Clever social engineering. A malicious web page that tells you it's malicious. - FSecurePal
http://www.f-secure.com/weblog/archives/00002051.html

======
nlh
So much of the protection from this sort of attack has to do with user
training (or the lack thereof). We need the same sort of PR campaign / public
service messages that aim to reduce drunk driving, lack of seat belts, etc.

And before you scoff at that, think of the economic cost of letting folks get
"trojan'd" -- this helps build botnets, which have a measurable negative
social impact on the Internet -- more spam, financial fraud, DDoS attacks,
etc. Obviously not as severe as drunk driving deaths, but worthy of prevention
nonetheless.

I know I'm trained -- I look at that "OK" button on the install dialog and my
stomach churns. But others don't have this geek instinct, and that should be
corrected.

~~~
extension
What exactly would you train them to do? It has to be comprehensible by
laypeople and distilled down to a single mantra.

So many security related interactions have backfired already, like this one.
Is there one simple, straightforward principle that users could follow that
will always work, and will keep working long into the future? I doubt it.

------
trebor
I know a good number of people who would fall for this. Very clever to imitate
the warning, I must say.

------
evoltix
It would be even worse if the malicious site was an exact copy of the true
Firefox block page. So, when the user clicked on "Get me out of here!" it
would prompt to install the rogue AV.

------
EGreg
That's what you get when your WARNING screen looks exactly the same as a
screen that a website or app can cause you to display.

I have always wondered how the Mac OS password screen works (you know, the one
where you are supposed to enter your system password). What if an app spoofs
it? How would the user know the difference visually?

~~~
oconnor0
Doesn't that same problem exist with all password screens?

~~~
AlexMuir
That's why Windows (optionally) requires you to press Ctrl+Alt+Del to log in.

~~~
agscala
I'm ashamed to say I've never been anything but annoyed at that feature until
now.

~~~
wrs
As always, greater security equals greater annoyance.

------
dean
I don't know. The first thing that occurred to me on viewing the warning is
that Firefox is working as expected -- it is warning me about a malicious
site. So why is it asking me to download updates when it appears to be working
correctly? It's a contradiction. But maybe that's just me.

~~~
extension
What the typical victim thinks is probably something along the lines of "I'm
already in trouble, I better just do what the authorities tell me to do before
I make it any worse."

Most people (still!) don't question authority and there is a picture of a
policeman right on the page, for gosh sakes!

The problem with making users afraid is that attackers will find a way to use
that fear against them. You can't scare people into thinking critically.

------
lelele
This attack would screw only Opera users. It would not work for users of IE
and Firefox and Chrome, who at least know to look for the signature checking,
because all such browsers will flag the downloaded executable such that
Windows will check its signature before running it.
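
A defender-side check of the mechanism lelele describes, added here as an example and not part of the thread: browsers write a Zone.Identifier alternate data stream (the "Mark of the Web") onto files saved from the Internet, and Windows consults it before running the file. The script below reads that stream with PowerShell's `Get-Item`/`Get-Content -Stream` and reports the file's Authenticode status via `Get-AuthenticodeSignature`; the file path is a placeholder argument, and the zone-name table is the standard URL security zone numbering.

```powershell
# Added example (not from the thread): inspect the Mark-of-the-Web a browser
# attached to a downloaded file and report the Authenticode status Windows
# consults. $Path is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Standard URL security zone numbering used in the ZoneId field.
$zoneNames = @{
    0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'Trusted'
    3 = 'Internet';     4 = 'Restricted'
}

function Get-MarkOfTheWeb {
    param([string]$FilePath)
    # The Zone.Identifier stream is an INI-style blob: [ZoneTransfer], ZoneId=N,
    # and, for recent browsers, HostUrl= / ReferrerUrl=.
    $stream = Get-Item -Path $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $info = @{}
    foreach ($line in Get-Content -Path $FilePath -Stream Zone.Identifier) {
        if ($line -match '^(\w+)=(.*)$') { $info[$matches[1]] = $matches[2] }
    }
    return $info
}

$motw = Get-MarkOfTheWeb -FilePath $Path
if ($null -eq $motw) {
    Write-Output 'No Zone.Identifier stream: the file is not marked as downloaded (or the mark was removed).'
} else {
    $zoneId = [int]$motw['ZoneId']
    Write-Output ("ZoneId={0} ({1})" -f $zoneId, $zoneNames[$zoneId])
    if ($motw.ContainsKey('HostUrl'))     { Write-Output ("HostUrl={0}" -f $motw['HostUrl']) }
    if ($motw.ContainsKey('ReferrerUrl')) { Write-Output ("ReferrerUrl={0}" -f $motw['ReferrerUrl']) }
}

# Authenticode: 'Valid' means a chain to a trusted root; 'NotSigned', 'HashMismatch'
# or 'UnknownError' is what a rogue "update" typically shows.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output ("Signature status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer: {0}" -f $sig.SignerCertificate.Subject)
}
```

Run it as `.\Check-Download.ps1 -Path 'C:\Users\me\Downloads\update.exe'` (placeholder path). A file with ZoneId 3 and a status other than Valid is exactly the case the thread is about: downloaded from the Internet and not signed by anyone Windows trusts.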

~~~
catshirt
If someone knows to look for a signature before running the file, I'd assume
they didn't download it in the first place.

~~~
lelele
Oh, no, you don't have to look for any signatures. Windows will look on your
behalf and warn you if needed.

------
danielnicollet
This is smart but nothing new in the sense that people have used fake
antivirus warnings, fake Windows error messages, etc. for years now to push you
to click on some sort of buttons which would then lead you to a binary install
with spyware.

~~~
larsu
Firefox's HTML warnings in the browser's content window seem to make this
particularly easy, though.

~~~
thorax
Yeah, I'd like to see these warnings move out of the HTML space and into the
chrome in some difficult to mimic fashion.

~~~
vog
This has already been happening for a long time. I remember some ad banners
which looked like message boxes or download dialogs in Windows XP style.

(... which were easy to spot for me, because I'm using a completely different
system)

~~~
larsu
You're right. But something like this would be harder to fake:
[http://www.mozilla.com/en-US/img/tignish/features/security-i...](http://www.mozilla.com/en-US/img/tignish/features/security-id.png)

~~~
frio
Yes and no. Mozilla's a bit screwed on this front, because they use XUL to
render their interface - and, critically, the browser can render XUL pages. I
don't have FF installed on this machine, but you should still be able to check
it out at <http://www.faser.net/mab/remote.cfm> to see a demo of the feature.

It's a pretty cool feature, but it means that on Firefox, attackers should be
able to emulate basically any chrome they want to.

~~~
LordLandon
To demonstrate, go to chrome://browser/content/browser.xul in Firefox.

------
tickle_me_elmo
I don't know which Alanis Morissette song the author is referring to.

~~~
westicle
At a guess?

"ironic"

