something; you cannot trust anything below the address bar; you cannot trust the text in the status bar when you hover over a link before clicking on it. You should not rely upon anything in the URL after the domain name, as the same-origin policy makes no distinction between different URLs on the same domain.

How to protect yourself. Let's put it all together. If you want to be safe when visiting some site -- say, your bank -- there are two viable strategies you can use to protect yourself:

• Prevention: use a bookmark. To prepare, make a bookmark to the login page for your bank. (Make sure it is a https page you are bookmarking.) Then, when you want to log in, click on the bookmark, then enter in your credentials and use the site. Never navigate to your bank's site by clicking on links; if you find yourself on your bank's site from some other source, then make sure you're on the right page by clicking on the bookmark before you use the site. This essentially prevents any opportunity for a phishing attack on your bank credentials.

• Detection: check the address bar. Alternatively, you can try to detect phishing attacks. Every time you visit your bank web site, check to make sure that the domain name in the address bar matches your bank's domain name before entering your credentials or using the site. This will be a pretty reliable way to detect phishing attacks -- as long as you always remember to check the address bar. The primary shortcoming of the approach is the obvious one: you have to always remember to check the address bar. Apart from that caution, this is a viable strategy, too.

  Also, you may want to check that you are currently using SSL, by checking for the blue/green glow (this is especially important when using a wireless network); if you happen to know that your bank has had a green glow in the past, then on subsequent visits make sure the glow is still green. Alternatively, if you use Firefox, you could install HTTPS Everywhere and save yourself from having to check for SSL.

Caveats and attacks. I need to qualify the above remarks a bit. Checking the address bar is not a foolproof defense. There are some sophisticated presentation attacks that could potentially fool you, even if you look at the address bar. Let me outline the major ones:

• Picture-in-picture attacks. Recall that a web page can completely control what pixels are drawn on the portion of the browser window where it is displayed (e.g., by providing a bitmap image, which will be displayed exactly as is). In a picture-in-picture attack, a malicious web page arranges to draw something inside its window, so visually it looks like there a second, smaller browser window has popped up on top (and its outline is completely contained within the outer window). This is hard to describe in words, so here is an example image:

  

  Credits: Fig.2 of An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks by Jackson, SImon, Tan, and Barth.

  In this example, the user is visiting a malicious web page: http://paypal.login.com, as shown in the outermost address bar. The malicious page controls the contents of all the pixels inside this outer window (except for the chrome around the border). In this area, the attacker has drawn an image that replicates the appearance of a second smaller browser window, popped up on top. Since the attacker controls all of the pixels of that image, the attacker can completely control the "address bar" of the "inner window". The attacker has chosen to spoof an "address bar" containing https://www.paypal.com. If you weren't careful, you might conclude that the inner "window" has focus, look at its address bar, conclude you are talking to Paypal, and enter your Paypal password or other personal details into the inner "window". If you do that, you've actually revealed your Paypal password to the attacker.

  This attack can be tricky to mount successfully. It relies upon the user not getting suspicious when a new browser window appears to pop up for no good reason, when they weren't trying to visit Paypal. It also requires significant engineering effort from the attacker to make it look and feel correct. For instance, the attacker would need to use Javascript to identify what browser and operating system you are using, then craft a spoofed image that matches your browser version, and for full fidelity, the attacker might need to implement Javascript handlers to let you drag the inner window around (you won't be able to drag it outside the confines of the outer window), interact with the spoofed chrome of the inner window, and so on.

  For more on this attack, read An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks by Jackson, SImon, Tan, and Bart. I'm only aware of one instance of this sort of attack in the wild.

• Homograph attacks. See "The Homograph Attack" by Gabrilovich and Gontmakher, and "The methodology and an application to fight against unicode attacks" by Fu, Deng, Wenyin, and Little.

• Full-screen attacks. (TBD)

To my knowledge, these attacks are rarely (if ever) seen in practice, and they might have only a partial chance of fooling users, but I wanted to outline them so you are aware of the ways in which browser security is not perfect.

Answer 2

Actually it is possible to programmatically alter the contents of the text in the URL bar with Javascript. The browser is supposed to prevent you from changing the domain name; but you can change the text to something big enough that it may imply some scrolling, so that the text in the URL bar is something like:

http://big.ugly.pirate.com/      https://www.paypal.com/login.html    (spaces...)  .

with enough "spaces" such that the left part "scrolls out" of the bar. I suppose some Javascript could use the window size to infer how many spaces to add so as to get the desired visual effect on a given browser version, assuming "standard" font settings.

Yes, with a keen eye you will spot it. But that might require some training.

(disclaimer: I have not tried it nor seen it done; I do not know whether such scrolling can really be forced. It is worth a try.)

Answer 3

Sort of. The address bar will show you the address of the page you are viewing, but a web page is not the monolithic object of the 1990's. Since web pages use content and code from other locations if the content or code is modified the appearance of items on the page may be modified even if the text in the address bar is the same. The most common example of this is Cross Site Scripting (XSS).

Answer 4

URLs can still be spoofed, but spoofing the entire URL altogether is a whole lot harder.. although possible. Obfuscation and things of the like can conceal an address completely (and turn it into hexadecimal jibberish or a dotless binary address, etc.), will still look odd to a user.

Things like Hosts file poisoning, however, can completely map the domain name to a new IP. When a computer tries to resolve an IP address the very first place it looks is in the HOSTS file. If the address is not in your HOSTS file, your computer automatically goes to the next step in the line to resolve the domain name.

If you have, say google.com, and map it to 127.0.0.1 or localhost in your HOSTS file, instead of taking you to Google you will go to http://localhost or 127.0.0.1 instead. This method, however, is very difficult to implement because in Windows 7 it takes Administrative rights to modify the HOSTS file. I am not able to confirm if it takes administrative rights in XP or Vista.

Answer 5

According to this StackOverflow answer, it is indeed possible to change the URL bar without reloading the page. This would make the URL bar not immune to phishing attempts.

Here's the catch: if you can run Javascript in general, or redirect a user to a malicious link that looks like a legitimate page, you can already do a lot with cross-site scripting and Javascript redirects. In other words, if you've already convinced a user to visit an untrustworthy page, lots of bad things could already be happening - whether it's content or URL redirect, Flash-based malware, drive-by downloads or other attack vectors.

Where this does become interesting is a crafted URL like <a href="http://bad.site">http://paypal.com</a> that then changes the URL bar to PayPal.com. If the user clicked without thinking, then checks the URL bar, he or she might be in for some trouble!

edit: I've been playing with HTML5 pushState, and it looks relatively simple to appear to be browsing a different page on the same host, but not necessarily on a different domain. I'll keep playing with it, but for now if you go to dshaw.net/xss.html, it will change the URL bar to "login.aspx". Note that login.aspx doesn't exist. This could prove useful in an attack scenario in which there is XSS on a page of a given domain, but not the login/enter credentials page. From this perspective, this is a very dangerous feature that could be leveraged to great use.