Comments

Priit Pirita March 17, 2017 7:06 AM

Google should force user to select one e-mail from incoming folder as a proof. Then when user tries to log in into that account, that e-mail is shown below credentials box as a proof that this is legit Google login screen, as only Google knows which e-mail you choose.

Geert March 17, 2017 7:33 AM

@Priit Pirita,
Before you are logged in, the google login page cannot know from who the email should be taken, and if it takes it after entering the email address,
then everybody would be able to see at least one email from any random other gmail user. And if it’s displayed after being logged in, then it’s already too late.

Olaf March 17, 2017 8:01 AM

Simple solution: brain+communication.

Before opening attachments you didnt expect to get contact shown as sender by mail/phone/sms/whatsapp/…

“Hi, did you recently send me a mail with an attachment?”

Best two-step authentication ever.

Mervyn Bickerdyke March 17, 2017 8:08 AM

Showing an email would be an additional 2nd step during login. But users can also turn on – as recommended in the linked article – 2 factor authentication.

While it would be possible to phish for classic login credentials and the current 2 factor code, this would only give access to the account once (ok, bad enough) but at least not let the attackers take over the account by editing owner information or resetting password. This requires an additional 2 factor authentication.

-.5SIGMA March 17, 2017 8:13 AM

How cruel to target people who are stupid enough to trust Google with their correspondence.

jbmartin6 March 17, 2017 8:24 AM

Google made a change to Chrome,they can’t do anything about how other browsers behave. But I wonder if there isn’t a better fix. Maybe they could strip out data URIs in messages, or put in some sort of speed bump before passing them to the browser. I also wonder if the same technique could be used against other web based mail services. I don’t see why not.

Daniel March 17, 2017 9:27 AM

I am not sure if it is the same attack, but recently (January) the Minister of Security of Argentina fell from a similar scam: she received something from apparently the Embassy of Bolivia, with a pdf attached, she or some member of the staff clicked on it, and was asked to reenter the Gmail password. The hackers took control of the account, and from the Gmail account they took control of the Twitter account and started sending tweets like “I’m a disgrace of a minister and should resign”, “I’m drunk”, and insults to the President.
(She retook control of the accounts later)

Who? March 17, 2017 9:42 AM

@ -.5SIGMA

How cruel to target people who are stupid enough to trust Google with their correspondence.

What about people that does not trust Google (or Apple, Facebook, Microsoft, Twitter, …), never signed an “agreement” with them to sell their privacy very cheap to these evil corporations, but needs to answer an email sent by one of these stupid apes that do not care about their privacy (nor others privacy either) and write from a @gmail.com address?

Lot of time ago I stopped answering emails coming from Google email accounts except to say “do not write me from that account.” My correspondence is not their business (literally) and I do not want my emails scanned by that abomination just because I replied to some moron that accepts any license agreement without even reading it (or, even worse, reading it and not caring).

Is it even legal for Google scanning emails received as a reply to someone that does have a @gmail.com account? If that people that wants a cool @gmail.com address signs these agreement terms that is ok to me. It is not ok that their signing affects my private and highly valued correspondence.

Clive Robinson March 17, 2017 10:23 AM

And people wonder why I did not hand out my email address when I had one, and why I don’t have a personal email address any longer…

There are better ways these days if you know what you are doing, but they are not “glance and click” techniques.

Duncan March 17, 2017 11:07 AM

The big general problem here is that browsers don’t make it easy for users to know which entity they are communicating with. Just try making up a message to send to your friends and family to tell them how to avoid falling for this attack (which I just did). Sure, you can tell them not to click on attachments – but that’s not useful – you might as well tell them not to use the internet at all. No, you have to tell them to look at the address bar (if they even know what that is), make sure it begins with https:// (which probably has their eyes glazing over already), make sure it doesn’t have anything in front of the https, and on and on. Really impossible, in other words, for the average user to know what to look for.

I have an idea that I think would really help, as follows: Every browser should display, in a prominent location that’s clearly separate from the page being viewed, exactly WHO the user is communicating with. I’m not talking about a domain name here, I’m talking about a plain language name of the organization, so the user knows, that they are sending information to “Google, inc.” or “The Alaska state government”, or “Boeing Employees Credit Union (BECU)”, or “Fred’s Online Shopping, Inc.”. This would require that the certificates used in HTTPS contain useful information about the organization to whom the certificate has actually been issued. Ideally, there would be much stronger vetting involved when these certificates are issued, and measures to prevent people from getting certificates with identities intended to trick people, like “gooogle”, and so on. For http connections the browser should display a message telling the user that he/she could be talking to anyone.

Some browsers are sort of moving in this direction. For examplem, safari on mobile devices doesn’t display the address at all, it just displays the domain name and a little lock icon. I think for most users that’s an improvement, although personally I’d rather be able to see the actual full URL I am visiting. But still, this is displaying DNS information, which isn’t what users really need to know – they need to know the identity of the organization that owns the page they are communicating with, and that identity should be given the way humans normally identify organizations – in other words the organization or individual’s proper name.

Elliot March 17, 2017 11:17 AM

This article claims that technically savvy individuals are calling for this, however, I would argue that if you fall for this, you are by definition not technically savvy. In what world does opening an attachment bring up the google login page? It doesn’t work that way. Never has, never will. If opening an attachment brings up a login page, you’re being phished. If you don’t intuitively grasp this concept, you are not technically savvy. Only exception is if your login session has expired. Obviously, sessions don’t expire while you’re in the middle of opening up an email. Unexpected session termination is a red flag.

Randy Stegbauer March 17, 2017 11:41 AM

@Elliot, While I agree with you that the logon page should be the first sign, I always look first at the URL. Hopefully, I would notice the “data:text/html” prefix.

My first solution would be to suggest to modify the browsers to not allow these data URIs by default. I’ve never seen one being used in an actual application. (Now I’m sure I’ll be inundated with counter-examples.)

Daniel March 17, 2017 11:51 AM

Sure, you can tell them not to click on attachments – but that’s not useful – you might as well tell them not to use the internet at all.

Here is the root of the problem. We have created a culture and a generation of gullibility. So long as people see every iota of data on the web as another little treat on the hedonistic treadmill there is nothing that information security can do to stop it. Technology cannot cure opsec fails.

An individual has a skull around their brain to protect it. If a person continually bashes their head into the wall till their brains spill out that is not a problem with the skull–it is a problem with the brain. It is bad behavioral security to trust your log-in credentials to a website whose URL you did not type in yourself. No browser update can fix the users lack of self-restraint.

Duncan March 17, 2017 11:59 AM

Daniel wrote: “…Technology cannot cure opsec fails.”

Maybe true. But Technology can certainly make it more or less likely for opsec fails to occur.

I read somewhere that the majority of baby car seats are not secured properly, and in the event of a crash the seat would go flying around inside the car. How do you interpret this? Parents need to be much more careful and do a better job of securing baby seats. Well, yes. But that’s not what I would think of first. I would immediately think that car seat manufacturers and car manufacturers need to do a much better job of making it easy to attach baby seats, and completely obviouis when they are attached wrong.

I still maintain that telling people not to click on attachments is useless advice. The fact is that it’s extremely useful to be able to send and receive attachments in email. I’ve downloaded half a dozen attachments from email in the past hour (receipts from a recent trip). Telling people not to download attachments would be like telling parents just not to take their baby with them in the car, because it’s too hard to be sure the baby seat is properly attached.

No, it’s too easy to blame the failure on the users, but that’s not where the blame should be assigned.

Spookmail March 17, 2017 12:01 PM

Gmail IS the ultimate phishing scam in and of itself. Cue Gmail suits in one court case:

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS [electronic communications service] provider in the course of delivery.”

QED.

Protonmail or no email is best, if you can live without it.

CallMeLateForSupper March 17, 2017 12:15 PM

Despite having read the linked article three times, the sequence of events in this attack makes little sense. I must have missed something.

1) Attacker sends email cum mal-attachment.
2) Target LOGS IN to her Gmail account, selects the bogus note, and tries to view the attachment.
3) Target finds herself looking instead at what appears to be a legit Gmail log-in page.

Huh? She was already logged in. Does Gmail actually require a logged-in user to log in?

That alone would raise my shields, no noticing “blurry” page or goofy URL required.

k15 March 17, 2017 12:28 PM

Is Google open to learning about & fixing some of its security flaws, the ones that don’t fit into standard categories?

How would you be able to tell?

k15 March 17, 2017 12:33 PM

CallMeLateForSupper, Amazon does logins on top of logins, so anyone using both services is probably desensitized to seeing an additional login screen.

Daniel March 17, 2017 1:02 PM

@Duncun

Of course technology can help. But that is most definitely not the issue in this specific case. Here’s the opsec rule:

Never enter your login credentials into a website whose URL you did not type into the browser yourself.

That is no different than:

Never drive off with the child’s carseat unbuckled

What the internet lacks is a regulated means of positive punishment (I use that in the psychological sense of the term). In the off-line world if a person fails to buckle their seatbelt they can be fined and may be forced to show up in court. Getting hacked is the on-line equivalent of this positive punishment, it’s the “fine” for not following the rules. The difficult with using hacks as positive punishment is that for most people the incidence of hacking is too low and the harms too abstract to influence behavior. This is the exact same problem that existed with seatbelts (replace hacking with fatal accidents). The public policy solution was to involve the police but there is no on-line police force in this sense.

No, it’s too easy to blame the failure on the users, but that’s not where the blame should be assigned

We assign blame to the user in the off-line world so why on earth would me not assign blame in the on-line world?

Who? March 17, 2017 1:07 PM

@ CallMeLateForSupper

Huh? She was already logged in. Does Gmail actually require a logged-in user to log in?

Yep. If I remember right some changes done in https://accounts.google.com/ require re-authentication when applying. Of course it should not happen when downloading an attachment, but it is something a user may fail to notice opening a window of opportunity for this attack to become successful.

Winter March 17, 2017 1:18 PM

I suppose Lastpasd and browser password vaults would not give out a password. Would that not be a warning?

In other words, doed using a password vault help?

Who? March 17, 2017 2:23 PM

@ Winter

Using a password vault may help, but it opens a wide range of completely different —and more dangerous— attacks. I would never store a password on-line, encrypted or not, nor would use non-airgapped devices to store it.

Martin March 17, 2017 2:38 PM

@ Winter, @Who?

An on-line password manager has some risk. If you’re concerned, a better choice is an off-line password manager such as Password Safe. It is good, very, very good, but can be made even better by utilizing the YubiKey 2-factor authorization feature.

If some folks believe I’m not on target with this approach (statement), I’d really appreciate feedback.

albert March 17, 2017 4:10 PM

@Daniel,

“…not a problem with the skull–it is a problem with the brain…”

No, it’s the -wall-. We must fix the wall.

If walls were softer…..perhaps padded?….

. .. . .. — ….

Gabriel March 17, 2017 4:11 PM

“In addition, people should add two-step authentication, an added layer of security that can help prevent account takeovers.”

This is exactly the kind of attack that can’t be prevented by using MFA.

Armin March 17, 2017 4:41 PM

Headline: everyone is falling for it

Tom Scott quoted in article: I almost fell for it

Do they have no editors any more as that’s an obvious and blatant contradiction?

Clive Robinson March 17, 2017 5:55 PM

@ Martin,

If you’re concerned, a better choice is an off-line password manager…

The problem is “What is ‘truly’ off line and what is psudo or faux off line?”.

If there is not a choke point in the communications channel between the manager and the computer that you 100% control, then it’s faux off line.

So if you plug the manager into the computer via a USB or other connector etc, and unless you can instrument it properly you can not see if there is another say covert time channel getting at the secrets on the manager…

It’s a very real problem and few not in the technical side of the “guard labour” IC / LEA / Mil actualy know about the possibility let alone the consequences and how to mitigate them.

When you consider this aspect a slip of paper in the wallet or scriblings in the back of a diary start looking a lot more secure.

Duncan March 17, 2017 6:14 PM

@Daniel wrote: Here’s the opsec rule: Never enter your login credentials into a website whose URL you did not type into the browser yourself.

I guess we are going to have to agree to disagree. I mean, I agree that’s a valid opsec rule. I just don’t agree that it’s any way realistic, or even reasonable, to expect most users to follow that rule. Let me ask you this: Do your mom and dad follow that rule? Your kids? Your grandma and grandpa? Many users probably NEVER type URLs into the browser bar – everything they do is driven by clicking links, bookmarks, etc… Heck, I would bet that only a minority of readers of this forum follow that rule 100% of the time.

Another area where we may have to agree to disagree is: whose responsibility it is to provide security? Sure, users have to take some responsibility. But software vendors can, and should, make it much easier for the average user to achieve security. I would argue that, right now, it’s pretty much impossible for the average user to use the tools they are offered (email, social media, etc.) in a secure way. If “real world” products were as difficult to use, and as likely to cause harm, as most of the software we use, there would be a LOT of product liability lawsuits. If I bought a door lock that was advertised as secure, but was made in such a way that it looked like it was locked when in fact it was unlocked, and my house got broken into, I think I might have a good case for a lawsuit.

Anyway, regardless, can we agree that more could be done, and should be done, to make it easier for users to be secure? Any comment on my idea that the browser should make it much clearer to the user exactly WHO they are communicating with, without expecting the user to understand the structure of URLs?

Duncan

Compartmentalize everwher please March 17, 2017 6:31 PM

My policy usually is never share my privacy and security defenses, i will make an exception here:

Please compartmentalise everywhere possible: e.g. the John Podesta hack of the gmail email accont could have been prevented by having a dedicated administration email address that is only known by google and that will handle all security communications from google and a separate email address for contacts with DC technical support and only known by him the tech support and other comapertment emails for compartmentalized partioning of distinct elements of Democratic party business. The comapartment must secure against cross contamination of partions and cross-infection by malware.

Spear phishing will most likey first land in the wrong email and this can give you a heads up that you a target. The tech suupport people will become a rich target for spear phishing so that their compartmentalization has to be even robust like using a totally separated systems that have no way being cross-infected and solely dedicated only for tech support and nothinge else.

I will be patenting the above system if there is similar prior art, Ha, ha, ! All rights resevered!

Honey pot March 17, 2017 7:05 PM

Why stop at legitimate compartments, why not throw in several honey pot comparments to sweeten your strategy

And why stop comparments at the level of email, go ahead and put inextra defenses; hoops and jumps to prevent a compromised email compartment; inboxes and sent boxes from being accessed if the first layer of defense is breached, a layer forbidding sending of images, javascript etc. robust layering and robust compartments will slow down yor adversary.

Layering and robust compartments are like locks, there are there to slow down intruders.

furloin March 18, 2017 1:47 AM

I started blocking all images as I web browse a few years ago. First I heard about tracking pixels. Now this clever scam. Next they will exploit bugs in the image libraries similar to androids libstagefright bug a year or so back. I suggest turning images off unless you want to see something specific. Makes some pages load much faster too for those of us with slow/throttled ISP’s. Also why use google for anything in the first place? They are a nice search engine and a app store for android. Even those are fading away. Everything else is copy paste of mission creep and confusion.

@Clive @Martin

Or just keep the passwords in your head and not manage any of them outside your mind.

supersaurus March 18, 2017 5:23 AM

@furloin
“…just keep the passwords in your head…”

if you use different strong passwords for sites that matter to you it is quite unlikely that you’ll be able to make that work. for example how long can you remember this: “Ypx7Pr01Go6iVVJ9nhidac12Opapivab”? or suppose you get a bang on the head and part of what shakes loose is your strong password list?

Google Drive neutered: Compartimentalization edition March 18, 2017 9:27 AM

Google should consider comunicating with users via a messages tab or panel and not via email messages.

Re: attachment on google drive or some other google service requires entering credentials in order to be accessed.

A compartimenentlizing strategy will mean that the email account receiving emails will be prophylacticized by disabling all services that are not email.

Google drive for incoming documents will have its own account that is distinctive and conspicously recognizable as such

Google drive for outgoing documents another seperate account that is distinctive and conspicously recognizable as such

Google drive for user’s projects documents another seperate account that is distinctive and conspicously recognizable as such

OtherDaniel March 18, 2017 1:53 PM

@Daniel wrote: Here’s the opsec rule: Never enter your login credentials into a website whose URL you did not type into the browser yourself.

+1 ! Then, only choose banks and mail accounts for which the website URL is short enough to be typed and in which typos are easily detected.

Sean March 19, 2017 8:17 AM

Thanks to 2-step verification, I wouldn’t have been hacked. Tricked, maybe.

We usually recommend to avoid storing passwords in the browser settings. Like safety belts, this is the kind of things that wouldn’t have worked with less (or different) security.

Bilsko March 19, 2017 8:32 PM

Google also logs the IP address from every log-in to your account and typically if a log-in comes from an IP/location that doesn’t look right, they’ll alert you.

So, if you suspect your account has been compromised, take a look back through the list of IPs that have accessed your account.

Mike S March 20, 2017 5:09 AM

Isn’t this exactly the kind of thing that Trusteer Rapport is designed to protect against. I always check the little box is green before entering my login details. Also since I have sites like Google logged in constantly on trusted devices, I am immediately suspicious of being re-directed to another login page.

Andrea March 20, 2017 1:16 PM

1st Security golden rule: any system is as much secure as its less secure part.
2nd Security golden rule: there is no absolute security, it is not a question if your system will be compromised or not, but only when it will be…
3rd Security golden rule: Security is a process, not a technology, it is only up to you, and worse, you can not delegate to someone other.

Anytime you give up to do what you should, you are exposing you to some more or new risk or threat, maybe, probably, you are wasting time and money spent by someone other to help you to be “more secure”…

…Worse, everyone gives up, everyone makes mistakes, sometimes, someone gives up and makes mistakes without knowing it. I am human, I make mistakes, worse, sometimes I give up, but at least I know it, and what about you?

These kind of attacks works very well because they are not attacking the technology, instead they are aiming between computer and chair.

Yahoo breach March 20, 2017 7:52 PM

Here we go again!

How did Yahoo get breached? Employee got spear phished, FBI suggests
https://arstechnica.com/tech-policy/2017/03/fbi-hints-that-hack-of-semi-privileged-yahoo-employee-led-to-massive-breach/?comments=1&vs=b</a href=”URL”>

social engineering or spear phishing “was the likely avenue of infiltration” used to gain the credentials of an “unsuspecting employee” at Yahoo

Unwitting sysadmin or other employee was conned out of credentials, FBI theorizes

Palmore declined Ars’ request to elaborate during a brief interview inside the San Francisco FBI office, and he would not say whether the government or Yahoo discovered the breach. He also would not say how long the intrusion lasted before it was cut off.

Arie March 20, 2017 11:23 PM

@Duncan wrote: “Any comment on my idea that the browser should make it much clearer to the user exactly WHO they are communicating with, without expecting the user to understand the structure of URLs?”

Is this not exactly the problem that EV certificates are trying to solve? In particular – without the additional step of identity validation which is performed by CAs there is no way that a browser can rely on the information in a DV cert in order to provide identity information to the user. The company name of many banks and online payment providers are clearly displayed in my browser, but Google does not use EV certs for (most of) it’s sites.

Mike March 23, 2017 8:08 PM

This particular phishing scam would not have worked on me. Why? Because I use Mozilla Thunderbird for my Gmail, with default settings. With these settings, images are not downloaded. Attachments are shown in the attachment area of the app interface, and in this case, there was no attachment – only an image. (And if there was a .pdf attachment, I wouldn’t have downloaded it.)

An additional advantage of using Thunderbird (with default image settings) is that I am tracked less than I would be using Gmail in the browser. Why? Because there is a lot of tracking in email image pixels. No image pixels for me, with the above settings.

I recommend you try using Thunderbird. It makes email be about email again.

md5 October 27, 2017 1:39 PM

Remember the old days before email? There used to be just one mail, and it’s physical mail. Post office is at the same place you recognize. You don’t need to “authenticate” the post office (unless you’re in a modern day Asian counter where counterfeit industry makes fake police stations).

Now lots of people use email that’s hosted by Google/Yahoo/Microsoft. And lots of people use web browsers on cellphone and computers to check email. Browsers don’t tell you much more than “the site has a legitimate certificate that matches the domain name, issued by a trusted certificate authority”.

Browsers need to tell users much more than that. It needs to be able to tell people “this looks like Google but it’s not really Google. Do you want to go there?”. In order to do that, some AI recognizing the page needs to be in place. Techniques like embedding invisible content to confuse the AI can still be employed, but this makes it more and more expensive for spammers/phishers.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.