On 10/2/2019 1:16 PM, Ronald Crane via dev-security-policy wrote:
> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
>> New tools such as Modlishka now automate phishing attacks, making it
>> virtually impossible for any browser or security solution to detect -
>> bypassing 2FA. Google has admitted that it’s unable to detect these
>> phishing scams as they use a phishing domain but instead of a fake
>> website, they use the legitimate website to steal credentials,
>> including 2FA. This is why Google banned its users from signing into
>> its own websites via mobile apps with a WebView. If Google can
>> prevent these attacks, Mozilla can’t.
> I understand that Modlishka emplaces the phishing site as a MITM. This
> is yet another reason for browser publishers to help train their users
> to use only authentic domain names, and also to up their game on
> detecting and banning phishing domains. I don't think it says much
> about the value, or lack thereof, of EV certs. As has been cited
> repeatedly in this thread, most phishing sites don't even bother to
> use SSL, indicating that most users who can be phished aren't
> verifying the correct domain.
> -R
Some other changes that might help reduce phishing are:
1. Site owners should avoid using multiple domains, because using them
habituates users to the idea that there are several valid domains for a
given entity. Once users have that idea, phishers are most of the way to
success. Some of the biggest names in, e.g., brokerage services are
offenders on this front.
2. Site owners should not use URL-shortening services, for the same
reason as (1).
3. Site owners should not use QR codes, since fake ones are perfect for
phishing.
4. Browser publishers should petition ICANN to revoke most of the gTLDs
it has approved, since they provide fertile ground for phishing. There
appear to be ~1900 such gTLDs [1]. I doubt that even the largest
corporations have registered their base domains under every such gTLD.
Where does "www.microsoft.somenamethatICANNmightaddasagTLD" go? I sure
don't know where "www.zippenhop.[pick a non-.com gTLD]" goes.
[1] Search for "delegated" status at
https://newgtlds.icann.org/en/program-status/delegated-strings.
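A defender-side check of the kind the two messages above argue for: a Modlishka-style proxy relays the legitimate site's content unchanged, so the registrable domain is the one signal left to verify, and it is exactly what habituation to many domains, shorteners and unfamiliar gTLDs erodes. This is an added example, not code from the thread; the entity and its domains are constructed, and the registrable-domain logic is a last-two-labels approximation rather than the Public Suffix List, which a real deployment would need (e.g. for co.uk).

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains a hypothetical organisation
# actually owns. Keeping this set small is the point of recommendation (1) above.
LEGIT_DOMAINS = {
    "example-bank": {"example-bank.com", "examplebank.com"},
}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: a simplification standing in for a Public Suffix List lookup.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(url: str) -> Tuple[str, Optional[str]]:
    """Return ('legit', entity), ('lookalike', entity) or ('unknown', None).

    'lookalike' means a brand label from the allowlist appears somewhere in the
    hostname, but the registrable domain is not one the entity owns. This covers
    www.<brand>.<other-gtld>, <brand>.com.<attacker-domain> and <brand>-secure.com.
    """
    if "://" not in url:            # allow bare hostnames as well as full URLs
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)

    # Exact match on the registrable domain is the only thing that counts as legit.
    for entity, domains in LEGIT_DOMAINS.items():
        if reg in domains:
            return ("legit", entity)

    # Otherwise look for the brand's leftmost label reused under a foreign domain.
    labels = host.split(".")
    for entity, domains in LEGIT_DOMAINS.items():
        brand_labels = {d.split(".")[0] for d in domains}
        if any(brand in label for brand in brand_labels for label in labels):
            return ("lookalike", entity)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames of the shape discussed in the thread.
    for u in ["https://www.examplebank.com/login",
              "https://www.example-bank.somenewgtld/",
              "https://login.example-bank.com.evil.example/",
              "https://example.org/"]:
        print(u, "->", classify_host(u))
```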
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy