Improving Native Message Host Reliability on Windows

Last Update: May 24, 2023 —UPDATE— Chrome postponed this change, re-releasing v113 without it :'( Edge also removed the change in v113.0.1774.42. The plan is to eventually turn it on-by-default, so extension authors really should read this post and update their extensions if needed. The feature was relanded inside Chrome Canary version 115.0.5789.0. It’s off-by-default,Continue reading “Improving Native Message Host Reliability on Windows”

Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my

The average phishing site doesn’t live very long– think hours rather than days or weeks. Attackers use a variety of techniques to try to keep ahead of the Defenders who work tirelessly to break their attack chains and protect the public. Defenders have several opportunities to interfere with attackers: Each of these represents a weakContinue reading “Attack Techniques: Open Redirectors, CAPTCHAs, Site Proxies, and IPFS, oh my”

Q: “Remember this Device, Doesn’t?!?”

Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up with that? A: Unfortunately, there’s no easy answer here. There is no browser standard forContinue reading “Q: “Remember this Device, Doesn’t?!?””

Attack Techniques: Blended Attacks via Telephone

Last month, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. Another approach for conducting an attack like this is to send a lure which demands that the victim complete the attackContinue reading “Attack Techniques: Blended Attacks via Telephone”

Couch to Half Marathon: Closing My First Year of Running

On February 11th, 2022, I took my first jog on my new treadmill, a single mile at 5mph. I’d been taking three mile walks for a couple weeks before, but that jog just under a year ago was my first workout over 4mph. Yesterday, I ran the 3M Half Marathon in Austin, crossing the finishContinue reading “Couch to Half Marathon: Closing My First Year of Running”

Defense Techniques: Reporting Phish

While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try to steal money and personal information from the less tech-savvy among us. I have hadContinue reading “Defense Techniques: Reporting Phish”