Man, just when we think we've figured out this cybersecurity stuff, someone throws a spanner in the works. One of the easiest ways to tell whether a website is dodgy is no longer as reliable as it once was. Conventional wisdom says that checking the URL is one of the surest ways to spot an impostor. That is no longer always true.
The URL is the web address shown in your browser's address bar, like https://www.google.co.zw/
You see, fake websites usually have subtle typos in their URLs that fool people who don't know how to check this, or who simply aren't paying attention. For example, instead of cbzbank.co.zw (the real CBZ website), a fake site might use cdzbank.co.zw, just one letter off. The goal is to trick users into entering their login credentials on the fake site, where the scammer collects them.
Nobody can register a domain name that someone else already holds, so scammers cannot use the real URL of the website they are impersonating. That's why they change a letter or two. And that's what made "just check the URL" such solid advice.
The browser-in-browser attack (BitB)
A security researcher has shown that it's possible to draw a legitimate-looking Chrome pop-up window, complete with a typo-free URL in its address bar, using nothing but ordinary HTML and CSS inside a web page. The BitB attack simulates the browser windows that appear and ask you to log in to continue. We use authentication services from Google, Microsoft, Facebook, Apple, Twitter and others (the "Sign in with Google" style buttons) to make logging into different websites easier and more secure. It is these login pop-ups that the BitB attack imitates.
Before the BitB attack was made public, one would have been comfortable with the pop-up above. The URL looks legitimate, there is a padlock indicating a secure connection, and there are no other obvious warning signs: the page loaded fine and there are no graphical irregularities.
Now, in the age of the BitB attack, that won’t be enough. All of this can be faked. So are we doomed? Not necessarily, there are still ways to make sure we don’t fall for attacks like these.
There is hope
First, the BitB attack only works after you have already been tricked into visiting a malicious site. If you are on a legitimate website, a scammer cannot inject a fake login window into it, as far as we know. So one of the old rules of the web becomes even more important: beware of links that are shared with you. If you never land on the malicious website, the BitB attack cannot reach you. And if a login pop-up does appear, try dragging it outside the browser window: a real pop-up is a separate window and moves freely, while a BitB fake is drawn inside the web page and cannot cross the edge of the tab.
Then there is the protection offered by password managers. The BitB attack may fool humans with a perfectly copied pop-up, but password managers won't fall for it. The fake window is just part of the scammer's web page, so the password manager sees the scammer's real domain, not the address painted inside the fake window, and it has no credentials saved for that domain. The result is no automatic password entry, which protects the user. The catch is that this only helps if you rely on autofill and treat "my password manager didn't offer to fill anything" as a red flag, rather than typing or pasting the password in by hand.
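To make the two points above concrete (the lookalike-URL problem from the typosquatting section, and why an origin-keyed password manager is not fooled by a BitB window), here is an added example in JavaScript. It is not code from the original post; the watchlist, vault entries and the login-help.example attacker domain are constructed for illustration, and the tiny suffix list stands in for the full Public Suffix List. Only cbzbank.co.zw is taken from the article.

```javascript
// Added example (not from the original post). Assumptions: a minimal stand-in for the
// Public Suffix List and constructed watchlist/vault data; login-help.example is a
// made-up attacker domain.

// Enough of the Public Suffix List to tell that "cbzbank.co.zw" is a registrable
// domain while "co.zw" is not. A real implementation uses the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.zw", "org.zw", "ac.zw", "co.uk"]);

// Returns the registrable domain of a hostname, e.g. "www.cbzbank.co.zw" -> "cbzbank.co.zw".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join("."); // unknown suffix: assume a one-label suffix
}

// Levenshtein edit distance (single-row dynamic programming). Catches one- or two-letter
// swaps like cdzbank vs cbzbank; it does NOT catch Unicode homoglyphs, which need
// separate handling.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Classifies a URL against a watchlist of domains the user really logs in on.
// Verdicts: "known" (exact match), "lookalike" (typo of a known domain, or the brand
// name hidden in another domain), "unknown" (nothing resembling the watchlist).
function lookalikeCheck(url, protectedDomains, maxDistance = 2) {
  const hostname = new URL(url).hostname.toLowerCase();
  const domain = registrableDomain(hostname);
  let best = { verdict: "unknown", target: null, distance: Infinity };
  for (const target of protectedDomains) {
    const distance = levenshtein(domain, target);
    const brand = target.split(".")[0];
    if (distance === 0) return { verdict: "known", target, distance: 0 };
    if (distance <= maxDistance && distance < best.distance) {
      best = { verdict: "lookalike", target, distance };
    } else if (best.verdict === "unknown" && hostname.includes(brand)) {
      best = { verdict: "lookalike", target, distance }; // e.g. cbzbank.login-help.example
    }
  }
  return best;
}

// Models a password manager's decision: it keys on the origin the browser is really at
// (window.location.origin), never on text painted inside the page. Returns the vault
// entries it would offer to fill.
function autofillDecision(vault, trueOrigin) {
  const pageDomain = registrableDomain(new URL(trueOrigin).hostname);
  return vault.filter((entry) => registrableDomain(entry.domain) === pageDomain);
}

// Constructed sample data.
const watchlist = ["cbzbank.co.zw", "google.com"];
const vault = [
  { domain: "accounts.google.com", username: "alice", password: "hunter2" },
  { domain: "www.cbzbank.co.zw", username: "alice", password: "correcthorse" },
];

// A BitB page: the browser is really at the attacker's site, but the fake window drawn
// inside the page shows a perfect Google URL in its painted address bar.
const bitbPage = {
  trueOrigin: "https://login-help.example",
  paintedUrl: "https://accounts.google.com/o/oauth2/auth",
};

console.log(lookalikeCheck("https://cdzbank.co.zw/login", watchlist)); // lookalike, distance 1
console.log(lookalikeCheck(bitbPage.paintedUrl, watchlist).verdict);  // "known": the eye-check passes
console.log(autofillDecision(vault, bitbPage.trueOrigin).length);     // 0: the manager is not fooled
console.log(autofillDecision(vault, "https://accounts.google.com").length); // 1
```

The contrast in the last three lines is the whole story: the painted URL passes the "check the URL" test, but the manager only ever consults the real origin and so offers nothing on the attacker's page. Matching on the registrable domain rather than the full hostname mirrors the default "base domain" matching most managers use, which is why the saved www.cbzbank.co.zw entry would still be offered on a genuine login.cbzbank.co.zw page.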
So maybe it’s time to think about using these password managers. Read more about password managers from my colleague who explains why he chose Bitwarden:
Goodbye LastPass, hello Bitwarden
Then there are all these other tips on how to navigate the interwebs safely:
As we celebrate Computer Security Day, let’s remember these good habits
CBZ Warns Customers of Fake Email Traffic, Let Us Discuss How You Can Spot Fake Emails
Are you sure you’re not vulnerable if your phone is stolen?
US$30 million lost to Ponzi schemes this year, here’s how you can spot these scammers