
jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24

1 recommendation

reply to Snowy

Re: Using the HTML5 Fullscreen API for Phishing Attacks

Nope. Not a chance, but I still feel that 90% of others might.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Snowy

"Because after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

Now put that in real words..not just your % thingie..what is "return rate" and tell us about "tens of thousands"..and define what you mean by "campaigns"..and I am not trying to pull your chain..but since you used that to make a statement that you thought the author's 10% was wrong and he knew nothing about phish...I have no idea what you are talking about..and I still think at least 10% and maybe more of the peeps that saw a real exploit like the one he just did in this POC (proof of concept)..would be clicking away.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



therube

join:2004-11-11
Randallstown, MD

2 edits
reply to Snowy

Does not work (fully) in SeaMonkey.
You get a bit of bouncing, the music, & the Phish warning, but BoA is never displayed.

Now on visiting his website with NoScript, that gives you a pretty good clue that something is amiss.

> I bet at least 10% of web users would get phished (probably many more)

I would bet on the "probably many more" part, actually.

Very good POC IMO.

I typically don't use FF & have never seen a "fullscreen" warning like that. If I had not, & in particular if I had no idea what feross.org was, & to top it off if I were in the ranks of the clueless (I want to belong :sad:) I can see that Phish catching a LOT of fish.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Snowy

Social responses
One strategy for combating phishing is to train people to recognize phishing attempts, and to deal with them. Education can be effective, especially where training provides direct feedback.[59] One newer phishing tactic, which uses phishing e-mails targeted at a specific company, known as spear phishing, has been harnessed to train individuals at various locations, including United States Military Academy at West Point, NY. In a June 2004 experiment with spear phishing, 80% of 500 West Point cadets who were sent a fake e-mail from a non-existent Col. Robert Melville at West Point, were tricked into clicking on a link that would supposedly take them to a page where they would enter personal information. (The page informed them that they had been lured.)[60]

Recent phishing attempts
Experiments show a success rate of over 70% for phishing attacks on social networks.

»en.wikipedia.org/wiki/Phishing

Praetorian was hired by a private equity firm to create a phishing campaign against end users to evaluate their employees' susceptibility and the company's responsiveness. To prevent any skewing of the results, only senior management had knowledge of the upcoming test.
The first step of the engagement was to devise a plan of execution. For this scenario, Praetorian decided the highest probability for success would be a phishing campaign that masked itself as an internal company initiative. To that end, Praetorian registered a domain confusingly similar to the company's domain (e.g. www.abc.com and www.abcsecurity.com) and created a site that mimicked the look and layout of the company's official website.
Praetorian then harvested valid employee emails through social networking and sales sites such as LinkedIn and JigSaw. Once the list of harvested accounts was approved by the client, Praetorian sent targeted phishing emails to convince users the company was performing an anonymous, random security audit of user passwords and requested their account credentials to test password strength. Of the random user sample targeted, Praetorian had a twenty-two percent success rate where users voluntarily provided their usernames and passwords. With the credentials in hand, Praetorian could move deeper into the organization's infrastructure via an SSL VPN portal that did not employ two-factor authentication.
The results of the assessment highlighted a need for user awareness and security training as well as the utilization of additional controls such as two-factor authentication. In addition, the equity firm requested follow-on phishing campaigns for metrics and trending analysis as a way to measure the success of the new employee training initiatives.

»www.praetorian.com/penetration-t···-testing
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


therube

join:2004-11-11
Randallstown, MD
reply to jaykaykay

said by jaykaykay:
this one really makes me, as almost a lay person, very uncomfortable
Agreed.


therube

join:2004-11-11
Randallstown, MD
reply to Snowy

quote:
I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible.
1%, 10%, 90%, I have no clue, & it is really immaterial.

But as someone else said earlier, "Very good POC IMO", & "I can see that Phish catching a LOT of fish", & to me that, & not 1 or 10%, is the point.


therube

join:2004-11-11
Randallstown, MD

1 recommendation

reply to Name Game

What we look like with NoScript (in both SeaMonkey & FF):


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to therube

We would hope the various browsers out there would on their own alert the user as to the full page mode and that would tip off many..have not checked Opera yet or some of the others...and we all know that peeps do not always update even the browser they are using..I see people in this forum not updating cause they don't like the new features of their chosen. But I know for a fact that the average user..unless the developer pushes it on them..would also not update..mainly because "if it is not broken..don't fix it."

I even have friends that tell me by phone in casual conversation "Oh..BTW..I got a message that my java or browser..or whatever..is out of date or there is an update..BUT I am not going to do that until you get back"


--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to Name Game

said by Name Game:

Now put that in real words..

You have a funny way of saying that you are unable to find any reference whatsoever to a 10% success rate on phish content.
Zero, zippo, nada, nothing.
The difference between you & me that is creating conflict is that while I accept that I'll make a mistake you'll just try to BS your way out.
Good luck, Mr. Perfection! That's a heavy but unnecessary load to carry.
I'm done with this thread, I'm conceding that your BS is superior to my tolerance for same.

Edit to add: Your Praetorian example was not an "in the wild" event but a controlled study. Get real, as in real events.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

Your musings over for me..you mix apple with oranges and you get bananas...but feel free to make a comment at his site like others have done..

»feross.org/html5-fullscreen-api-attack/

And tell him why he is irresponsible in saying ..

Humans are terrible at spotting subtle changes

If this attack were used in the wild, I bet at least 10% of web users would get phished (probably many more).

and doesn't speak well to his knowledge of phishing.

"Because (you) after analyzing tens of thousands of phish campaigns from start to finish I've never seen a 1% return rate or anything even close to 1% which makes any discussion of 10% irresponsible."

I think he will respond to you.
There are already 127 comments
»news.ycombinator.com/item?id=4629906

»news.ycombinator.com/item?id=4630156

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to Name Game

said by Name Game:

We would hope the various browsers out there would on their own alert the user as to the full page mode and that would tip off many..have not checked Opera yet or some of the others...

Opera 12.10 does not support HTML5 Fullscreen.
--
Think Outside the Fox.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Name Game

I got it on Fx 10 ESR. But it was obvious it was a fake for three reasons. One, my tabs disappeared (they are vertical on the left side); two, I immediately clicked on the fake icon to get cert information, and instead got a popup about the whole thing being fake; and third, I didn't call full screen and the site did not bother to ask me first if I wanted full screen.

I would be extremely pissed if some site took it upon itself to force full screen when I had NOT called full screen! My reaction would be to think who the hell is this crap site that pulled a full screen (which I hate in the first place) without minding their manners and asking me if I would like full screen display. If a bank did something like that, I'd be on the phone immediately giving their internet tech support department hell.

If sites start abusing HTML5 by pulling full screen without asking the user first then my reaction will be to disable HTML5 and if I can't do that then I will just use an old browser (like my Fx 4) that can't do HTML5. If HTML5 becomes shit crap like Flash has become I won't have it even if that means using an older browser.

But what did that author mean about hovering your mouse over the URL? Nothing happens on Fx 4 or 10 ESR when I do that.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to sivran

said by sivran:

said by Name Game:

We would hope the various browsers out there would on their own alert the user as to the full page mode and that would tip off many..have not checked Opera yet or some of the others...

Opera 12.10 does not support HTML5 Fullscreen.

Thanks..had not checked it out yet..

HTML5 and Web Standards
Opera is the browser that began the HTML5 specification that is transforming the web, so it's only natural that we'd be adding more support for the latest standards.

Opera 12.10 beta adds partial support for the Fullscreen API that allows video, games or web pages to use the whole screen to remove distractions like browser chrome that can divert your attention from skateboarding kittens or shooting aliens. (We say "partial" because new "HTML5 the living-on-the-edge standard" specs chop and change. This beta implements the Fullscreen API editors' draft 7 February 2012, while the standard has now mutated in the latest July 2012 version.)

There's also partial support for the Page Visibility API that allows a tab to know if it isn't visible so, for example, it could suspend resource-hungry animations or pause HTML5 audio/video until the tab returns to view.

Now that security concerns with the Web Sockets spec are addressed, we've turned on this functionality by default in Opera 12.10 beta.

»my.opera.com/ODIN/blog/whats-new···-10-beta
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Name Game

As I recall reading, Safari supports it, and you will get the full page phish without any warning or indications..but the keyboard is then frozen, so that would mitigate any clicking maybe.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Probably don't want to do it again when you have no tabs open at all and your browser is closed down..and then have that link be the first place you go since I am sure you are busy with tabs stuff..but wonder what would happen then...on the third reason you could tell it was fake. ... I think that might escape some users.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 edit
reply to Name Game

If Safari freezes the keyboard, how would you leave? The test tells you to use the Escape key to get out of the full screen page. Safari has another way out?

IE 8 (which, of course, it wouldn't work on) does nothing when you try to click on the link. Opera 12, when you click on the link, produces a popup, as I said, about it not working on Opera. The popup says nothing about IE. Does it work on IE 9? On both Opera and IE, when I first go to the page, I see the trick BOA site superimposed, but not full screen, on top of the page where you are supposed to click on the link in order to get the full screen BOA page. So, it really doesn't work on IE or Opera.

What do you mean that link would be the first place a browser (Fx) would go to if it had been shut down? Browsers let you choose to continue from before (load all tabs that were there when you shut the browser down) or go to a particular page like a chosen home page or to about:blank. So, are you wanting to see what happens on Fx if you use about:blank as the home page and you set Fx to show either home page or blank page when started and so you have a blank page, and you go to this test site on that one tab that is blank, and no other tabs open, and you click on the test link (of course assuming it does the full screen thing on the first address you enter, as that is what would happen if this was a malicious exploit and not a test)?

I think, in that case, some would be fooled and even I would have to look closely...but staying alert to possible malicious behavior is something that needs to be ingrained so it is almost habit and then you would see it was fake because it wouldn't have cert information right?

It doesn't work at all on the latest SeaMonkey version, which is odd. SM won't even go to the test site.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to therube

What version of SeaMonkey? I can't get SM 2.12.1 to even go to the test site.



therube

join:2004-11-11
Randallstown, MD

My screenshot was from Aurora, though it loads just the same in 2.12.1 or 2.13.


Curiosity

join:2001-10-01
Dawson Creek, BC
reply to Name Game

That trick did not even work on any of my browsers. I did not see the fake Bank of America screenshot, and the browsers did not enter full screen mode. I disabled that in Firefox so websites cannot force Firefox into that mode. It does not work on Opera 11, or Safari 5.1.7.


Curiosity

join:2001-10-01
Dawson Creek, BC
reply to Name Game

said by Name Game:

We would hope the various browsers out there would on their own alert the user as to the full page mode and that would tip off many..have not checked Opera yet or some of the others...

I should think that the disappearance of the toolbars would be noticed. Since I do not have the browser window covering the whole desktop, full screen mode is even more noticeable to me.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Name Game

I got this on Fx10. But I should NOT have since Fx10 ESR has what appears to me to be protective settings in about:config to stop this exploit:

full-screen-api.allow-trusted-requests-only;true
full-screen-api.warning.enabled;true

So, the protective settings are buggy and don't work??? Since they don't seem to work one needs to do this:

full-screen-api.enabled;false
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson