undefined | Better HN

0 pointsameliaquining8y ago0 comments

The real URL will appear in the browser address bar anyway before the user gets the chance to disclose any information. I don't know exactly what proportion of users will notice a well-disguised phishing URL in the email body but not in the address bar, but I bet it's not that high.

The attack prevented is simply having the user open the attachment, allowing the sender to execute arbitrary JavaScript on their machine in the file:// context. (Modern browsers have made the security consequences of this somewhat less dire than they once were, but it's still not something you want to do if you can help it.)

0 comments

stan_rogers8y ago

That involves the rather large and utterly baseless assumption that users look at the address bar at all. You probably do. Does your somewhat less-savvy next-door neighbour?

userbinator8y ago

This observation I made a while ago shows that a considerable number of "average users" used to, and even understood how URLs are formed:

https://news.ycombinator.com/item?id=7678729

If an increasing number of users aren't, then that is certainly a problem.

ameliaquiningOP8y ago

They don't really look at the URL in the email body either, especially if it's long and intimidatingly technical-looking.

hnlmorg8y ago

> The real URL will appear in the browser address bar anyway before the user gets the chance to disclose any information

Which is already too late for anyone compromised by a drive-by download attack.

ameliaquiningOP8y ago

The threat model here is phishing, not drive-by downloads. Browsers have a much greater ability to mitigate those. Also, a drive-by download email doesn't have to impersonate any particular sender, it just has to look like something that a user might want to click on.

hnlmorg8y ago

> The threat model here is phishing, not drive-by downloads.

I think you missed my point. What if it isn't a phishing attack? Or even, what if it isn't just a phishing attack?

Your suggestion leaves users vulnerable by encouraging them to open suspicious looking links on the off chance it is, at most, a phishing attack.

> Browsers have a much greater ability to mitigate those.

Except when they don't. For what it's worth, I've also seen mobiles fall victim to drive-by download attacks.

> Also, a drive-by download email doesn't have to impersonate any particular sender, it just has to look like something that a user might want to click on.

E-mail worms are spread by the trust relationship between people known to each other (ie a user opening an attachment because it's from a recipient they know). I don't see why drive-by download attacks couldn't exploit the same human condition (ie "Hey bob, check out this link. It's awesome").

In fact I have seen that kind of malware in the wild, now I think about it.

1 more reply

j / k navigate · click thread line to collapse

0 pointsameliaquining8y ago0 comments

0 comments

stan_rogers8y ago

That involves the rather large and utterly baseless assumption that users look at the address bar at all. You probably do. Does your somewhat less-savvy next-door neighbour?

userbinator8y ago

This observation I made a while ago shows that a considerable number of "average users" used to, and even understood how URLs are formed:

https://news.ycombinator.com/item?id=7678729

If an increasing number of users aren't, then that is certainly a problem.

ameliaquiningOP8y ago

They don't really look at the URL in the email body either, especially if it's long and intimidatingly technical-looking.

hnlmorg8y ago

> The real URL will appear in the browser address bar anyway before the user gets the chance to disclose any information

Which is already too late for anyone compromised by a drive-by download attack.

ameliaquiningOP8y ago

hnlmorg8y ago

> The threat model here is phishing, not drive-by downloads.

I think you missed my point. What if it isn't a phishing attack? Or even, what if it isn't just a phishing attack?

Your suggestion leaves users vulnerable by encouraging them to open suspicious looking links on the off chance it is, at most, a phishing attack.

> Browsers have a much greater ability to mitigate those.

Except when they don't. For what it's worth, I've also seen mobiles fall victim to drive-by download attacks.

> Also, a drive-by download email doesn't have to impersonate any particular sender, it just has to look like something that a user might want to click on.

In fact I have seen that kind of malware in the wild, now I think about it.

1 more reply

j / k navigate · click thread line to collapse