
Google Phishing Quiz - technion
https://phishingquiz.withgoogle.com/
======
orastor
Seems odd to me that they would encourage allowing 3rd party sites to read all
your email, but I guess this is where we're at right now

~~~
CM30
Yeah, that's the only reason I got a question 'wrong'. Sorry, but no third
party app is getting access to my email for obvious security reasons. Doesn't
matter how 'legit' the company is or what not.

~~~
drusepth
This sounds conceptually right and I would definitely agree with it... if I
hadn't given multiple sites access to my email over the years.

Anything that interacts with your email is going to need it, and if you're
signing up for that service odds are you know (or at least assume) it'll need
some kind of access to your email. For example, I used unroll.me for years,
which gives you a singular interface to block spam and fake subscriptions --
for these kinds of emails, there's often no (working) unsubscribe link.
Unroll.me works by looking at each incoming email and, if it's from someone
you've blocked, automatically deletes the email.

Similarly, it has other services that operate on emails you receive, like
bundling up multiple emails into one (which, on the backend, deletes
those incoming emails and concatenates them into a singular email with them all
later).

It's easy to say "i'll never give a third party app access to my email", but
for most people it comes down to the age old problem of trading data for
services/conveniences that you find valuable.

Side-note: There've been many rumors over the years that Unroll.me sells
information about the emails it scans. I think it's even more telling of the
"trade data for service" paradigm that people continue to use the service even
after finding out.

~~~
cosmie
> There've been many rumors over the years that Unroll.me sells information
> about the emails it scans.

It's not just rumors, it's stated clearly (if in softened terms) on the site
now[1]. Although it wasn't for the first few years, as their original
monetization model wasn't based on it.

The big stink about it was that they shifted to that model silently. The
original founder only monetized it in a straightforward manner via ads in the
app. Then it was sold to Slice/Rakuten, and they silently incorporated it as
part of Slice's consumer intelligence data, along with data from other
subsidiaries they bought such as Ebates.

Small aside: Rakuten also has a major stake in Acorn[2]. Acorn uses Plaid to
verify bank account information for payouts. Plaid[3] is incredibly handy from
a consumer experience, but the implications are scary from an "alternative
use" perspective. Once connected, there are several _handy_ Plaid products[4]
which can make use of that authorization, above and beyond just confirming
account ownership. Such as continuously siphoning off transaction level
records or keeping tabs on income and employment fluctuations[5].

Not that Rakuten is leveraging their stake in Acorn to access Acorn's bank
authorization for those ulterior uses. But it's food for thought on what
possibilities exist.

> I think it's even more telling of the "trade data for service" paradigm that
> people continue to use the service even after finding out

I agree wholeheartedly with this assessment. Although I wonder how much their
subscriber growth rate changed after their alternative data use came to light.

[1] [https://unroll.me/your-data](https://unroll.me/your-data)

[2] [https://techcrunch.com/2016/04/21/paypal-invests-30-million-...](https://techcrunch.com/2016/04/21/paypal-invests-30-million-in-acorns-investing-app/)

[3] [https://plaid.com/](https://plaid.com/)

[4] [https://plaid.com/products/](https://plaid.com/products/)

[5] [https://plaid.com/products/income](https://plaid.com/products/income)

------
jtokoph
While the domain is a legit Google domain, I find it ironic that it’s hosted
on “withgoogle.com”. If my parents followed my anti-phishing tips they would
fail by clicking this link.

~~~
bduerst
withgoogle.com is more of a 'sandbox' for Google one-off programs, labs,
events, etc. which don't need to have the same branding guidelines as on
google.com domain.

~~~
scarmig
...so?

It's still a phishing vector. Teaching users that sometimes Google throws
together half-assed domains encourages them to trust any domain with "google"
in it.

~~~
bduerst
AFAIK they don't have any pages there that allow account login, for that and
other security reasons.

~~~
owaty
Yes, but:

> Create a name and email — neither need to be real — to make this quiz seem
> more realistic. Don’t worry, this information won’t leave your device.

I'd trust this notice if I knew it came from Google, but since it was placed
on a phishy-looking website, it really gave me pause.

------
julianozen
I wanted to point out one of the phishing schemes used a google amp link to
disguise a URL as being from google..... sigh <insert regular complaint of
google amp ruining the web>

~~~
londons_explore
My bet is on this site being developed by a google security team to try to
embarrass other teams around google to get their act together and close flaws
like this.

The concept of AMP for example should have been built into browsers, perhaps
as a new protocol, for example:

amp:[https://newyorktimes.com](https://newyorktimes.com)

Then the browser can go to _any_ amp-provider to retrieve the amp page, which
will be signed by the origin that it came from so the browser can still
validate the amp-provider hasn't tampered anything. That model would also let
any company be an amp provider with no trust required.

The benefit of AMP is much reduced with QUIC zero-rtt resume anyway.

~~~
PaulBGD_
Or just `amp://nytimes.com`, would make more sense even if it's being sent
over https.

------
zulln
A bit annoying that the fact that Dropbox used HTTPS links is highlighted as
a sign of it being legit. I have always suspected such advice makes people
think HTTPS is actually somehow magically secure, while it has nothing to do
with phishing-related issues.

~~~
LambdaComplex
I guess that depends on whether or not MITM is an attack vector that you're
concerned about.

------
cbanek
I missed two: the "allow some random person to read your email" which I would
never click on, and the one that had a PDF, even though they don't allow you
to do anything with it. Just because someone sends you a PDF doesn't mean it's
an attack vector. It would have been more helpful to say something like "this
is someone you do business with as well, or someone you've never heard of."
(which I find to be more useful signal on if I want to look at an attachment,
though even if they are someone I know, do they have a reason to send me that
PDF is the second question). Unsolicited attachments are always suspect.

~~~
justusthane
On the PDF one, it tells you in the "intro" blurb that the sender's email
address is wrong. Should be .edu and it's .org.

~~~
verbify
I don't know if that would be enough in real life for me. I know some
organisations use two different domains (e.g. they did a transition but they
don't want to turn off .org just in case something still uses it, the IT team
forgot that Sam has two Outlook profiles, one is on .org).

And while pdfs can be attack vectors, they're not an especially strong one -
it's not like running an exe with administrator privileges.

Comparatively giving a third party access to your emails should definitely
raise flags.

~~~
Zarel
They even had a legitimate example, of Dropbox sending an email from
dropboxemail.com.

I honestly think this should never be done because users shouldn't be expected
to know which domains you do and don't own.

~~~
verbify
Your first point is definitely correct - their guide is confused at best.

As to your second point, I agree in terms of 'best practices', but in terms of
teaching about phishing, the fact is, companies do use multiple domains (and
some deliverability guides actively encourage different domains for marketing
emails and transactional emails - companies should use subdomains for this,
but not all are that savvy).

Given that companies are sending from multiple domains, I think the litmus
test for phishing is:

"Is the email trying to get me to give me information? E.g. a login on the
wrong site, sending card details or anything like that"

Your pdf reader should allow you to open a pdf without being compromised (just
as your browser should allow you to click a dodgy link without being
compromised). So I think that item should pass the litmus test (unlike the
email reading one).

------
technion
Hi All,

I posted this here because I think it's great there's some effort being put
into free training in this region.

I do however agree with some of the comments here. I had been hunting for
something like this to use as our own training, but it won't be this because I
don't agree with the TripIt example.

Edit: Maybe there should be a "maybe" or "consider" answer. "This is a
legitimate company. However, their desire to access your email is something
you should carefully consider".

~~~
bargl
100% this. I think sometimes people miss the target demographic for something
like this. My 70s+ year old dad and mom got phished. This might help them
understand why they shouldn't have clicked the link.

A technical solution to security should be sought out as well. This doesn't
remove ANY responsibility from companies for having good security.

It does help to empower the less technical users.

------
scarmig
Phishing, especially the targeted type, is impossible to combat at scale, and
expecting users to know the ins and outs of what's a safe domain
(withgoogle.com? Is it safe or not?) or to try to identify legitimate
communications is a stupid waste of time.

Long term the solution is ubiquitous hardware-based 2FA, ideally incorporated
into the physical devices themselves.

~~~
bargl
True, but a solution doesn't have to be single sided.

I can easily send this link to my parents and then they know a little more.

Expecting users to know is ridiculous, but offering tools for people to help
educate their less tech savvy loved ones is awesome. That's kinda how I see
this. It helps me empower my parents a little more.

~~~
scarmig
I agree that it doesn't have to be single-sided, and we need multiple angles
to protect against phishing.

This quiz isn't it, though. You and I know what domains are; we know what's
possible; we can sense when something's off. It's our bread and butter. The
average user knows none of these things, and giving them a dozen rules to
follow that will work a lot of the time is in the end confusing.

A better set of rules to link your parents to is this:

1) Trust nothing over email. If your bank sends you a notification, don't
click on the link in your email: just go directly to your bank's website and
log in.

2) That's about it.

~~~
ptoomey3
I’m not even convinced “don’t click links” is the best guidance. That message
has been pushed so hard that people immediately think their machine has been
compromised once they have clicked a shady link. That is nearly never the
case. Clicking links isn’t something that should cause fear. Nobody is burning
a modern browser vuln in a spam email. I think the message should be more
focused on not manually entering credentials into a site. Lean on your browser
to validate domains and know which sites are associated with which credential.
I say that somewhat aspirationally, as I still think there is lots of room for
how well browsers and password managers work for novice users.

~~~
scarmig
Agreed that clicking links is usually safe.

My point is, as a broad-based message, as soon as you start saying complicated
words like "browser" and "validate domains" and "credential" and "password
managers," nontechnical eyes immediately glaze over. I think your advice works
for the most technically inclined 25% of users. It just confuses the rest.

"Don't click links," despite having more false positives when used as an
individual's safety heuristic, resonates more and thus will result in many
fewer false negatives when applied to the general public. The cost of a false
positive is relatively low, while the cost of a false negative is high.

------
invalidusernam3
Funny considering Google still has a UX vulnerability in their gmail
interface: [https://eligrey.com/blog/google-inbox-spoofing-vulnerability...](https://eligrey.com/blog/google-inbox-spoofing-vulnerability/)

"The link mailto:”support@paypal.com”<scam@phisher.example> shows up as
“support@paypal.com” in the Google Inbox composition window, visually
identical to any email actually sent to PayPal."

It has been fixed in the web version, but apparently the Android app still has
this issue
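The quoted spoof works because a mailto: recipient is an RFC 5322 address: a quoted display name followed by the real addr-spec in angle brackets, and the client rendered only the display name. The following is an added example (not from the linked post, and not code from Google or from this thread) that shows, on the defender's side, how to pull both halves apart and flag a link whose visible name is itself shaped like an address but does not match where mail would go. It uses only the standard library; the HTML body and every address in it are constructed for the demonstration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote


def mailto_target(uri: str) -> tuple:
    """Split a mailto: URI into (display_name, real_address).

    The recipient is everything between "mailto:" and the first "?",
    percent-decoded and then run through the RFC 5322 address parser,
    which is what separates a quoted display name from the addr-spec."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    recipient = uri[len("mailto:"):].split("?", 1)[0]
    name, addr = parseaddr(unquote(recipient))
    return name, addr


def looks_spoofed(uri: str) -> bool:
    """True when the display name is itself shaped like an address
    but differs from where the mail would really be delivered."""
    name, addr = mailto_target(uri)
    if "@" not in name:
        return False
    return name.strip().lower() != addr.strip().lower()


class _MailtoCollector(HTMLParser):
    """Collect href values of <a> tags that start with mailto:."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        href = dict(attrs).get("href") or ""
        if href.lower().startswith("mailto:"):
            self.links.append(href)


def find_spoofed_mailtos(html_body: str) -> list:
    """Return (display_name, real_address) for every mailto: link in an
    HTML body whose visible name disagrees with its true recipient."""
    collector = _MailtoCollector()
    collector.feed(html_body)
    return [mailto_target(h) for h in collector.links if looks_spoofed(h)]


# Constructed sample body; the addresses are illustrative, not real.
SAMPLE_HTML = """
<p>Questions about your account? Write to
<a href="mailto:%22support@paypal.com%22%3Cscam@phisher.example%3E?subject=Help">support@paypal.com</a>.</p>
<p>Billing: <a href="mailto:billing@shop.example">billing@shop.example</a></p>
<p>Or <a href="mailto:PayPal%20Support%20%3Csupport@paypal.com%3E">PayPal Support</a></p>
"""

if __name__ == "__main__":
    for name, addr in find_spoofed_mailtos(SAMPLE_HTML):
        print(f"displayed as {name!r} but delivers to {addr!r}")
```

The same rule (treat the addr-spec, never the display name, as the recipient) is what the fixed web client now does; running this over a stored HTML message is a cheap way to surface links a mail client might still render misleadingly.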

------
Leace
What happened with the Gmail's Authenticated Senders key icon for e-mails from
certain high profile sites that properly validate through DMARC? (described
e.g. here [0])

[0]: [https://www.pcworld.com/article/2921383/software/4-gmail-lab...](https://www.pcworld.com/article/2921383/software/4-gmail-labs-features-you-should-be-using.html)

------
abtinf
I had no idea google allows arbitrary redirects through its own
[https://google.com](https://google.com) domain. Why?

~~~
AgentEpsilon
Actually, it looks like navigating to the link you're talking about
[https://google.com/amp/tinyurl.com/y7u8ewlr](https://google.com/amp/tinyurl.com/y7u8ewlr),
or any link beginning with [https://google.com/amp/](https://google.com/amp/),
will first bring you to a redirect confirmation, not immediately redirect you.

(The shortlink above is actually safe - it redirects to
[https://jigsaw.google.com/](https://jigsaw.google.com/))

~~~
philcolbourn
does anyone know where google documents this?

------
jimhefferon
It says:

    Incorrect!  Not everything is bad.

I think that is mistaken.

------
SimeVidas
LOL One of the phishing examples is a page hosted on Google AMP Cache.

~~~
underwater
”This one is a little tricky”. No, it's a complete security trainwreck that
Google have opted into for no good reason.

------
yellowapple
I missed the one with the PDF attachment, for multiple reasons:

* To my knowledge, there are no extant PDF-based viruses that would affect me (on either Linux or OpenBSD), and just because something's infected with malware doesn't mean it's a phishing attempt (it could be that it's a legitimate email from a sender whose computer is infected with some malware that spreads itself through PDFs).

* The PDF is actually attached, so if this were a real email it would pop up in Gmail's built-in attachment viewer (and any errors occurring there would be more cause for alarm).

* Not all schools use .edu domains at all, let alone exclusively.

All things considered, the question's wrong. It's not conclusively a phishing
attempt. It might be some other kind of malicious email, but phishing emails
are a subset of malicious emails, not the other way around (just like how all
carrots are vegetables but not all vegetables are carrots).

------
amayne
The Tripit one is very problematic. They don’t say that you installed TripIt.
I’m supposed to allow any Google third-party access to my email? Even if I
didn’t initiate that?

Hovering over the “allow” button doesn’t show anything. They need to reword
that one.

------
gregmac
I dislike several aspects of this quiz, and think it's actively harmful to
users. It's great to train on the URLs, but that's not the only warning sign
with these.

---

1) "Hey there. Here is the doc you asked for."

Did you ask for a doc? Do you know this person? If no, these facts alone
should be giant warning signs.

---

2) Fax Message from efacks.com

Do you have an account with this service, where you explicitly signed up to
receive faxes? If not, obviously you shouldn't be getting faxes from them so
it's not legitimate.

---

5) "Please find attached the 2019 financial activity report for your perusal."

Aside from giving away the answer in the title [1], this isn't a good example.

First line of defense, once again: Do you have an account with "Westmount Day
School", and are you expecting a "financial activity report"?

Also, spoofing "from" e-mail addresses is a thing, and completely trivial, so
relying on that is not a way to verify authenticity.

What's not mentioned is being aware of what PDF reader you're using: eg, do
you regularly make sure it's up to date? Personally, I use Chrome as my PDF
reader as I'm not a fan of Adobe products or their security track record in
general.

Also in my experience, these types of e-mails often come in with an attachment
like "2019 F.A.R.pdf.exe" (or a zip file that contains an exe), and not an
actual PDF file. This would have been a great way to train users on this
point.

---

6) "Someone has your password"

The two reasons that this isn't legitimate are listed as "We don't use
google.support to send emails" and "This link points to a subdomain of ml-
security.org, not Google." [2]

So once again, spoofing "from" addresses is trivial -- so that is not a
security measure. Secondly, how should I know what mail comes from? There was
an earlier example of a legitimate message from Dropbox coming from a non-
dropbox.com address (dropboxmail.com).

Also, the best defense against this is not mentioned: Never log into sites by
clicking on links in e-mails! This includes changing your password. The only
exception to this is a password reset mail when you explicitly just asked for
a password reset.

---

7) "Government-backed attackers may be trying to steal your password"

Once again, "Change password" link in e-mail. Don't click it.

---

8) Tripit Security prompt [3]

Sorry, but this is a terrible example.

First of all, am I trying to perform some action with Tripit that this prompt
is expected? If no, don't allow (in fact, just close the window)

Secondly, what does my browser window show? If you're on google.com (or
gmail.com) and this appears, that's one thing, but if your browser is showing
google.security-check.se then no, don't click anything and just close the
window.

Third, even assuming this is all okay, do you _want_ Tripit to have access to
view email messages and settings? If all you were trying to do is use your
Google account to authenticate, the fact it wants access to view all your
messages is highly suspicious. In this particular case (because it's Tripit, a
service that parses your email), this is probably your intention, but if it
also asked for other permissions -- such as ability to manage contacts and
send messages on your behalf -- you might want to think twice.

---

Training like this is good, but phishing e-mails can be very devious and
training users on the wrong things -- such as trusting "from" addresses, not
considering context, and not looking at actual attachment types -- is
extremely dangerous. In the worst case, it can train users to click on things
they otherwise wouldn't have, due to false confidence obtained by (inadequate)
training.

[1] [https://i.imgur.com/8mNePZS.png](https://i.imgur.com/8mNePZS.png)

[2] [https://i.imgur.com/tpJMb5n.png](https://i.imgur.com/tpJMb5n.png)

[3] [https://i.imgur.com/KfNDuZI.png](https://i.imgur.com/KfNDuZI.png)
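gregmac's point about attachment types (a "2019 F.A.R.pdf.exe", or a zip wrapping an exe, rather than an actual PDF) is something a mail gateway or a triage script can check mechanically. The following is an added example, not code from the quiz or from anyone in this thread: it builds a constructed message with three attachments (a real-looking PDF, a double-extension executable declared as application/pdf, and a zip holding a .scr), then judges each by its last extension, by its leading bytes, and by the names inside any archive. Sender and recipient addresses, file names and payload bytes are all made up for the demonstration.

```python
import io
import zipfile
from email.message import EmailMessage
from typing import Optional

# Extensions Windows will run on a double-click; the last extension is what counts.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "js", "vbs", "ps1"}
# Harmless-looking extensions attackers pad in front of the real one.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Leading bytes for the three container types this check cares about.
MAGIC = (("pdf", b"%PDF-"), ("exe", b"MZ"), ("zip", b"PK\x03\x04"))


def sniff_type(data: bytes) -> Optional[str]:
    """Classify content by its first bytes rather than by filename or Content-Type."""
    for label, magic in MAGIC:
        if data.startswith(magic):
            return label
    return None


def name_extensions(filename: str) -> list:
    """All dotted extensions, lower-cased: '2019 F.A.R.pdf.exe' -> ['a', 'r', 'pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def assess_attachment(filename: str, content_type: str, data: bytes) -> list:
    """Reasons an attachment should be treated as hostile; an empty list means no finding."""
    reasons = []
    exts = name_extensions(filename)
    final_ext = exts[-1] if exts else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final_ext}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document extension used to disguise an executable")
    actual = sniff_type(data)
    if actual == "exe" and final_ext not in EXECUTABLE_EXTS:
        reasons.append("Windows PE header (MZ) behind a non-executable filename")
    if content_type.lower() == "application/pdf" and actual != "pdf":
        reasons.append("Content-Type claims PDF but bytes do not start with %PDF-")
    if actual == "zip":
        # Look inside archives: a .zip is the usual wrapper for a disguised .exe/.scr.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                member_exts = name_extensions(member.rsplit("/", 1)[-1])
                if member_exts and member_exts[-1] in EXECUTABLE_EXTS:
                    reasons.append(f"archive contains executable {member}")
    return reasons


def audit_message(msg: EmailMessage) -> dict:
    """Map each attachment filename to its list of findings."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = assess_attachment(name, part.get_content_type(), part.get_payload(decode=True))
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed test mail: one real-looking PDF, one double-extension .exe, one zip with a .scr."""
    msg = EmailMessage()
    msg["From"] = "bursar@school.example"   # constructed sender, not a real address
    msg["To"] = "parent@home.example"       # constructed recipient
    msg["Subject"] = "2019 financial activity report"
    msg.set_content("Please find attached the 2019 financial activity report for your perusal.")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder, not a real document\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real executable",
                       maintype="application", subtype="pdf", filename="2019 F.A.R.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("report.pdf.scr", b"MZ\x90\x00 constructed placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg


if __name__ == "__main__":
    for name, reasons in audit_message(build_sample_message()).items():
        print(name, "->", reasons or ["no finding"])
```

Only the last extension decides what a double-click does, and the declared Content-Type is whatever the sender typed, so the sniffed bytes are the one signal here the sender does not fully control; the archive walk exists because the executable is usually one layer down.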

~~~
_asummers
My read was not "trust From" but more "be distrustful when from does not
align". Perhaps users will take the former from this, but my understanding of
this exercise was more spotting negatives than spotting positives.

------
ken
It says PDF is a potential attack vector. Have there been any attacks on
Preview.app, since it became sandboxed?

~~~
baroffoos
I think it's referring to Adobe Reader, which allows PDFs to run arbitrary code
as well as 100000 other anti-features.

------
tapland
This works very similarly to HoxHunt: [https://tech.eu/brief/finnish-startup-hoxhunt-secures-e2-5-m...](https://tech.eu/brief/finnish-startup-hoxhunt-secures-e2-5-million-for-its-cybersecurity-gamification-platform/)

------
rsaraceni
I was really surprised that they could embed a tinyurl inside a google url. Got
6 / 8.

------
dustinevan
Wait. So why didn't google just put this on a subdomain? It's a phishing quiz
at a phishy domain, and the first thing that happens on iphone is it asks for
your name and email (instructions are covered up)

------
iambateman
Cool idea confounded by the reality that many many people notice phishing on a
quiz who would not notice in ordinary life.

------
alex_young
Anyone else think the domain for this seems suspect? Why not just use
google.com? This is pretty meta.

------
Angostura
withgoogle.com is clearly a phishing domain.

