15 September 2009

Picture-in-Picture Phishing Attacks and Operating System Styles

Phishing attacks are often targeted at organisations where login credentials can be used to gain financial reward, and these web sites almost always use SSL to allow users to authenticate the identity of the site and to protect data in transit from alteration or copying.

A recent paper Crying Wolf: An Empirical Study of SSL Warning Effectiveness from Carnegie Mellon University discussed the results of a survey of over 400 internet uses. The conclusion - users ignore warnings about invalid SSL certificates.

The subject of trust user experience (TUX) was discussed during the Workshop on Security and Human Behaviour (SHB 2009) at Cambridge University this summer, and summarised here. This included a discussion on how users, who are trained to be sensitive to warnings, become more susceptible to picture-in-picture attacks. These are where an image of a (fake) browser, perhaps with a graphical representation of a green extended validation address bar is displayed inside the user's real browser window, such as in the example mock-up below. This is most effective when the real browser is displayed at the full screen resolution.

Partial mock up of a picture-in-picture attack where the real browser has a malicious web site address, but within the browser is a background identical to the desktop and a picture of another browser with what appears to be a valid SSL certificate - the content of the inner image are a form that submits the user's login credentials to the malicious web site

Therefore I was interested to read about how web designers can use CSS to access operating system style settings (the "chrome" of Linux, Windows, Mac, etc) and use these to apply matching fonts and colours to web design elements. This means if users have a customised desktop colour scheme, the fake browser in the picture-in-picture attack doesn't need to be in standard desktop colours, but could pick up on the user's own settings, to confuse them further.

See also my comments about Colour Overload with IE8 Tab Grouping.

Posted on: 15 September 2009 at 07:49 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Picture-in-Picture Phishing Attacks and Operating System Styles
http://www.clerkendweller.com/2009/9/15/Picture-in-Picture-Phishing-Attacks-and-Operating-System-Styles
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2009/9/15/Picture-in-Picture-Phishing-Attacks-and-Operating-System-Styles
Requested by 50.17.176.149 on Thursday, 24 April 2014 at 16:43 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2009-2014 clerkendweller.com