0

Seeing how big names like Gmail, Yahoo! (despite the login seal) and Hotmail (Live Mail) are prone to phishing attacks, this raises the question of whether it is possible (theoretically) to safeguard a website login form from phishing scams?

Now before we go in answering whether it is possible to (theoretically) phish-proof a website, I understand that we need to establish a few factors.

  1. What is the general method used for creating a phish login page? Is it possible to counter this generalized phish-page-creation method? That is, if a programmer is able to defeat the "generalized" phish-creation-method, can he/she expect to make a major change in the security industry?

  2. What is the programming and tech understanding of the majority of phish-hackers? If it is not possible to completely phish-proof a website's login system, is it possible to effectively push out 80-90% phish-makers out of the game by making the phish-page-creation a complex and difficult process?

  3. What is the theory behind some of the phish-proofing mechanisms in practice today (Yahoo login seal etc)? Are these methods effective? If the methods are practically ineffective, is it possible to improve the efficiency of these methods while sticking to the same theory/idea? Or is it the very approach which is erratic?

I know experts would have varying views on these matters, but I hope I could at least find some points of consensus on these issues.

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
Youstay Igo
  • 121
  • 4
  • 1
    This will likely be closed as *Too Broad*. Each one of your "factors" could be a question in its own right. You could ask for a canonical answer, but I think you'd still have to narrow down your factors to what you're really looking for out of the question. – RoraΖ Nov 10 '15 at 13:57
  • Possible duplicate? The answers to [this question](http://security.stackexchange.com/q/3374/76890) contain a lot of information about how to detect and counter phishing attacks. – r3mainer Nov 10 '15 at 14:44
  • I just had a 4000+ word explanation to everything you asked typed up... but I don't have time to finish it right now, so I'm just gonna summarize it: the only way to defeat phishing is by educating yourself and your users. And even then, there are many ways to intelligently phish even the most seasoned paranoid security nuts. – Mark Buffalo Nov 10 '15 at 14:49
  • 3
    Phishing exploits the human factor, you cannot patch servers against something that does not act upon them. – DarkLighting Nov 10 '15 at 15:02
  • @DarkLighting, of course you can. However, everything will be completely inoperable. :p – Mark Buffalo Nov 10 '15 at 15:11
  • 1
    Well, shutting the server down does not count as an answer :P Also, even if you shut it down, the user will have already clicked on the phishing email, therefore giving the attacker sensitive info that might be used against some other service. – DarkLighting Nov 10 '15 at 15:15
  • The objective of the phishing is to gather information, not access. The information might be used for getting access to some service, correlate with some other infor or simply sell the information. Anyway, what the attacker does with that information is a whole other story. – DarkLighting Nov 10 '15 at 15:21
  • I was just expecting a 5 sentences answer to each of my sub-questions. That shouldn't be too broad. As the question is opinion based, I am simply trying to find things of consensus about these issues. I am not stating anything as granted by myself, but asking you people what is your point of view on the matter(s). If only you guys had used the same time to post your opinion on the matter instead of commenting on the type of question ... – Youstay Igo Nov 10 '15 at 15:33
  • 1
    @YoustayIgo the problem is that you do not understand the underlying concepts - that makes it very broad. You also seem to have a lot of assumptions about phishing pages that we would have to deconstruct for you. A simple HTML form with 2 fields (username and password) and a stolen site logo is sufficient as a "phishing login page". What do you hope to do on the legitimate page to affect that? – schroeder Nov 10 '15 at 15:48
  • Where/how did I assume anything anywhere in my question? Instead, I stated right in the beginning that I just want you guys' brief opinion on the subjects at hand. That's all. As for myself, I am a white-hat hacker and I can safely say that I have a "fair" understanding of the phishing procedure. But as a person, my perspective is based on my experiences alone and hence could be biased or limited. Hence I wanted to get the perspective of the experts on the matter. Was it too hard to simply provide your point of view on the questions? The world is so cold these days! – Youstay Igo Nov 10 '15 at 15:54
  • You can defeat phishing by using SSL client certificates for authentication. That is a technical fix that doesn't rely on user training – paj28 Nov 10 '15 at 16:27
  • Can't SSL's be faked too, with a similiar looking SSL monogram? Also, what about non-encrypted sites? – Youstay Igo Nov 10 '15 at 16:49
  • Yes, use U2F. They can phish your username and password but not your U2F key – Neil McGuigan Nov 10 '15 at 19:21

4 Answers4

5

Probably no.

A phishing attack doesn't rely on using the content of the actual login page, it just relies on the user treating the phishing page as if it were the login page. Even if, as suggested in the comments, you shut your servers down completely, that doesn't mean that your users wouldn't respond to a phishing email pretending to be you.

To elaborate, it doesn't matter how fancy and advanced your underlying security algorithms are. If I can't use your page as it is, I can just (worst case) take a screenshot and drop some forms on it, and this will be good enough for a decent portion of my targets.

If you can't make the page itself phish-proof, you could try to help your users respond better to phishing attempts by training them to recognise your legitimate site and having some part of that site that is unique to them. For example, banks often have a personal image that they show you during the login process. A phishing page is unlikely to be able to accurately reproduce these unique sections, and instead will remove the segment or substitute a generic image. If the user is vigilant, they will notice this and abort before submitting their information.

However, as Adam Shostack comments, there's evidence that training users is unreliable and has a low payoff. Additionally, an advanced phishing page could feed information to the real site and echo back the unique parts as you go along.

Samthere
  • 166
  • 7
  • 2
    Training people to recognize your legitimate site has been demonstrated to not work, as has presenting a unique image. I believe Stu Schecter did a study in 2010 or so in which he demonstrated a very high (75+%) of failure in people's willingness to stop logging in because the image was missing. Also, a clever phisher might connect to the site and borrow the unique image. – Adam Shostack Nov 10 '15 at 16:27
  • @AdamShostack Fair enough, I'm more trying to say that it's more viable than trying to make a page uncopyable. 75% means that it could help 25% of users. I agree that it's not reliable, but it's an alternative to doing nothing. – Samthere Nov 10 '15 at 16:36
  • I agree that making a site uncopy-able is a powerful way of stopping phishing. But how do you stop folks from copying the UN-LOGINED page? The page folks see when they open your site for the first time? No cookies to read previous logins, no nothing. How are you going to stop hackers from copying this fob page and basing their phish attacks on this? – Youstay Igo Nov 10 '15 at 16:51
  • 1
    @YoustayIgo You cannot stop people from doing this. As Samthere notes in their answer, phishers can always take a screenshot of your login page, and use that as the basis for their fake. Beyond that, the front-end code of your page is accessible to them, because it loads in their browser. If your page is visible to your un-logged-in users, then anyone can copy it. – recognizer Nov 10 '15 at 16:53
  • 1
    @YoustayIgo That's exactly the issue. Unless you develop an oracle that can judge whether a user is legitimate as they connect, you can't stop the phisher from seeing what a user would see before logging in. Even if you had some way of pre-authenticating users, you'd have to know that none of your users will ever develop a phish. – Samthere Nov 10 '15 at 16:54
  • This being established, what is the level of tech which a phish-maker **must** have before he can successfully phish a visually complex page? – Youstay Igo Nov 10 '15 at 16:57
  • 2
    @YoustayIgo That depends on what you mean by "visually complex", and what you mean by "successfully". But the answer to that question is probably "a basic understanding of HTML and CSS". It's not hard to take the front-end code of a page you're looking at and produce a version that looks the same, but has no functionality aside from collecting the information the user enters. The ways that a phishing attempt can be spotted are many, but the initial step of replicating the page is easy. – recognizer Nov 10 '15 at 20:58
  • @YoustayIgo why does your scenario need to include a visually complex site?? I've seen people log into a fake web service that looked *nothing* like the legitimate site. Phishing is a people problem **NOT** a technical one. It seems like the underlying condition you have is that the phishing site has to look identical to the legitimate site. If that is so, you need to state that. – schroeder Nov 10 '15 at 22:38
3

No. You cannot make a web site un-phishable.

Phishing is an attack on human understanding, not on your website. Adding images, EV SSL, all these things fail because people don't pay attention to them.

In his book, "Thinking Fast and Slow" Kahneman talks about "WYSIATI" (What You See Is All There Is") as an issue in human perception. It goes way beyond security.

Adam Shostack
  • 2,659
  • 1
  • 10
  • 12
  • The question I am asking is not whether users will pay attention to logos and images or not. What I am asking is whether it is possible to add visual content in your website which cannot be faked? As in, faked by anyone with less than professional level of expertise in web develeopment. – Youstay Igo Nov 11 '15 at 05:13
  • 1
    Ummm, "visual content" is equivalent to logos and images. Maybe you animate them. The answer remains, simply, no. If you serve it to visitors via an HTTP GET, those visitors can copy it. – Adam Shostack Nov 11 '15 at 05:57
0

I think for this reason using Extended Validation SSL Certificates is a wise idea. Also with HTTP Strict Transport Security (HSTS) enabled in Browsers, we can provide some security. Refer https://www.chromium.org/hsts. Users if are directed to genuine site with fake SSL certificates, they will be interrupted by the Browser. If it's a fake website, Users should be vigilant enough to check padlock in the address bar. There are some plugins (e.g. CertPatrol, etc.) in Firefox who keep track of visits and certificates and store them locally and alert in case of change.

I found these URL Shorteners a threat which does not give you an idea before they expand into actual URL. Also looking at email-headers can give some lead about the phishing emails.

Recently I have come across some claims about Web Application Firewalls which prevents someone from site-scraping. Educating Users and awareness about phishing is the most effective way however, given the rapidly changing social engineering attack methodology.

Krishna Pandey
  • 1,497
  • 1
  • 16
  • 26
  • Relying on plugins (talking from the site managers/owners point of view) to provide security for your site is a potentially fatal approach as you are handing out your trust like free candies. Plus, you cannot expect every user to have installed those plugins. You can also not expect all users to rely on Firefox only. SSL might be a good idea, but can't SSL outlooks be faked? – Youstay Igo Nov 10 '15 at 17:01
  • Actually I was fielding from both the sides. From Site Manager/Owner perspective, get your site listed in Google Chrome HSTS list, use EV SSL Certificate, don't frequently change the UI of your site while maintaining uniqueness, so that Users develop familiarity with the site and can notice even subtle changes may be. Leave an email-id to report phishing incidents and regularly issue advisory to Users. – Krishna Pandey Nov 10 '15 at 17:09
0

Make phishing not useful

The only reasonable way to protect yourself from phishing threats is to assume that a determined attacker will be able to obtain the initial set of credentials from some of your users through phishing, and ensure that this is not enough to provide a worthwhile benefit to the attacker. If you eliminate incentives for attackers, you will not only mitigate your damage in case of a successful attack but also greatly reduce the chance of such attacks as serious attackers will usually choose other targets.

A common example used in banking is a careful use of two factor authentification tokens. If an user gives their credentials and code from the token to a phishing site, then this can be enough to log in once immediately, but not enough to do take over the account afterwards or, for example, approve a transaction - which would require to obtain an additional code from the real user at that time.

Similar functionality can be achieved even with low tech pre-mailed paper sheets with single use challenge-response codes.

In this case a successful attack needs to perform a MITM attack in real time, requesting (and obtaining) the appropriate code from the user at the same time while your system is performing a transaction in real website. This raises the required competence and deters some attackers, and also makes them easier to detect as, unlike in normal phishing, the actual exploiting must be happening while the phishing campaign is running instead of enabling the attacker to gather a large amount of credentials silently.

Peteris
  • 8,389
  • 1
  • 27
  • 35