Visual Spoofing And The Art of The Sting
Here’s a potential scam that raises the bar — and alarum bells — for everyone. It’s already got a name: Visual Spoofing.
It works like this (I think): in ordinary phishing, the ne’er-do-wells disguise a web address so you think you’re at a legitimate site (your bank, say, or PayPal) when you’re really at their sleazy password-grabbing site. Visual spoofing goes one step further. Why bother disguising the address when you can fake everything? And I mean everything: the address bar, the lock, the lot.
The man who developed the idea is Don Park, and he’s posted a demo on his website to show what phishers could do. A window pops up that looks like a PayPal site, much as a normal scam might, but it looks more authentic: the website address looks solid, and there’s a lock in the bottom right-hand corner to suggest the connection is secure. The catch is that all the main bits of it are fake. They are images of locks and images of website addresses (or at least the box that contains the address text is an image). It’s like a mirage, or a Potemkin Village, or a website. Nothing of what you see is real.
Don puts it like this: “Most of the readers who saw the demo thought of it as a hole in the browser code. Yes, there is a hole in the browser, one that allows scripts to hide and replace key UI components such as the toolbar used to display the URL of the page and the statusbar used to display the golden lock. But there is also a hole in our brain…”
He goes on: “You see, the computer screen you are seeing this post with is actually showing just a rectangular array of pixels. There is no such thing as windows or buttons. Instead, there are pixel patterns we call windows or buttons. It is us, the users, who associate the idea of windows and buttons with those patterns of pixels.”
It’s a scary proposition. It’s like the fake betting shop in The Sting, or any number of movies (The Recruit, Mission Impossible) in which the mark is convinced that what he is seeing, the place he is in, is real. What Don has shown us is that because we look for familiar things on a web page (a URL bar, a status bar at the bottom, forward and back buttons) we feel comfortable when we see them. Only they’re not real. As Daniel McNamara of Code Fish put it to me: “Nothing is being exploited other than the human mind.”
It’s only a matter of time before the real bad guys, as opposed to the good guys, start playing around with this. Daniel again: now that Microsoft has plugged one of the main holes phishers used (burying the real website address at the end of a long string of gobbledygook in the URL), “this may be the new evolution stage of phishers”.
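To make the mechanism concrete, here is an added example in JavaScript; it is not Don Park’s demo code and is not taken from this post. It shows the two halves of a 2004-era visual spoof (the window.open() feature string that asks the browser to drop its toolbar, address bar and status bar, and the HTML that paints a fake address bar and lock inside the popup) alongside a small defender-side check that reports which browser chrome a feature string hides. The displayed address, the lock image path and the popup size are made-up placeholders. Current browsers keep some form of the real address bar visible in popups no matter what the feature string says, which is the browser-side fix for exactly this trick; the check is still useful for spotting old-style spoof kits in captured pages.

```javascript
// Added example, not Don Park's demo and not code from the post.
// Hypothetical values: the displayed address, the lock image path and the
// popup size are placeholders; nothing here contacts a real site.

// Browser chrome that a window.open() features string can ask to hide.
const CHROME_FEATURES = ['toolbar', 'location', 'status', 'menubar'];

// Attacker side, step 1: the features string. In the browsers of the day,
// location=no removed the real address bar and status=no removed the real
// lock. (Current browsers keep some form of the address bar visible anyway.)
function buildPopupFeatures(width, height) {
  return CHROME_FEATURES.map(f => f + '=no')
    .concat(['resizable=no', 'width=' + width, 'height=' + height])
    .join(',');
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, c => map[c]);
}

// Attacker side, step 2: the HTML painted inside the popup. The "address bar"
// is a styled <span> holding whatever text the attacker chooses, and the
// "lock" is an ordinary <img> pinned to the bottom-right corner. None of it
// is browser chrome, which is the whole point of the trick.
function buildFakeChrome(displayedUrl, lockImage) {
  return [
    '<div id="fake-toolbar" style="background:#ddd;padding:4px;font:12px sans-serif">',
    '  Address: <span style="display:inline-block;width:70%;border:1px inset #999;',
    '  background:#fff;padding:2px">' + escapeHtml(displayedUrl) + '</span>',
    '</div>',
    '<div id="page"><!-- copy of the real login form goes here --></div>',
    '<div id="fake-statusbar" style="position:fixed;bottom:0;right:0;padding:2px">',
    '  <img src="' + escapeHtml(lockImage) + '" alt="lock" width="16" height="16">',
    '</div>',
  ].join('\n');
}

// Attacker side, step 3: open the bare popup and write the fake chrome into
// it. Only meaningful in a browser; under Node there is no window, so it
// returns null and does nothing.
function launchSpoof(displayedUrl, lockImage) {
  if (typeof window === 'undefined') return null;
  const popup = window.open('', 'login', buildPopupFeatures(780, 560));
  popup.document.write(buildFakeChrome(displayedUrl, lockImage));
  return popup;
}

// Defender side: which chrome does a features string hide? The subtle rule a
// naive grep for "location=no" misses: in the browsers of the day, once the
// string named *any* feature, every chrome feature it did not mention
// defaulted to off, so plain "width=400,height=300" hid the address bar too.
function hiddenChrome(features) {
  const spec = {};
  for (const pair of features.split(',')) {
    const [key, value] = pair.split('=').map(s => s.trim().toLowerCase());
    if (key) spec[key] = value === undefined ? 'yes' : value; // bare "toolbar" means on
  }
  if (Object.keys(spec).length === 0) return [];               // empty string: normal window
  return CHROME_FEATURES.filter(f => !/^(yes|1|true)$/.test(spec[f] || ''));
}

// The one that matters for this scam: is the real address bar being hidden?
function isChromeSuppressing(features) {
  return hiddenChrome(features).includes('location');
}
```

The defender-side check is the part to keep: a proxy or page linter that flags scripts calling window.open() with a chrome-suppressing features string, and then writing a login-looking form into the popup, catches this family of spoof regardless of which logo or lock image it paints.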
13. February 2004 by jeremy
Categories: Scams | Tags: bank, Daniel McNamara, Don Park, Microsoft Corporation, PayPal Pte. Ltd., phishing, sleazy password-grabbing site, social engineering, The Recruit, The Sting | 2 comments