Good writeup on UI spoofing attacks
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Aug 23 07:03:40 EDT 2008
The Codinghorror blog has a good writeup on the level of sophistication of UI
spoofing being used in phishing attacks, specifically how a web search for
lilies leads to a pretty convincing social-engineering attack designed to get
users to install their malware:
http://www.codinghorror.com/blog/archives/001164.html
What I'm more concerned about here is how well the user interface was
spoofed. The browser FUI [fake UI] was convincing enough to even make me --
possibly the world's most jaded and cynical Windows user -- do a bit of a
double- take. How do you protect naive users from cleverly designed FUI
exploits like this one? Can you imagine your mother doing a web search on
flowers -- flowers, for God's sake -- clicking on the search results to a
totally legitimate website, and correctly navigating the resulting maze of
fake UI, spurious javascript alerts, and download dialogs?
To pre-empt the inevitable discussions of Noscript and similar measures,
they're all well and good but the very people who need them the most are the
ones who're least likely to have them installed.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list