The Perils of FUI: Fake User Interface

The FUI looks convincing but I think the file download dialog should give it away for most people. At least I tell my family and friends to never download and run any files from the web or e-mail like that.

Users are getting sophisticated enough, but the attacks are getting more sophisticated. Social engineering attacks like this almost always work, at least on a small subset of users.
When taking the amount of traffic on the internet into account, this small percentage becomes a very scary number.

My sister recently came to me with ‘Antivirus 200’ (or something like that). I immediately knew what happened, but she thought she was doing the right thing.

The solution seems to be simple - end the monoculture of static themes. If every user had to pick colors and styles for his desktop theme on the first login, with NO DEFAULT VALUES, it would be much harder to successfully spoof a window. Alternatively, it shouldn’t be that hard to write a browser plugin that automatically hides images behind a warning if they contain typical Windows elements, just like certain programs detect porn by looking for certain commonalities.

In the end, though, nothing is ever 100% secure, and it doesn’t need to be. Viruses aren’t actually the major threat people perceive them to be. While yes, they do make your PC slower, so does the new Office you installed, and while yes, they send your clicks to nefarious advertising companies, my mum just really doesn’t care.

The FUI looks convincing but I think the file download dialog should give it away for most people.

I don’t know, Kalle. You think users are actually reading and understanding the file download dialog, much less the warning?

http://www.codinghorror.com/blog/archives/000114.html

Dialog boxes usually say: "If you want to tech the tech, you need to tech the tech with the teching tech tech. Tech the tech? Yes / No"

This is really difficult. With the graphical expressiveness that people need to build meaningful applications, you’ll always be able to fake web applications.

I think it will be pretty hopeless to prevent websites from faking real UIs. The better way to go is making the warnings even bigger when crossing a security line. In this case, you stop visiting a website and start downloading executable code that will be executed outside of the sandbox.

This should give a really huge, really annoying warning. Maybe you should even be required to type your password, or the sentence "I realize this might fry my computer", before being able to execute code from the internet outside of a sandbox. After all, this should be a very uncommon operation, so it's reasonable to bug users about it.

Mac OS X at least displays an additional warning about downloaded code, where it came from and the time when you downloaded before executing the program. But something that requires typing would be a lot better, as people tend to dismiss dialogs without thinking (being trained by gazillions of annoying senseless messages in Windows programs).

A part of my friend's business is to talk to people through messenger-type applications, so it got them all, and he has a lot of people he doesn't know about.

So, some weeks ago he got this MSN-type message popup from some random guy with a common name, so he just clicked it. Luckily, he didn't seem to get anything from this click after scanning his computer.

Even if I browse with NoScript, I find it hard to know what's fake when it comes to downloading files from Filefront or anything like this. The file could be anything.

I can't wait for Macs to get enough market share to become a virus target.

Naive users cannot be protected until they get sophisticated.

Being a non-administrator would definitely help, but it doesn't prevent the problem. All it does is limit the scope of the infection. Someone in Vista (or Gnome or KDE or OS X) running Firefox as a limited user can still run systemscan.exe, and that program can still send itself in emails, set up fake webservers (on higher-numbered ports, of course), scan the network, steal passwords, and set itself to start up again when the user logs in.

It would be a bit easier to clean up, I suppose.

Poor English is also usually a dead give-away:

"Your may have Spyware!"

Java applets, when launching new frame windows, had some piece of chrome that was impossible to remove; I can't remember if it was the titlebar, or I think it was a status bar kind of thing. And I think for some of the browsers/VMs it was an annoying yellow-background type of style. Not a complete answer, but better than nothing. Setting other limits also probably makes sense, like not allowing absolute screen positioning, so that you can't conveniently "hide" the browser's "This is a FUI!" chrome off-screen, or with a second FUI window, etc.

I recently saw something very similar, animated to look like the real thing, but it was hilariously obviously faked in the browser - I was running FF2 on PC Linux OS.

Back in Windows, one thing that helps is to change your colour scheme (title bars, fonts) and not use the defaults, these spoofs always use the most popular defaults. So if you’ve set your system to use purple title bars and the browser spoof comes up in XP blue or silver, it’s obvious. (Also comes in handy to tell the source of pop up dialogs when running virtual machines, or VNC etc).

"The very first thing this page does is minimize the browser (…)"

Javascript that resizes the browser should die.

One word: NoScript

Poor English is also a dead give-away: "Your may have Spyware!"

It’s hard for people to understand that browsers can’t know their systems are infected if Windows Update can look into their computer and know which updates they need.

Maybe the OS can constantly scan the UI for instances of certain security icons and graphics? But then we would inevitably get into a reverse CAPTCHA problem.

Maybe it should be a hardware solution… Microsoft could bundle a USB light that only they can turn on when using Windows Update, Defender, or other approved programs. Kind of like when browsers change the address bar color when on a secure site. Then you tell grandma to never trust any security warnings unless that light is on.

My uncle had something like this come up for him, but at the time he was already infected with something on his machine which was causing these popups to appear. He called me up before clicking on one of the dialogs that came up. The guy is not a dumb guy, but the window that came up looked very convincing, Windows logo, the whole bit, claiming that he needed to download such and such antivirus to clean his machine off.

I explained that his machine was already infected and that was why he was getting these popups (they would come up whenever he opened the browser).

I had him install and run SuperAntiSpyware and that found a crapload of stuff on his machine. Seemed to fix everything.

I think he recently switched to a Mac.

How about having a way to customize your native window headers in a way that the spoofer will have no way to anticipate? Perhaps it's not possible on an OS which by default runs everything as the equivalent of root, but I'm ignoring that pathological case.

I’ve noticed that on linux, the spoofed dialogs that look like windows dialogs really stand out as being fake. Yahoo mail has this thing where you tell it the location on your local machine of a custom icon file, which it will display. Yahoo-mail spoof sites won’t have this info, so won’t be able to display the icon. Similarly, the window manager could put some custom image in the window header, or whatever, and spoof windows would lack this feature, making them more obviously fake. Now if the browser allows websites to create native windows, this won’t work, of course.

I'm with the first poster though – why in the hell does the browser permit web pages to minimize it, hide various UI features, prevent clicking on window close buttons, block 'ctrl-W', etc.? What is the point of having these capabilities?