Yes, that’s a phishing technique. CORS, CSP, or CSRF tokens can’t prevent it.
---
bank.com can mitigate it by blocking my-bank.com IPs
---
This 2007 paper [1] is about the initial mitigation idea, which was using Extended Validation Certificates (EV SSL). The study showed that users didn't pay attention to the special UI address bar EV certs had. In 2018 Chrome removed that UI style [2]
Thank you for the reference! Would you mind seeing if you can reflect on my solution idea, which I’m questioning myself about? I filed a patent for it and mentioned it in a comment above. Please
[1] http://www.usablesecurity.org/papers/jackson.pdf
[2] https://www.ghacks.net/2018/05/18/google-chrome-removal-of-s...
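The comments above describe a lookalike domain (my-bank.com standing in for bank.com), which no browser-side control such as CORS, CSP or a CSRF token can stop, and which the site owner can only react to after the fact. As an added example, not code from any commenter in this thread, here is a Python triage heuristic a defender might run over newly observed hostnames (for instance from a certificate-transparency feed, an assumption here) to flag registrations that impersonate a brand. Only the brand name bank.com comes from the thread; the homoglyph table, the sample hostnames and the single-label-public-suffix assumption are constructed for illustration.

```python
import unicodedata
from typing import Dict, List, Optional

# Constructed homoglyph table: a few Cyrillic/Greek letters and digits that
# render like Latin letters. A real deployment needs a much larger table.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o er
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic es ha u i
    "\u03b1": "a", "\u03bf": "o",                                 # Greek alpha, omicron
    "0": "o", "1": "l", "3": "e", "5": "s",                       # digit substitutions
})


def decode_host(host: str) -> str:
    """Lowercase, strip a trailing dot and turn punycode (xn--) labels into Unicode."""
    labels = []
    for label in host.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep as-is, it is still compared below
        labels.append(unicodedata.normalize("NFKC", label))
    return ".".join(labels)


def fold_homoglyphs(host: str) -> str:
    """Map confusable characters onto the Latin letters they imitate."""
    return host.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, brand: str = "bank.com", max_edits: int = 1) -> Optional[str]:
    """Return why `candidate` impersonates `brand`, or None if it does not.

    Assumption: the public suffix is a single label (.com, .net), so the
    registered domain is the second-to-last label. Production code should
    consult the Public Suffix List instead.
    """
    raw = decode_host(candidate)
    brand = decode_host(brand)
    if raw == brand or raw.endswith("." + brand):
        return None                                   # the brand or its own subdomain
    folded = fold_homoglyphs(raw)
    if folded == brand or folded.endswith("." + brand):
        return "homoglyph spoof of brand"             # e.g. b\u0430nk.com (Cyrillic a)
    brand_label = fold_homoglyphs(brand).split(".")[0]
    labels = folded.split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]
    if registrable == brand_label:
        return "brand label on a different TLD"       # e.g. bank.net
    if brand_label in labels[:-2]:
        return "brand used as a subdomain of another domain"     # e.g. bank.com.evil-site.net
    if brand_label in registrable:
        return "brand name embedded in the registered domain"    # e.g. my-bank.com
    if levenshtein(registrable, brand_label) <= max_edits:
        return "registered domain within edit distance of brand"  # e.g. banc.com
    return None


def triage(hostnames: List[str], brand: str = "bank.com") -> Dict[str, str]:
    """Return {hostname: reason} for every hostname that looks like `brand`."""
    flagged = {}
    for host in hostnames:
        reason = lookalike_reason(host, brand)
        if reason:
            flagged[host] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample: hostnames as they might arrive from a CT-log feed.
    sample = [
        "bank.com", "login.bank.com", "example.com",           # benign
        "my-bank.com", "banc.com", "bank.net",
        "bank.com.evil-site.net",
        "b\u0430nk.com".encode("idna").decode("ascii"),        # punycode form of the Cyrillic spoof
    ]
    for host, why in triage(sample).items():
        print(f"{host:32} {why}")
```

The output of such a heuristic is a triage queue, not a block list: "bank" embedded in a registered domain also matches legitimately named sites, so a human (or a takedown process) should confirm before acting, and the IP blocking suggested in the thread applies only once a proxying site has been confirmed.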