The Perils of FUI: Fake User Interface

As a software developer, tell me if you've ever done this:

And let's not forget the common goating technique where you take a screenshot of someone's desktop, make it the desktop background, then proceed to hide every UI element on the screen. The anguished cries as users desperately double-triple-quadruple click on pixels that look exactly like real user interfaces can typically be heard for miles.


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2008/08/the-perils-of-fui-fake-user-interface.html

Atwood, of course there is a good solution, but it's not obvious, and from seeing so many misguided suggestions in your comments, it's no wonder that we are where we are.

Very helpful of you to point out the problem, but what about offering solutions, Ian?

What I ended up doing on my sister's PC was changing all the browser shortcuts so that they would start in limited user mode. Seems to work, but I get the feeling she is just more careful after I whinged the whole time I was making her PC run properly again.

I am going to talk to my local FUI expert. He is working from home and does not seem to mind it.

My wife ran into this exact same scam last week on some other web site. Luckily this was on my MacBook Pro laptop, so all I had to do was delete 15 or so exe files from the download folder.

Re: Antivirus programs:
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.VirusYearlyStats

This is a table with the percentage of malware infections detected during the last 12 months by various AV programs on day zero, before anyone had distributed copies of those particular samples. Even the best program missed one malware program in twenty, and some well known and well respected programs did miserably. (I don’t know about anyone else, but I’ve seen a lot more than twenty emails with links to malware in my inbox lately, almost every one of them on an innocent site that has been hacked.) If you check the short term stats elsewhere on the site, you will also see that individual AV programs move up and down the list as variants of malware come out that they are not good at detecting – no one program is consistently the best.

I regularly download samples of the malware I find through links in spam and submit them to www.virustotal.com, virusscan.jotti.org and until recently, Castlecops.com’s Unknown Files forum. The results are quite discouraging. A sample is considered pretty well detected if no more than 50% of programs miss it.

In short, I would never assume a download is safe based solely on a lack of complaint from my fully-updated, high quality AV program. You have to look at the provenance of the download. Before I download something that appears to be legitimate, I want to know who wrote the software, who else recommends it, and whether anyone is posting on forums asking how to remove it. You really can get some very high quality free programs on the internet, so the fact that it is free isn’t necessarily a red flag. But people don’t know they should research a program before downloading, and they don’t know which sites’ recommendations are reliable if they do. If you google the name of a scam antispyware program, your top hits will include a lot of scam product review websites recommending it.

Similarly, if I come across a download via suspicious means, I don't need anyone to tell me it's probably malware. For instance, I don't subscribe to CNN updates, so any links in an email that claims to come from CNN are certain to be malware – if my AV program doesn't think so, I submit the sample to them to add to their definitions.

Of course, with so many otherwise harmless sites being hacked, and now with cache poisoning, even following a bookmark to a site a user knows and trusts is not 100% safe. I use NoScript to block javascript with all but the most trusted sites. Whether I know what I’m doing is beside the point; I don’t get to see the source code before the site loads in my browser.

As far as non-administrative accounts for users: It’s a great idea. We do it for our employees’ computers, since our business requires us to interact with companies that insist we use Internet Explorer. Unfortunately, it also seems to prevent Windows Updates from installing in XP unless an administrator logs into each computer every week (and then sits there during the download while logged in with our own passwords). It may be blocking some AV program updates as well. It’s insane.

In Firefox, go to Tools > Options > Content tab, then click Advanced to bring up the advanced JavaScript options configuration menu. Uncheck everything in that dialog; this will disallow scripts from being able to move, resize, raise/lower, etc. existing windows.

In my experience, these features are never worthwhile; more often than not, even when they are used by non-malicious sites they are an annoyance, and they allow malicious sites to manipulate your browser window and trick you. Note that this does not prevent a site from opening up a new window (when you click on a button, for example) which has a specific size, etc., so it really does not stop web designers from doing fancy things with new browser windows; it just makes it so that nobody can surprise you with those features.
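The Firefox options described in the post above work by refusing the script calls that move, resize, raise or lower an existing window and by forcing browser chrome back on for windows a page opens. As an added illustration (not code from the discussion or from Firefox), the guard below reproduces that policy in page-level JavaScript: it neutralises `moveTo`/`resizeTo`/`focus`-style calls on a window-like object, records each attempt so a user or monitoring extension can see it, and rewrites the `window.open` feature string so that the address bar, status bar and other chrome can never be hidden. The `win` object it is installed on is an assumption; in the test it is a constructed stand-in so the block runs under Node, and the browser preference remains the robust way to enforce this.

```javascript
// Added example, not part of the original discussion: a defensive guard that
// mirrors the Firefox "advanced JavaScript" options (no move/resize, no
// raise/lower, no hiding chrome on window.open) and logs every attempt.

// window.open feature names that hide browser chrome when set to "no"/"0";
// the guard forces each of them back to "yes".
const CHROME_FEATURES = ["location", "menubar", "toolbar", "status", "resizable", "scrollbars"];

// Parse a feature string such as "location=no,status=0,width=300" and
// return it with every chrome feature forced on. Order of existing keys is kept.
function normalizeOpenFeatures(features) {
  const map = new Map();
  for (const part of String(features || "").split(",")) {
    const [k, v] = part.split("=").map((s) => s.trim());
    if (k) map.set(k.toLowerCase(), v === undefined ? "yes" : v);
  }
  for (const f of CHROME_FEATURES) map.set(f, "yes");
  return [...map].map(([k, v]) => `${k}=${v}`).join(",");
}

// Install the guard on a window-like object (assumed: a real `window` in a
// browser, or a constructed stand-in). Returns the attempt log so the caller
// can inspect what the page tried to do.
function installWindowGuard(win) {
  const log = [];
  const deny = (name) => (...args) => {
    // Moving, resizing, raising or lowering an existing window is refused outright.
    log.push({ call: name, args, action: "blocked" });
  };
  for (const name of ["moveTo", "moveBy", "resizeTo", "resizeBy", "focus", "blur"]) {
    win[name] = deny(name);
  }
  const originalOpen = win.open;
  win.open = (url, target, features) => {
    // New windows are still allowed (sizes etc. survive), but chrome stays visible.
    const forced = normalizeOpenFeatures(features);
    log.push({ call: "open", args: [url, target, features], action: "rewritten", features: forced });
    return originalOpen ? originalOpen.call(win, url, target, forced) : null;
  };
  return log;
}
```

In a browser the guard would be installed with `installWindowGuard(window)` from a user script or extension; the returned log is what a defender inspects to see which pages attempted window tricks. The feature-string rewrite is deliberately additive: a site can still request `width=300`, it simply cannot combine that with `location=no`.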

I’ve noticed banks in particular have tried to jack up the security by having every user pick an image and then forcing every user to confirm that it’s the right image when they login. Not quite the same thing as the FUI but the goal here is to add a bit of personalization that cannot be spoofed in an easy way. (I’m sure there are clever ways to get around such a thing, of course.)

If every OS window had some tiny thing in it that made it clear that it was real and the browser was not, or vice versa… anyway, but to dream.

I agree with Jon that some AV should be run (I use the free AntiVir and have been very pleased) but Jeff rather scoffs at this idea which I think is like promoting driving without seatbelts (I don’t have the links to his posts handy).

The web is dangerous, period. When you connect you are open for attack. Many people should probably not use it because the attacks are so sophisticated.

Like driving, if you surf the web you must accept some risk.

Oh, I was in no way implying one should not have an AV program! After all, if you trust a website and allow javascript for it, you are vulnerable if it is hacked. In fact, after submitting some of these viruses and seeing my own AV program not performing too well, I abandoned it mid-subscription and bought a different one because I do consider them very important – I just don’t abandon my own better judgment just because I’ve got a good one.

BTW, here’s an analysis of one I got spammed for just now. 8/35 programs were able to detect it (jeez, you’d think anything named ecard.exe would automatically be detected by now :wink: )
http://www.virustotal.com/analisis/28b64d84673fb36d4812353e8360a403

It was missed by AntiVir, Avast, AVG, Dr. Web, Kaspersky, McAfee, Microsoft, Norman, TrendMicro, and Webwasher, among others, and two of the ones that did raise alarms only called it suspicious. (Some of the other top programs were not among those tested, so they won’t get a copy of the sample to add to their definitions in case they don’t detect it on day 0.)

I like the comment above about allowing for customizable sites, but you know, that's really not practical. What is practical, though, is a themed user interface on the OS. During install of the OS (or the first load if it's a store-bought machine), have a few really easy screens with some basic theme choices. Choose your color with no default. Choose your window style with no default. Make the combinations of choices too robust to bother trying to find a common scheme.

This is exactly like the ATM keypad FUIs.

Train people in such a way they get jaded about these warnings.

Browsers should not offer you the option to execute downloaded files directly. The user must then separately navigate to the download folder and run the downloaded file.

That should solve 90% of the problem, I reckon.

I think part of the problem is how browser security has been misrepresented in the past. People worry that websites will put cookies on their computer that will somehow infect their system and that just using a browser somehow opens their computer to all kinds of attacks. What they didn’t hear is that browsers and websites don’t have access to their entire system unless they allow it. No one tells them that their browser can’t know that their system is infected and whatever else, and they should ignore and cancel anything that tells them so. Users should be informed that they shouldn’t download anything that they didn’t seek out unless they research it first. Basically, if they didn’t directly ask for it, they should be very cautious.

FUIs are just going to become more and more sophisticated and will evolve with the look of operating systems and browsers. I think that if we could teach people to avoid things they didn’t ask for that we could go a long way towards avoiding the problem.

For a start: never, ever, ever allow the browser chrome (address bar, nav buttons, status bar, etc.) to be hidden, or allow the browser window itself to be hidden/resized/moved/etc. I know Firefox has settings that allow you to enable or disable these things, and I always disable them. That way you at least get some indication that the window you’re looking at is a website and not a real application, and it’s harder to pull windowing tricks that make you lose track of what just happened.

How about some combination of sandboxing and whitelisting by default? There's a very powerful presumption that, ultimately, the user has to have 'control' over what goes on his or her computer; maybe this presumption needs to be revisited.

Web browsers are responsible for a major part in fighting these types of attacks.

Identifying and blocking specific types of scripts can also prevent these attacks rather than trying to block just a single website.

It happens every day, and has happened to me once. You take care a lot of times, but once in a while you do falter (and I am a hyper-techie type of person). And FUIs (good term) do increase the technophobia for elderly people.

Problems like this will persist as long as

  1. People insist on using tools that they openly do not understand. Like web browsers.
  2. Microsoft continues pitching products to people who use tools that they openly do not understand.
  3. Microsoft continues to produce tools that are insecure by design.

Or, to be less verbose:

This problem will persist forever.