It’s extremely difficult to prevent attacks when there are [link] on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the Fullscreen API can deliver this power to an attacker.
Today (and [link]), an attacking website can enter full-screen after any user gesture, which may be as simple as the user clicking anywhere in the page or tapping any key. A common threat pattern is to abuse the browser’s APIs to perform a tech scam attack, in which a user is convinced to call a phone number staffed by the attacker.
On initial load, the attack page doesn’t have permission to go full-screen so the address bar and tabs remain visible…
As soon as the user hits any key, the attacker now has the “gesture” they need to abuse browser APIs and go full screen.
As in [link], after the victim phones the supplied number, the attacker either directly asks the victim for money to “fix” the PC, or entices the victim to run “remote control” software that grants the attacker control of the PC to steal credentials or install malware. (Aside: the 2024 action thriller [link] explores what happens if the bad guys accidentally target the friend of a government assassin.)
Attack pages show text in a black box near the top-center of the window to confuse the user so they don’t notice the browser’s hint that it is now in full-screen mode and that hitting the Escape key will exit. They make the attack even harder to escape using the Pointer Lock API (which hides the mouse pointer) and the Keyboard Lock API (so exiting full-screen requires that the user hold the Escape key). They increase the urgency with animation and even a computerized voice claiming that the user’s machine is under attack and they should call immediately to avoid damage. Some attacks use tricks to make the browser sluggish (e.g. by spamming the IPC channel between the renderer and the browser process) so that it is harder for the user to escape the attack page.
Even if a user manages to get out of full-screen mode, any keystroke or click re-enters it. Attempting to close the tab with the [x] button results in the OnBeforeUnload dialog box, where the user must see and press the Leave button in order to close the page:
OnBeforeUnload confirmation dialog
I built a [link] demonstrating some of these techniques.
Making matters even scarier, the attack site may deliver JavaScript which, while (harmlessly) loaded into the browser cache, causes the system’s real security software to pop up a toast indicating that an attack is underway.
What’s a normal human to do in the face of this attack?
One response might be to turn off the power to the computer in the hope that the attack will just go away. That might work, at the expense of losing anything that hadn’t been saved, but it might not, if the user accidentally just “sleeps” the device or if the browser’s crash recovery brings the attack site back after the computer reboots.
I recently noticed that the [link] attempts to detect “browser locker” scam sites like these by watching the exercise of certain web-platform APIs. While blocking those APIs entirely could have site-compat impact, it might be a reasonable thing to do for many sites on the too-often hostile web.
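As an added example (not code from the original post or from any browser vendor), here is the kind of scoring that watching those APIs allows: a timeline of API uses is checked for the combination the attack relies on, with full-screen re-entry after a manual exit weighted highest. The event format, the weights and the re-entry window are this example’s own assumptions.

```javascript
// Added example (not the original post's or any browser's code): score a
// recorded timeline of web-platform API uses for "browser locker" signatures.
// The event shape {api, t, fullscreen, userInitiated}, the weights and the
// re-entry window are assumptions of this example.
const REENTRY_WINDOW_MS = 3000;

function analyzeLockerSignals(events) {
  let inFs = false, lastUserExit = -Infinity, reentries = 0;
  let pointerLock = false, keyboardLock = false, beforeUnload = false;
  for (const ev of events) {
    if (ev.api === 'requestFullscreen') {           // Element.requestFullscreen()
      if (ev.t - lastUserExit <= REENTRY_WINDOW_MS) reentries++;
    } else if (ev.api === 'fullscreenchange') {     // document fullscreenchange event
      inFs = ev.fullscreen;
      if (!ev.fullscreen && ev.userInitiated) lastUserExit = ev.t; // user hit Escape
    } else if (ev.api === 'requestPointerLock') {   // hides the mouse pointer
      pointerLock = pointerLock || inFs;
    } else if (ev.api === 'keyboard.lock') {        // navigator.keyboard.lock(): Escape must be held
      keyboardLock = keyboardLock || inFs;
    } else if (ev.api === 'beforeunload') {         // handler that triggers the Leave prompt
      beforeUnload = true;
    }
  }
  // Re-entry after a manual exit is weighted highest; the other signals are
  // legitimate alone (games, video players, remote-desktop web apps).
  const reasons = [];
  if (reentries) reasons.push(`full-screen re-entered ${reentries}x within ${REENTRY_WINDOW_MS}ms of a user exit`);
  if (pointerLock) reasons.push('pointer hidden while full-screen');
  if (keyboardLock) reasons.push('Escape captured by keyboard lock while full-screen');
  if (beforeUnload) reasons.push('beforeunload prompt resists closing the tab');
  const score = (reentries ? 2 : 0) + pointerLock + keyboardLock + beforeUnload;
  return { score, reasons, verdict: score >= 3 ? 'browser-locker' : 'benign' };
}

// Constructed sample timelines (t = milliseconds since page load).
const LOCKER_TIMELINE = [
  { api: 'requestFullscreen', t: 0 }, { api: 'fullscreenchange', t: 10, fullscreen: true },
  { api: 'requestPointerLock', t: 20 }, { api: 'keyboard.lock', t: 25 }, { api: 'beforeunload', t: 30 },
  { api: 'fullscreenchange', t: 5000, fullscreen: false, userInitiated: true },
  { api: 'requestFullscreen', t: 5100 },           // next keystroke re-enters full-screen
];
const GAME_TIMELINE = [
  { api: 'requestFullscreen', t: 0 }, { api: 'fullscreenchange', t: 10, fullscreen: true },
  { api: 'requestPointerLock', t: 20 },
  { api: 'fullscreenchange', t: 60000, fullscreen: false, userInitiated: true },
];
```

A full-screen game that also locks the pointer scores 1 and stays benign; only the stacked combination with re-entry after the user's Escape crosses the threshold.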
Punditry
In my opinion, browsers are much too eager to enter and reenter fullscreen – if a user exits full-screen manually, I think we shouldn’t allow the site to regain it without a more explicit user interaction (e.g. a permission bubble). And browser vendors probably ought to be [link], for example, automatically denying full-screen on sites where the user isn’t a regular visitor.
URL reputation services like Google Safe Browsing and Microsoft SmartScreen do allow blocking of known tech scam sites, but there are just so, so many of them (millions every month).