HTML5 Overlays now convincingly masquerading as real Windows for Social Logins

Learn how user interface standards have now made phishing attempts more complicated to spot

Episode #9-27 released on February 17, 2019


Phishing scams are a huge problem online, and the problem just got worse for everyone, even for the well informed. It isn't just a problem for individuals; it affects businesses as well. And solving the epidemic online may be more complicated than just being careful: you might have to fundamentally understand how web-sites and applications are made.

With the shift to one-click logins using our social network accounts, or using our social network profiles to manage our profiles, we have created a safer way to create accounts, but also painted a target on the very technique meant to secure our lives. The biggest problem on the Internet is the use of usernames and passwords and all the technology related to that. Even without an explicit bug in any web-site, spear phishing attempts can be used to intercept the username, password, cookies, etc. of any person online, including tricking people into entering their one-time-use token into these fake web-sites. This compromises web-sites regardless of the lack of any programming or security issues, and all this because the Internet of today is so heavily customizable that we can create fake popups that look identical and function identically to the real thing.

Now, let's explain what has happened recently and what to do to determine if the popup for Facebook, Twitter, Google, etc. is in fact real or fake. As reported by The Hacker News web-site, there is a live phishing campaign using fake Facebook pop-ups that are designed to look like and behave like real pop-up window prompts by Facebook. All the normal details, including the URL, the green identifier for SSL, the buttons to close the window, etc., work. You can even move the window around like a real window. The illusion fails only when you drag the window to the edge of the screen. Also, since the window isn't real, it doesn't have its own button in the taskbar on your computer screen.

This problem only exists because of the advancements in design related to the user interface and the ease of developing user interfaces using HTML5 and many other standards that all web designers and application developers rely on to make beautiful designs. And, it began with Dynamic HTML standards a long time ago, too. We all take for granted that browsers, address bars, etc. look the way they do, but rarely take the time to consider that the ability to recreate them using modern UI coding in HTML5 standards definitely exists, especially with the advent of using HTML5 standards to create those very UI elements in the real applications themselves.

The only suggestions we can offer are to use two-factor authentication and to test the windows that open up to see if they are in fact real: try to minimize them to the taskbar, move them off the screen, make sure the address of the site matches expectations, and even go as far as making sure the information from the SSL certificate matches the real thing by opening the actual site and comparing the information. And, if you cannot determine the validity of the popup window, close it, and don't use the site.
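The manual checks above work because the fake window is ordinary HTML inside the page you are visiting, so any address it shows is just text. The following is an added example, not code from the episode or its sources, that turns that observation into a detection heuristic; the function names, the mock elements and the `shop.example` host are assumptions, and the sample page is constructed.

```javascript
// Added example: flag a password field inside a floating in-page container
// that displays a URL for a host other than the page actually loaded.
const URL_TEXT = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;

// Hostnames drawn as plain text inside `el`, e.g. a painted address bar.
function displayedHosts(el) {
  return [...(el.textContent || '').matchAll(URL_TEXT)].map(m => m[1].toLowerCase());
}

// True when `host` is the page's own host or a subdomain of it.
function sameSite(host, pageHost) {
  return host === pageHost || host.endsWith('.' + pageHost);
}

// Walk up from each password field; report the first fixed/absolute ancestor
// whose visible text claims a foreign host. `getStyle` is injected so the
// function runs in a browser (getComputedStyle) or against mock elements.
function findFakeLoginOverlays(doc, pageHost, getStyle) {
  const findings = [];
  for (const input of doc.querySelectorAll('input[type="password"]')) {
    for (let el = input.parentElement; el; el = el.parentElement) {
      const position = getStyle(el).position;
      if (position !== 'fixed' && position !== 'absolute') continue;
      const claimedHosts = displayedHosts(el).filter(h => !sameSite(h, pageHost));
      if (claimedHosts.length > 0) {
        findings.push({ overlay: el, claimedHosts });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample standing in for a DOM (hypothetical page, not captured).
function mockElement(position, textContent, parentElement = null) {
  return { style: { position }, textContent, parentElement };
}
function sampleDocument() {
  const addressBarText = 'https://www.facebook.com/login.php';
  const body = mockElement('static', `Welcome ${addressBarText} Email Password`);
  const overlay = mockElement('fixed', `${addressBarText} Email Password`, body);
  const form = mockElement('static', 'Email Password', overlay);
  const passwordInput = mockElement('static', '', form);
  return { querySelectorAll: () => [passwordInput] };
}

// The sample page is served from shop.example but paints a facebook.com URL.
console.log(findFakeLoginOverlays(sampleDocument(), 'shop.example', el => el.style));
```

In a browser console or extension content script the call would be `findFakeLoginOverlays(document, location.hostname, el => getComputedStyle(el))`. A hit is a signal to investigate, not a verdict, since the check only sees addresses rendered as text.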

If you want to understand just how dangerous this current trend is, follow the link to The Hacker News web-site in the sources and watch the video clip. Stay informed, be careful, and doubt everything you see online until you are sure it is absolutely real. And, always use a different password on every single web-site you use.

Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net

Sources & Resources
