[svlug] Highly Effective Gmail Phishing

Akkana Peck akkana at shallowsky.com
Fri Jan 13 11:58:19 PST 2017

Such a lot of great advice in this thread ...

> Rick Moen wrote:
> > 4.  I deeply distrust Javascript.  Well-tuned NoScript is your friend

Ivan Sergio Borgonovo writes:
> Today you really have to put your browser in a VM and start over from a 
> fresh snapshot everyday.
> Even banks fill their websites with tons of external sources of JS.
[ ... ]
> Even when you've some experience selecting sources of JS to authorize a 
> list of 20+ external sources, some of which you just discover after 
> you've enabled some is becoming a pain.

Often it takes five or six iterations: even if you enable all six of
the javascript sites on the first page, when you hit reload, the
javascript from those sites brings in four new ones, and if you
enable those and reload, there will be still more ... all of them
required before you see any content on the page. It's loony.
It took me months to figure out how to view O'Reilly content:
it needs JS from several sites, but it also needs cookies from
at least two domains, one of which never shows up in the urlbar.

So I use a separate browser, ideally one that doesn't save any
cookies, passwords or any other information. I have a little
python-webkit browser I use for that purpose, which starts up very
quickly and doesn't have any way to store cookies or other info;
but you can also make a separate firefox profile and run it with
    firefox --private-window -new-instance -P profilename
when you need a safe window. Go ahead and let it set cookies and
such, then clean out the profile regularly -- like Ivan's VM
snapshot suggestion, but without the VM.

If you use a separate browser for heavy-JS sites, make sure it looks
different from your normal browser (if they're different profiles for
the same browser app, you can install different UI themes), so if
anything starts asking you to log in, you immediately know it's bogus.

> The fact that you can't authorize eg. akamai.net JS just when it is 
> required from XYZ.com doesn't help.

I sure wish noscript offered that sort of granularity.
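As an added illustration of the separate-profile idea above (example code, not part of the original post): a small wrapper that keeps a clean "snapshot" copy of a throwaway Firefox profile and restores it before every launch, so cookies and storage from the heavy-JS sites vanish on the next run. It assumes a $DISPOSABLE_HOME/<name>/{profile,snapshot} layout of its own and uses Firefox's -profile <dir> flag in place of -P <name>.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway Firefox profile
# reset from a clean "snapshot" copy before every launch. Assumed layout:
# $DISPOSABLE_HOME/<name>/{profile,snapshot}, default ~/.disposable-firefox.

DISPOSABLE_HOME="${DISPOSABLE_HOME:-$HOME/.disposable-firefox}"

# Live profile directory for a given name.
profile_dir() {
    printf '%s/%s/profile' "$DISPOSABLE_HOME" "$1"
}

# Pristine copy (the "snapshot") the live profile is restored from.
snapshot_dir() {
    printf '%s/%s/snapshot' "$DISPOSABLE_HOME" "$1"
}

# Save the current profile as the snapshot, e.g. after installing a
# distinctive theme so the throwaway window is easy to tell apart.
snapshot_profile() {
    name="$1"
    rm -rf "$(snapshot_dir "$name")"
    mkdir -p "$(snapshot_dir "$name")"
    cp -a "$(profile_dir "$name")/." "$(snapshot_dir "$name")/"
}

# Throw away everything the profile accumulated (cookies, site storage,
# history) and restore the snapshot; with no snapshot it starts empty.
reset_profile() {
    name="$1"
    rm -rf "$(profile_dir "$name")"
    mkdir -p "$(profile_dir "$name")"
    if [ -d "$(snapshot_dir "$name")" ]; then
        cp -a "$(snapshot_dir "$name")/." "$(profile_dir "$name")/"
    fi
}

# Reset, then start Firefox as a separate instance on that directory.
# -profile <dir> replaces the post's -P <name>, so no profiles.ini entry is
# needed; cookies may be set during the session and vanish on the next reset.
disposable_firefox() {
    name="$1"; shift
    reset_profile "$name"
    firefox -new-instance -profile "$(profile_dir "$name")" "$@"
}

if [ "${1:-}" = "run" ]; then
    disposable_firefox "${2:-heavyjs}"
fi
```

Run it as `sh disposable-firefox.sh run heavyjs`; to capture a configured state as the snapshot, launch once, set up the theme, quit, then source the file and call `snapshot_profile heavyjs`.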
