While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try to steal money and personal information from the less tech-savvy among us. I have hadContinue reading “Defense Techniques: Reporting Phish”
Category Archives: security
Attack Techniques: Priming Attacks on Legitimate Sites
Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from http and https urls that are subject to reputation analysis. A third attack technique is to send a lure that entices a user to visit a legitimate site and perform an unsafe operation onContinue reading “Attack Techniques: Priming Attacks on Legitimate Sites”
Attack Techniques: Phishing via Mailto
Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode the attack within a mailto URL, because anti-phishing scanners and email clients rarely apply reputationContinue reading “Attack Techniques: Phishing via Mailto”
Attack Techniques: Phishing via Local Files
One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins by the victim receiving an email lure with a HTML file attachment (for me, often with the .shtml file extension): When the user opens the file, a HTML-based credential prompt isContinue reading “Attack Techniques: Phishing via Local Files”
TLS Certificate Verification Changes in Edge
Last Updated August 21 2023: When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows delegated this validation task to APIs in the operating system, layering a minimal set ofContinue reading “TLS Certificate Verification Changes in Edge”
Mark-of-the-Web: Additional Guidance
I’ve been writing about Windows Security Zones and the Mark-of-the-Web (MotW) security primitive in Windows for decades now, with 2016’s Downloads and MoTW being one of my longer posts that I’ve updated intermittently over the last few years. If you haven’t read that post already, you should start there. Advice for Implementers At this point,Continue reading “Mark-of-the-Web: Additional Guidance”
“Not Secure” Warning for IE Mode
A customer recently wrote to ask whether there was any way to suppress the red “/!\ Not Secure” warning shown in the omnibox when IE Mode loads a HTTPS site containing non-secure images: Notably, this warning isn’t seen when the page is loaded in modern Edge mode or in Chrome, because all non-secure “optionally-blockable” resourceContinue reading ““Not Secure” Warning for IE Mode”
HTTPS Goofs: Forgetting the Bare Domain
As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like. Unfortunately, there’s another common case, whereby the user simply types your bare domain name (example.com) in the browser’s address bar without specifying https:// first. For decades, manyContinue reading “HTTPS Goofs: Forgetting the Bare Domain”
Attack Techniques: Notification Spam
A colleague recently saw the following popups when using their computer: Because they seemed to come from nowhere in particular, they seemed credible– either Windows itself had detected a virus, or perhaps their computer was infected with malware and it caused the popups? The reality is more mundane and more much more common. These areContinue reading “Attack Techniques: Notification Spam”
Passkeys – Syncable WebAuthN credentials
Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security with multi-factor authentication (e.g. one-time codes via SMS, ToTP authenticators, etc) and usability improvements (e.g.Continue reading “Passkeys – Syncable WebAuthN credentials”
text/plain 