
If malware authors ever learn how to spell we're all screwed - bdfh42
http://www.hanselman.com/blog/IfMalwareAuthorsEverLearnHowToSpellWereAllScrewedTheComingHTML5MalwareApocalypse.aspx
======
csmeder
Simple solution for tech savvy users. All system prompts should include a
photo of a user-selected image. If the incorrect image is displayed you know
it's a scam.

For example when I install Windows 8 or Mountain Lion one of the first prompts
I must address is:

    "Please choose an image to help you identify
    valid system prompts"

The user is then presented 10 images (a tiger, a house, a moose, etc) from a
library of 10,000 images.

    "The user decides to use an image of a tiger"

Next time a user gets a system prompt if the system prompt doesn't have the
picture of a tiger they know it's a fake prompt.

See site key: <http://en.wikipedia.org/wiki/SiteKey>

~~~
astral303
Tech savvy users are not the main problem in malware.

The whole SiteKey/tiger image solution only gives you an illusion of the
solution. What happens when the system displays "System error, unable to
display the image?" How will a convincingly-written error message prevent your
average gullible or below-average competence computer user from logging in to
a phishing site?

Think of how many things can go wrong on a computer. Think of every time when
someone asked you why something works one way in this situation, but another
way in another situation, and you had to use a technical explanation (excuse,
really) for that inconsistency. Computing is full of that. Until we get to a
place where people can actually TRUST and expect consistent behavior in their
computing devices, the SiteKey/tiger will be well circumventable.

As far as I'm concerned, SiteKey is a brilliant business idea for selling to
satisfy the regulatory two-factor requirement, but a terrible idea in
practice.

~~~
avocet
Take a cue from banks, and add a "confidence word". The user enters a special
phrase such as "myspecialword". If "myspecialword" does not appear in the
corner of the dialog box, they will know it's fake. I doubt there would be
many technical issues that would prevent a simple phrase like that from
displaying in the corner of the box.

~~~
huhtenberg
What if it shows "PHP Parse error: syntax error, unexpected T_VARIABLE in ..."
where the confidence word should be? Or better yet "ConfidenceWord database is
empty" - something pseudo-techy that clearly implies a temporary f#ckup on
bank's side.

~~~
pbz
Hopefully they have a better system so that if anything breaks on the page,
the returned result is an error page / code.

~~~
zck
The problem is not if the bank's site breaks; the problem is what happens when
a phishing site displays "error: connection to ConfidenceWord database
failed". What percentage of users will say "oh, the bank's site is messed up;
let's go in anyway"? A high percentage.

~~~
johnchristopher
I hardly believe any technical solution on the bank's website is going to
prevent any phishing site from mimicking it. People have to learn to recognize
phishing sites and electronic communications phishing tactics just like they
have to learn to spot fake ATMs.

Frankly, I believe it's not something you can make happen. I remember a story
here not long ago about honeypots in China and businessmen getting full
briefing and warnings by the MI5 before leaving the UK and some would still
leave their computers and smartphones powered on near the bed. I think it's
the same with some users: they just don't learn and never will (I have another
theory that states they don't want to learn anything about computers and that
it should magically read their minds but I always end up cursing when I try to
explain it and besides it's not the point :).

------
mseebach
Probably an instance of this?

 _[T]he obvious giveaways are used as a pre-qualifier, to ensure with the
least possible effort that the ONLY people who respond to the scammers'
initial mass mailings (and therefore have to be brought along individually
during the later stages) are the absolutely most gullible, ignorant,
susceptible, suckers they can find._

[http://www.quora.com/Scams/Why-are-email-scams-written-in-br...](http://www.quora.com/Scams/Why-are-email-scams-written-in-broken-English/answer/David-S-Rose)

~~~
eridius
I thought that too, but it doesn't apply. This is malware. It doesn't need
someone to be gullible beyond the click of the button. Scams, on the other
hand, require actually convincing the mark to send money, which is why they
need to be sure they have a gullible person on the hook.

~~~
simonbrown
It's their button, why would they need the user to click it? I guess it could
be clickjacking, but there must be an easier way to do that.

~~~
bartl
>It's their button, why would they need the user to click it?

Because JavaScript is allowed to do more, like show popup windows, if it
happens in an onclick event of a button.

------
arriu
_One day these things won't be "selectable" to prove to us that they are HTML_

Selection is probably not the best way to check whether something is browser
content...

    -webkit-touch-callout: none;
    -webkit-user-select: none;
    -khtml-user-select: none;
    -moz-user-select: none;
    -ms-user-select: none;
    user-select: none;

~~~
gergles
Why does this parameter exist? What possible legitimate use could you have for
disabling selection?

~~~
nixterrimus
I've thought about this quite a bit. As HTML applications continue to evolve
we should make them feel "appish". Things like selectable buttons take the
user away from experiencing the app. Also graph labels shouldn't be selectable.

One of the big ideas of the web is selectable content. However UI elements
shouldn't be included in this set.

I've written a little more about this (with some screenshots to illustrate my
thinking) here: [http://blog.dcxn.com/2012/02/29/selectable-elements-are-driv...](http://blog.dcxn.com/2012/02/29/selectable-elements-are-driving-me-crazy-heres-how-to-fix-it/)

~~~
Periodic
A simple example is an image-cropping system. The user has to click and drag.
If you don't disable the selection and the user clicks in just a slightly
wrong way they can end up selecting or dragging the image, which looks totally
wrong for someone who wanted to select a region of an image. Both actions have
the same user input (click, drag, release) but your intent is that it have a
very different behavior than the browser default.

------
hxa7241
Never respond. Always take the initiative.

If something _asks_ you about update/downloading/etc., reject it. _You_ decide
what to do and when, and _you_ type the URL into the browser, or go to the
normal menu/dialog/tool for updating.

(This is partly why Chrome browser is right and the normal approach is wrong:
if/when it needs update, it just does it.)

~~~
fromhet
That may work for people who think in terms of computer security, but not for
the average user who is interested in just using the webapps.

------
alister
The OP's point is that displayed content can be made to be indistinguishable
from visual elements of the browser _even for technically sophisticated users_
in the near future.

This reminds me of login spoofing of yesteryear. How do you know if the login
prompt on a shared computer or terminal is really from the OS or is a user-
level program trying to steal passwords?

The usual solution was to hit a special attention key--like the "break" key
under UNIX or Ctrl/Alt/Del for Windows--that user-level programs could not
intercept.

Could we use the same idea here? Holding the "break" key will highlight
genuine messages from the browser or the OS.

~~~
csmeder
Easy solution. Logging in takes two passwords. After you enter your first
password (first 8 chars of your 16-char password) you are presented with an
image of a Tiger. You now trust the system. (The picture of a tiger was your
secret image). You now enter your second password (the remaining 8 chars of
your 16-digit password).

See site key: <http://en.wikipedia.org/wiki/SiteKey>

~~~
gerts
SiteKey is completely susceptible to Man-in-the-middle (unless the user is a
scrupulous cookie-manager and refuses to re-authenticate a computer more than
once), so adds minimal value over regular SSL.

~~~
jaylevitt
SiteKey is also trivially vulnerable to the attack known as "I bet you didn't
remember that this page should show you a SiteKey."

------
drzaiusapelord
The problem is that the people who click on these also have lousy grammar and
don't notice, don't care, or won't actually read all of the text.

There's only so much we can do if the end user refuses to think. I suspect a
lot of these people will be migrating to locked down/walled garden devices
soon anyway.

~~~
mattmanser
One of the programs I inherited once had been written by a programmer who
loved alert boxes of the form 'Are you sure you want to Delete X'.

I was watching a user a month or so afterwards to notice they just pressed
enter every time an alert box popped up, immediately, without reading and
without thought.

Alerts on computers aren't there to be read any more. They're confusing
annoyances that you just click yes to. They're usually badly written in that
they tell a normal person nothing, they're without context and usually
ultimately exist because a programmer was prevaricating on making a decision.

We nagged our users too much as programmers; to turn around and blame them for
not thinking is a sublime irony given that we were the ones not thinking and
constantly asking for reassurance that it was us not making a mistake.

~~~
Osmose
Instead of using alert boxes to confirm that a user wants to perform a
destructive operation, you should support undoing the change after it's done,
perhaps for a limited time.
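
One way to build the "undo for a limited time" pattern this comment recommends, written as an added example (this is not code from the thread or from any product mentioned in it): the destructive step is scheduled rather than confirmed up front, the UI can show an Undo control while the grace period runs, and the commit only happens if nobody undoes in time. The `FakeTimers` helper and the `graceMs` option are assumptions of this example so the behaviour can be walked through deterministically.

```javascript
// Added example: delete-with-undo-window instead of an "Are you sure?" dialog.
// Deletion is scheduled; commit runs only if the grace period passes without undo.
// Timers are injectable (assumption: an object with setTimeout/clearTimeout).

class UndoableDeleter {
  constructor(commit, { graceMs = 5000, timers = { setTimeout, clearTimeout } } = {}) {
    this.commit = commit;      // function (id, item) that really performs the deletion
    this.graceMs = graceMs;    // how long the user has to change their mind
    this.timers = timers;
    this.pending = new Map();  // id -> { item, handle }
  }

  // Schedule deletion of `item`; the returned id is what an Undo control would hold.
  requestDelete(id, item) {
    if (this.pending.has(id)) return id;
    const handle = this.timers.setTimeout(() => this.finalize(id), this.graceMs);
    this.pending.set(id, { item, handle });
    return id;
  }

  // Cancel a scheduled deletion; false if it already committed or never existed.
  undo(id) {
    const entry = this.pending.get(id);
    if (!entry) return false;
    this.timers.clearTimeout(entry.handle);
    this.pending.delete(id);
    return true;
  }

  // Grace period expired: actually delete.
  finalize(id) {
    const entry = this.pending.get(id);
    if (!entry) return false;
    this.pending.delete(id);
    this.commit(id, entry.item);
    return true;
  }

  isPending(id) {
    return this.pending.has(id);
  }
}

// Deterministic stand-in for the browser's timers (constructed for this example):
// advance(ms) fires every callback whose due time has been reached.
class FakeTimers {
  constructor() { this.now = 0; this.queue = []; this.next = 1; }
  setTimeout(fn, ms) {
    const h = this.next++;
    this.queue.push({ h, at: this.now + ms, fn });
    return h;
  }
  clearTimeout(h) { this.queue = this.queue.filter((t) => t.h !== h); }
  advance(ms) {
    this.now += ms;
    const due = this.queue.filter((t) => t.at <= this.now).sort((a, b) => a.at - b.at);
    this.queue = this.queue.filter((t) => t.at > this.now);
    for (const t of due) t.fn();
  }
}

// Scenario: user deletes two items, undoes one inside the window, lets the other expire.
function demo() {
  const deleted = [];
  const timers = new FakeTimers();
  const deleter = new UndoableDeleter((id, item) => deleted.push(item), { graceMs: 5000, timers });

  deleter.requestDelete('a', 'report.xlsx');  // click Delete on A
  deleter.requestDelete('b', 'photo.png');    // click Delete on B
  timers.advance(2000);
  deleter.undo('a');                          // changes mind about A in time
  timers.advance(4000);                       // B's window expires, commit runs
  return { deleted, aPending: deleter.isPending('a'), bPending: deleter.isPending('b') };
}

console.log(demo());
```

Because nothing is asked before the action, there is no dialog to click through reflexively; the cost of a wrong click is bounded by the grace period, and the commit is the only place that needs care.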

------
merraksh
_There's no option other than "Clean computer." No ignore, repair,
quarantine._

Note to malware coders: add ignore, repair, quarantine buttons that run the
same code.

~~~
sp332
Also note that Symantec doesn't have an "ignore" option anymore!

------
tlrobinson
I forget what the term for it is, but there's a principle that any dialog
that's asking the user for credentials or authorization must be clearly
delineated from the rest of the UI and thus "unspoofable".

The example I recall was a "ribbon" in the OS that slides out to reveal the
dialog. If a dialog presented itself but the ribbon remained along the edge
you could immediately tell it was spoofed. Of course this requires the OS not
allow untrusted code to reposition/hide the ribbon or present a full screen
display without prompting the user.

Another example is that iOS grays out the background (including the status bar
at the top) when presenting a modal password prompt. However this could easily
be spoofed by a full screen native app. The only way to solve that is to
require authorization to enter full screen mode.

Browsers are improving. At least Chrome shows the URL at the top of all popup
windows. Entering full screen mode requires user authorization.

That of course doesn't solve the OP's problem of spoofing a floating window
purely inside a webpage, but that really needs to be solved at the OS level.

~~~
recoiledsnake
You mean like the Vista and Win 7 UAC screen?

<http://www.micro-isv.asia/img/win7uac.png>

~~~
FreeFull
What would prevent someone from spoofing this? (other than there being no
apparent reason to spoof it)

~~~
juhanima
Except for the apparent reason of fooling a user to confirm something he/she
is not aware of?

Anyway, asking security questions from the end user is always a bad choice.
There is an excellent paper about it by Ka-Ping Yee:

[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.9.4...](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.9.4449&rep=rep1&type=pdf)

But then of course, to relieve users from the burden of making security
decisions one needs the whole chain of authentication of executables, access
control and a trust system to dispense privileges.

EDIT: a better link to Yee's paper

~~~
tedunangst
Except you don't confirm anything. A fake UAC doesn't have any magic powers,
nor can it pass your click on to the real UAC.

The problem UAC solves is that you click on a harmless dialog, but suddenly an
important dialog is swapped in under your mouse. A fake UAC can't do that.

------
zvrba
That's what happens when programmability (JavaScript, Java, Flash, plugins...)
is added to a presentation format (HTML). Maybe this is the right time to
revive Gopher and give Usenet a fresh breath of life.

------
andybak
In moments of distraction I've had a couple of near-misses where I nearly
clicked on malware.

But when I'm trying to explain to my dad how to know what to trust and what
not to trust I realise it's completely hopeless. You can fake almost
everything that a non-techie would know to check.

~~~
its_so_on
Ever think to link to a file (e.g. Excel spreadsheet) for a forum, like you
can for an image with imgur?

Other than Dropbox public URLs, the services that exist have so many images
with the word "Download" in the resulting link, all of which look exactly like
a UX element, that you have to click about half of them or play Sherlock
Holmes to uncover the real download link. It's like a scratch-off lottery.

~~~
simonbrown
You could get a hosting account (e.g. NearlyFreeSpeech or S3) and hotlink to
them. I guess people don't often intentionally click ads when downloading
files, unlike viewing images, so setting up a free file host isn't profitable.

------
taejo
The spelling heuristic doesn't work very well in much of the world. I live in
a country where English is the primary language of commerce, government, etc.
but only very few people (I think less than 5%) speak it at home. So the
people writing the genuine banking websites, etc. are almost as likely to make
mistakes as the phishers.

------
robert_nsu
He's right. Most of the time, the things that tip me off are the misspelled
words and poor grammar; also, the conflicting information. For example,
getting an email message from Chase Bank with a signature from a Wells Fargo
employee. A lot of people are one well-versed phisher away from losing a lot of
time and money.

~~~
danielweber
Once I got a letter from Bank Of America that they had noticed weird activity
on my home equity line of credit, with a weird phone number to call to talk.
No one answered that number, and I don't have an equity line.

It turns out the letter really did come from BoA.

EDIT: and once Chase sent me a letter telling me to reply by September 31.
[http://danweber.blogspot.com/2009/08/chase-does-it-again.htm...](http://danweber.blogspot.com/2009/08/chase-does-it-again.html)

~~~
CWuestefeld
Back when "Verified by Visa" first came out, and I first saw such a page, I
called my credit card company to see what was up.

The customer service people at the card had no clue what was going on. They'd
never heard of it either. They told me they'd escalate the question to a
manager and call me back, but they never did.

------
superasn
This is a rather sophisticated scam indeed. Unfortunately you don't need such
a level of sophistication when it comes to non-tech users or, as the OP puts
it, his "Mom", because for them even a banner ad which says "you have one
message waiting" or the ever popular "emoji in email" works equally well.

------
mgkimsal
I've suggested for years now that someone could make a killing selling
copywriting services to spammers. Poor spelling, bad fonts, random crap, etc -
these are all the hallmarks of spam which makes it easy to classify as spam.
Well-written, intelligent-sounding, professionally-produced spam would likely
get past more filters, and be harder for people to dismiss out of hand, and
likely get more sales.
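
The two "tells" discussed in this thread (taejo's and mgkimsal's point that the spelling heuristic is weak, and robert_nsu's "conflicting information" such as a Chase email signed by a Wells Fargo employee) can be turned into a crude scorer to see exactly where they stop helping. The following is an added example, not code from the thread or from any mail filter; `KNOWN_WORDS`, the `BRANDS` list, the 0.15 threshold and the three sample messages are all constructed for illustration.

```javascript
// Added example (constructed): score messages on a misspelling ratio and on a
// sender/brand mismatch, then run it over sample phishing texts. KNOWN_WORDS is
// a tiny stand-in for a real dictionary; the 0.15 threshold is arbitrary.

const KNOWN_WORDS = new Set((
  'dear customer your account has been suspended please verify identity at the ' +
  'link below within hours thank you for banking with us regards security team ' +
  'we noticed unusual activity on click here to review'
).split(' '));

// Brand names that may legitimately appear in a bank message (constructed list).
const BRANDS = ['chase', 'wells fargo', 'bank of america'];

// Lower-case, drop brand names (they are not dictionary words), split into tokens.
function tokenize(text) {
  const stripped = BRANDS.reduce((t, b) => t.split(b).join(' '), text.toLowerCase());
  return stripped.match(/[a-z']+/g) || [];
}

// The "bad spelling" tell: fraction of tokens not found in the dictionary.
function misspellingRatio(text, dictionary = KNOWN_WORDS) {
  const words = tokenize(text);
  if (words.length === 0) return 0;
  const unknown = words.filter((w) => !dictionary.has(w));
  return unknown.length / words.length;
}

// The "conflicting information" tell: the sender claims one bank while the
// body or signature names a different one.
function brandMismatch(fromName, body) {
  const claimed = BRANDS.find((b) => fromName.toLowerCase().includes(b));
  if (!claimed) return false;
  const mentioned = BRANDS.filter((b) => body.toLowerCase().includes(b));
  return mentioned.some((b) => b !== claimed);
}

function scoreMessage(msg) {
  const ratio = misspellingRatio(msg.body);
  const mismatch = brandMismatch(msg.from, msg.body);
  return {
    misspellingRatio: Number(ratio.toFixed(2)),
    brandMismatch: mismatch,
    suspicious: ratio > 0.15 || mismatch,
  };
}

// Constructed samples: a sloppy phish, one with a brand mismatch, and a
// polished one that neither heuristic catches.
const SAMPLES = {
  sloppy: {
    from: 'Chase Bank',
    body: 'Dear custmer, your acount has been suspnded. Please verfy your identity at the link below.',
  },
  mismatch: {
    from: 'Chase Bank',
    body: 'Dear customer, your account has been suspended. Please verify your identity ' +
      'at the link below. Regards, Security Team, Wells Fargo',
  },
  polished: {
    from: 'Chase Bank',
    body: 'Dear customer, we noticed unusual activity on your account. Please verify ' +
      'your identity at the link below.',
  },
};

function runSamples() {
  const results = {};
  for (const [name, msg] of Object.entries(SAMPLES)) results[name] = scoreMessage(msg);
  return results;
}

console.log(runSamples());
```

The "polished" sample scores zero on both tells, which is the thread's point: once the copy is clean and internally consistent, a filter or a reader relying on these signals has nothing left to go on, and the check has to move to something the sender cannot polish, such as the actual link target or the sending domain.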

~~~
dhughes
Here on HN or maybe it was Reddit I read the misspellings in spam/phishing
were intentional to weed out anyone smart enough to detect it was a scam.

------
politician
A suggestion to browser vendors: add a key combo that will turn all of the
screen real estate managed by your browser into yellow diagonal stripes.

Then we just have to educate users to press this panic button whenever
something that looks like a popup is on screen. If it's a real popup, it'll do
the modal flash thing; otherwise the browser -- and everything in it -- turns
yellow.

~~~
simonbrown
Or just tell them to switch tabs. Another sign is that if a dialog was
actually showing, the browser window wouldn't look focussed.

e.g. on Windows the browser looks like this:

<http://i.imgur.com/nbn9K.png>

instead of this:

<http://i.imgur.com/7F3FD.png>

------
wildtype
Must be more shocking for Unix-like OS users if the "malware window" is displayed
as a plain X11 window, with the error message there.

------
bbrtyth
Malware authors have learned to spell -- many apps I install under the
mistaken assumption that they will not run background services or send
information back to the company, in fact do.

I also note that Dell's laptop division has a number of malware authors hard
at work.

------
gerts
This is why you don't run your computer using the default UI theme on the most
popular OS.

~~~
ams6110
Yeah exactly. I always set my theme to the most minimal, "classic", non-
effects, whatever options I can turn off. That way this kind of stuff really
stands out.

------
fghh45sdfhr3
Nah, you're already screwed. If you get to the point of the pop-up it is
already too late.

~~~
unimpressive
Don't see why this was downvoted. Once your opponent is executing arbitrary
JavaScript on your browser, there's no real reason for them to try tricking
you into clicking a link when they can just use one of the outstanding
security vulnerabilities for your browser to install malware.

------
Karunamon
Looks like trying to move the "popup" is a great way to defeat this kind of
thing for now.

Me: Okay mom, if you ever get a popup that you were not expecting, try to move
it outside of the browser before clicking on it. If you can't, it's fake.

Fairly simple, for now.

~~~
shanselman
Unless the entire image is a clickable hotspot that starts the next step in
the process of their evil. ;)

~~~
Karunamon
Can you do that? I.e. launch events on mouse down but not a full "click"?

~~~
ams6110
mousedown is an event yes. So is mouseover. I'm not even sure why any action
is necessary though. If you can present the popup, you can just feed a
<script> tag to the browser and do whatever the click was going to do, right?

------
CWuestefeld
Scott's right, of course.

But to the advantage of the good guys, anybody with the brains and discipline
to do a better job of this kind of thing is much more likely to be able to
make a better living honestly than through fraud and deception.

~~~
kylebrown
I don't think the business of selling "single mom makes $700/day online"
business plans is an honest living, but judging from the amount of ads and
comment spam at least a few people are making a living at it (and google of
course takes a nice cut as well). From what I've read, even though it converts
better than online pharmacies and rogue anti-virus, you can get more traffic
to the latter two.

------
phleet
Reminds me of this: [http://www.azarask.in/blog/post/a-new-type-of-phishing-attac...](http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/) (the
demo of it is a bit outdated)

------
RedwoodCity
Malware is a numbers game. All you need is a few thousand older people that
don't know any better and you can have your password sniffer / botnet up
and running in no time.

While poorly written English is a red flag to some of us, not all computer
users are native speakers of English, even in English-speaking countries. They
are much less likely to notice usage and spelling errors.

------
stcredzero
_> Should we digitally sign HTML5 apps?_

Yes. That's better than nothing.

~~~
simonbrown
Well, you can already do that through extended validation. I'm not sure
requiring it would be desirable, and doing this would need a better reason
than it being better than nothing.

The philosophy of HTML5 seems to be allowing applications to do a lot of things
which don't require much trust to be placed in them (and most applications
don't need much), rather than security through asking the user's permission
(e.g. most desktop OSs), when they are unlikely to have much idea which
developers they should trust, or through accountability/review (e.g. iOS),
which adds barriers to entry.

