[svlug] Highly Effective Gmail Phishing

Rick Moen rick at linuxmafia.com
Thu Jan 12 18:22:37 PST 2017

Quoting Paul Zander (paulz at ieee.org):

> This a link to a Phishing attack on Gmail users.  It is clever enough
> that a lot of people have made themselves vulnerable.
> https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/

The technique obviously can be generalised, and no doubt will be, so
it's important to note that this is not _merely_ relevant to GMail

Generally speaking, I use a number of precautions I think worth
describing for people to consider:

1.  I never share credentials (e.g., passwords) across multiple places,
e.g., Web sites.  Every one of them gets a unique credential.  I store
them all in 3DES-encrypted storage in my offline PDA.  To date, this has 
been a PalmOS PDA with the open source Keyring app
(http://gnukeyring.sourceforge.net).  PalmOS PDA are now so antique that 
I'm looking to find equivalent code for my Cyanogenmod tablet, instead.
But the critical thing is to use a carefully sparse, _offline_ device.

Every time I mention this category of credential storage, some people
tout their 'password wallets' as if those were the same, but IMO they
very much are not -- because they are online.  IMO, the same security
attack that compromises your desktop/laptop having the ability to snoop
on everything in your password wallet is A Very Bad Thing.
(Disadvantage of Keyring:  Being offline, it doesn't permit
copy-and-paste to my login session.  But IMO, the PDA's airgapping's
advantages outweigh that inconvenience.)

If someone were to offer a pocket-sized security appliance with zero
network capabilities, that is open source from the ground up, hey, I'd
buy one.  This is an untapped niche that smartphones are hogging --

2.  I never enter credentials for a security-sensitive thing (banking,
medical, e-commerce) except in a context and manner initiated and
operated by me.  So, using example of the phishing attack discussed at
your URL, if I were using GMail webmail and something popped up
asking me to login again, I would _not_ do so.  Never, never.  If
confused and thinking I might indeed need to login, I would open a new
tab of my _own_, and go to where *I* know the correct GMail login page
to be -- never a page supplied _to_ me by anyone or anything.

Following this precaution not only protects against all future variations on
the phishing attack in question, but also against frogery
(http://linuxmafia.com/~rick/lexicon.html#frogery) attacks like a
'bank0famer1ca.com' Web site (or _much_ subtler ones using UTF8
lookalike characters).

To use a real-world analogy:  You're accustomed to walking six blocks to
the Chase Bank ATM.  But today, _two_ blocks from home, you see a new
Chase-branded ATM against the outer wall of the neighbourhood 7-11
market, in the corner of the parking lot.  Do you use it?  No, you walk
those four extra blocks, use the ATM built into the side of a known-real
Chase Bank building, and send off a query to Chase Security Dept. asking
if perhaps someone is operating a fake Chase ATM at your 7-11.

Fake ATMs _have_ been successfully deployed and used, by the way.  They
are used to steal customers' credentials and clone their cards.[2]

Cultivating this precautionary habit also protects the user against
social engineering.  No matter how credible the call from 'Customer
Service' sounds, if you politely decline every time you're asked to
provide sensitive information in an unexpected / unfamiliar context,
and insist on using only familiar contexts under your control and by
your initiative, you automatically default a very large percentage of
such attacks.

3.  I distrust other people's recursive DNS nameservers.  Personally, 
I trust only my own, and think it's elementary caution to use (say) an
instance of Unbound via on one's laptop and eschew what DHCP 
provides -- except where it's your dhcpd and your recursive nameserver.

4.  I deeply distrust Javascript.  Well-tuned NoScript is your friend
and protects against another huge bloc of problems.  Yes, it's useful,
yes, it's not too awful for something Brendan Eich madly cobbled
together in only ten days
but man, what an overfeatured menace.

5.  I deeply distrust webmail.  The more I hear about HTML-mail security
and other complications, the more I love mutt.

6.  I try to never rely overmuch on other people's routers and networks.
Strong crypto helps, though with same-origin problems (helped by the
HTTPS Everywhere extension) you may have non-https streams alongside
your https ones.  Always remember that strong crypto's security is only
as good as the security of each endpoint and that of the transport.  

But what I wanted to mention here is a browser extension so modestly
simple it does an important job well:  CertWatch
(https://certwatch.simos.info/).  What it does, and _all_ it does, is
remember the attestation chain of each https cert you have used, and pop
up an advisory if that chain changes -- root, intermediate, and Web site 
certs.  Why is this good?  Because a lock icon is nowhere near enough
information, and CertWatch informs you about changes that might be
worrisome but still present a lock icon

So, if my bank's cert is suddenly signed by the root cert of an Iranian 
certificate authority rather than Symantec Trust Network as intermediate
CA and VeriSign as primary CA, I'll know before entering my credentials.

Likewise, I keep my server's SSH host key fingerprint in my PDA.  If I'm
sshing into linuxmafia.com from a new client host, I can rule out
man-in-the-middle before user authentication.

[1] https://blog.torproject.org/blog/mission-impossible-hardening-android-security
Yes, I know it links to a Nov. 2016 update article, but note in
particular the 2014 piece's points about the damning baseband problem.

In my dreams, there would be a totally open design for a YubiKey 
equivalent with a strongly-encrypted credential (passwords, etc.) store
and small LCD input/output screen.  I'd pay a nice premium to get one.

[2] More recently, though, they've most often attached 'skimmer'
overlays to the real ATMs styled to look like part of the base unit,
so get to know the installations you use and walk away if there's
anything the least odd about the card slot or keypad, and especially
anything protruding even a millimeter further than it should..  (Also,
cover your hand whenever you enter you PIN, because cameras.)  For the
same reason, use a gas station payment kiosk only if it has an unbroken
security seal, and I would never use a debit card there, only credit,
because legal protections are better and there's no PIN to skim.

More information about the svlug mailing list