ArticlesPhase A: Using My Powers For Good
I propose that we produce a Mock-Phish web-site, which will have a goal of helping security professionals to train their co-workers, family and friends to avoid falling for phishing scams.
One page will allow the user to nominate a naive computer user (known as the ‘mark’). They will enter the basic contact details of the mark (e.g. email address and perhaps name), a from address (e.g. security@yourorganisation.com, support@yourbank.com) and choose from a selection of pre-written phishing text.
The Mock-Phish site will then forward an email (with appropriately forged headers) to the mark.
The obfuscated URL inside the email points to a corresponding page of the Mock-Phish site, which invites the user to enter private information (e.g. corporate login name and password, or account number and PIN.) It has a submit button.
Sounds ominous, but here’s the twist: the submit button just does a regular HTTP-GET, and does not forward the entered details. The entered details are simply discarded in the browser. The submit button simply directs the browser to another page that explains “You’ve Been Phished!” and warns about the dangers of phishing, and how to detect it. It explains that, while it still might be prudent to change your password, that your password hasn’t really been collected.
This explanation page would link to a technical explanation page that shows how to read the HTML enough to convince yourself that your password wasn’t really stolen. It would also link to the first page that lets you mock-phish someone else.
I think this would be a useful tool for CIOs to tech people about the dangers of phishing by showing, rather than telling.
Phase B: Using My Powers For Evil
Once this site has been running for a while , is getting lots of hits, and has gained the trust of security professionals, Phase B comes into play.
Randomly, the first time an IP address visits the site, it gets presented with different HTML – this time it is a genuine phishing attempt, that delivers the secret information into my clutches. It is protected so that once the submit button is pressed, Javascript runs and changes the DOM to remove all trace of itself. I haven’t worked out the technical details yet – I’ll leave that to my evil Javascripting henchmen.
Anyone who suspects will hit “Back” and find no sign of the dodgy source, or will revisit the site and again, find no sign of the dodgy source.
Oh well. I thought the Phase A was a good idea, until I came up with the Phase B. I should have realised more quickly that security professionals would have not trusted the site – well not if they had ever read Ken Thompson’s Reflections of Trusting Trust anyway.
Comment by Improfane on January 19, 2006
If I understand correctly, this is something I did to help raise awareness of security for an online game.
Comment by Julian on January 19, 2006
Improfane,
Cool. Your site is much like Phase A, except there is no evidence that you aren’t collecting names and passwords for your own devious Phase B reasons. You even know the application that the passwords are for, so it would be easy to use them.
[To be clear, I am not accusing you of actually collecting passwords; I am just saying that from a security professional’s perspective, you would have to assume that any password entered on a site similar to yours to be compromised.]
My original plan for Phase A was to be able to clearly demonstrate, with hind-sight, that the Mock Phish site was not really harvesting the passwords. My realisation was that it would be very hard to prove that satisfactorily; it is too easy to come up with complicated skull-duggery.
Comment by Improfane on January 22, 2006
I understand your concern, but the form never actually submits.
The submit eventually returns false so nothing is submitted to me.
I forgot to say that you should try with a made up account – anything works.
Comment by Julian on January 22, 2006
Whoops! Sorry, Improfane! When I saw the fake name and password that I entered displayed on the screen after submitting, I wrongly assumed that the details had been pushed back to the server, and a new page had been displayed.
Looking at the code, I see that you use Javascript to fake that effect, turning off the display of some items and turning on the display of the password. It’s all down within the same page, and there’s no server access. Cool!
This is a perfect example of Phase A then. Thank you.
You also have neatly moved your key Javascript into a separate file (n.js), which would be perfect for swapping with nastiness occasionally when (errr… I mean if) you turn from good to evil, and implement Phase B.