Man, just when we think we have this cybersecurity thing figured out, someone throws a wrench in the works. One of the easiest ways to see if a website is shady is no longer as solid as it once was. Conventional wisdom says checking the URL is one of the surest ways to spot an imposter. That is no longer the whole story.
The URL is a web address like https://www.google.co.zw/
See, fake websites use lookalike domain names that fool people who don’t know to check for that and those who are not paying attention. For example, instead of cbzbank.co.zw (the correct CBZ website) a fake website may be cdzbank.co.zw, a single letter different. The aim is to get users to type their login credentials into the fake website.
Generally, no one can use someone else’s registered domain name, so scammers cannot use the actual URL of the website they seek to imitate. Hence why they change a few letters, use a different ending (.com instead of .co.zw) or put the real name at the front of a longer address that actually belongs to them. That is what made the advice to check the URL solid advice: the real name can’t be copied, only imitated.
The browser-in-the-browser (BitB) attack
A security researcher showed that a web page can draw a convincing imitation of a Chrome pop-up window, built from ordinary HTML and CSS inside the page itself, complete with a typo-free URL and a padlock in its fake address bar. The BitB attack simulates the pop-up windows that ask you to log in to continue. We use Google, Microsoft, Facebook, Apple, Twitter and others’ authentication services (“Sign in with Google” and the like) to make it easier and safer to log into different websites. It is those pop-ups that the BitB attack imitates.
Before the BitB attack was made public, one would have been comfortable with the pop-up above. The URL looks legit, there is a padlock and there are no other obvious warning signs: the page loaded well and there are no graphic irregularities. (Even on a real pop-up, that padlock only means the connection is encrypted; a scammer’s site can have one too, so it was never proof that the site is legit.)
Now, in the age of the BitB attack, that won’t be enough. That can all be faked. So, are we doomed? Not necessarily, there are still ways to ensure we don’t fall for attacks like these.
There is hope
For one, the BitB attack only works after one has already been duped into visiting a malicious site, because the fake pop-up is drawn by that site. So, if you’re on a legit website, a scammer cannot intercept the login pop-up there to our knowledge. One of the rules of the web therefore becomes even more important: be suspicious of links that are shared with you. If you never find yourself on a malicious website, the BitB attack is unlikely to get you. There is also a simple check when a login pop-up appears: try to drag it outside the edge of the browser tab that opened it. A real pop-up is a separate window and will happily move out; a BitB fake is just part of the page, so it gets cut off at the page’s edge and cannot leave it.
Then there is the protection that password managers provide. The BitB attack may fool the human with a perfectly copied pop-up, but a password manager won’t fall for it. The fake pop-up is part of the attacker’s page, so the real address the browser reports for it is the attacker’s domain, not the one painted in the fake address bar. A password manager only offers saved logins for the real address it sees, so there will be no autofill for your Google or bank account. That both protects the user and serves as a warning sign: if the manager doesn’t offer to fill in a login page it normally fills, treat the page as suspect.
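To make those two checks concrete, here is an added example in JavaScript (Node, no dependencies). It is not code from the original article or from any password manager. It models, first, the lookalike-domain check from the typo-squatting discussion earlier (a known-good list plus edit distance, going a little beyond the article by also catching the real name buried in a subdomain and the same name on a different ending), and second, the origin matching a password manager does before offering autofill. The known-domain list, the vault entries and the evil.example address are constructed for the demo; cbzbank.co.zw is the real CBZ domain the article mentions and cdzbank.co.zw is the article’s made-up lookalike.

```javascript
// Added example (not from the original article). Models two checks:
//   1. classifyUrl        - is this address the real site, a lookalike, or unknown?
//   2. autofillCandidates - would a password manager offer saved logins here?
// Domains, vault entries and evil.example below are constructed for the demo.

// Public suffixes made of two labels. A real tool would load the full public
// suffix list; this subset is enough for the addresses used here.
const TWO_LABEL_SUFFIXES = new Set(["co.zw", "co.uk", "com.au"]);

// Registrable domain (eTLD+1) of a hostname:
//   "online.cbzbank.co.zw" -> "cbzbank.co.zw", "accounts.google.com" -> "google.com"
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const suffixLabels = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 2 : 1;
  return labels.slice(-(suffixLabels + 1)).join(".");
}

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      row[j] = Math.min(
        above + 1, // delete a[i-1]
        row[j - 1] + 1, // insert b[j-1]
        diag + (a[i - 1] === b[j - 1] ? 0 : 1) // substitute
      );
      diag = above;
    }
  }
  return row[b.length];
}

// Compare the address the user is about to visit against known-good domains.
// verdict: "trusted" | "brand-in-subdomain" | "lookalike" | "unknown"
function classifyUrl(rawUrl, knownDomains) {
  const host = new URL(rawUrl).hostname.toLowerCase();
  const domain = registrableDomain(host);
  const brandOf = (d) => d.split(".")[0]; // "cbzbank.co.zw" -> "cbzbank"
  if (knownDomains.includes(domain)) return { verdict: "trusted", brand: domain };
  const subdomainPart = host.slice(0, host.length - domain.length); // "cbzbank.co.zw." or ""
  for (const known of knownDomains) {
    // The real name used as a subdomain of a domain the scammer controls.
    if (subdomainPart.includes(brandOf(known))) {
      return { verdict: "brand-in-subdomain", brand: known };
    }
    // Same or nearly the same brand label on a different registrable domain:
    // cdzbank.co.zw, cbz-bank.co.zw, cbzbank.com (different ending).
    if (editDistance(brandOf(domain), brandOf(known)) <= 2) {
      return { verdict: "lookalike", brand: known };
    }
  }
  return { verdict: "unknown", brand: null };
}

// Constructed vault: what a password manager might have saved.
const VAULT = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://cbzbank.co.zw", username: "alice" },
];

// A password manager keys saved logins on the origin the browser actually
// reports for the page (scheme + host), never on text painted inside the page.
// A BitB fake served from https://evil.example that draws
// "https://accounts.google.com" in its fake address bar still has a real origin
// of https://evil.example, so nothing matches. Matching on the registrable
// domain lets accounts.google.com use a login saved for google.com.
function autofillCandidates(actualOrigin, vault) {
  const page = new URL(actualOrigin);
  if (page.protocol !== "https:") return []; // never fill over plain http
  const pageDomain = registrableDomain(page.hostname);
  return vault.filter((entry) => {
    const saved = new URL(entry.origin);
    return saved.protocol === "https:" && registrableDomain(saved.hostname) === pageDomain;
  });
}

function demo() {
  const known = ["cbzbank.co.zw", "google.com"];
  const verdicts = {};
  for (const u of [
    "https://online.cbzbank.co.zw/login",
    "https://cdzbank.co.zw/login",
    "https://cbzbank.co.zw.evil.example/login",
    "https://example.org/",
  ]) {
    verdicts[u] = classifyUrl(u, known).verdict;
  }
  return {
    verdicts,
    // Real origin of the page hosting the fake pop-up, regardless of what it paints.
    bitbAutofill: autofillCandidates("https://evil.example", VAULT).map((e) => e.username),
    realAutofill: autofillCandidates("https://accounts.google.com", VAULT).map((e) => e.username),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and the demo prints the verdicts for each address plus the autofill result for the BitB page (empty) and the real Google page (one entry). The edit-distance threshold of 2 is a starting point: short brand names produce false positives at that distance, so real tooling tunes it per brand and uses the full public suffix list rather than the three-entry set here.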
So, it might be time to think about using those password managers. Find out more about password managers from my colleague who explains why he settled on Bitwarden:
Goodbye LastPass, hello Bitwarden
Then there is all that other advice on how to safely navigate the interwebs:
As we celebrate Computer Security Day let’s remind each other of these good habits
CBZ warns clients of fake email circulating, let us discuss how you can spot fake emails
Are you sure you’re not vulnerable if your phone is stolen?
US$30 million lost to Ponzi schemes this year, here’s how you can spot these scammers
7 thoughts on “Scammers can now convincingly fake browser windows, including URL. You can protect against that”
Here’s the best internet security advice: have more than one email account. One legit Gmail account for your social media and other corporate things (and never link any email to your bank account if you can help it, for obvious reasons) and many burner accounts for you to register other non-essential accounts. This is so that even if they get your account (which they will if they want to, regardless), the only thing they will get is spam. And never ever use the account linked to your bank for anything else, not even to chat to your relatives or even for work. That way you can browse around with your burner account with zero risk.
Yes and yes, truth has been spoken here. One genuine account and one fake; all sites you are not sure about, you register with the fake one.
I was able to identify that yesterday, following a Facebook link posted on a hacked account. The hackers created a fake login with your Facebook account. Unfortunately that wasn’t smart enough to fool me, as I realized in an instant that it was phishing 😂.
I am in high school. I’ve had more than 7 of my classmates hacked the same way since the beginning of this month. It seems better to use the app, since on the browser it is very easy to get phished.
I received a certificate of award from AT&T last year and I paid the affidavit and transfer fees; now they ask for more money.