Martín Obiols

Random InfoSec Rants

This is why you cannot battle phishing with user-awareness campaigns

13 Nov 2018 » phishing, awareness

This content was originally posted as a Twitter thread and is copied here for archive purposes. Please forgive potential typos and the succinct writing style.


I know anti-phishing is a business that feeds a lot of people, but the way this war is fought today just seems off to me.

First, I differentiate targeted phishing campaigns (usually APTs) from massive or moderately massive phishing. I don’t think I need to point out why you can’t fight the former with awareness.

Massive phishing is like email spam: cheap, risk-free and thriving on big numbers. One victim for every 100 targets might seem a low return, but if you have 100k targets from the same bank the figures suddenly get grimmer, while staying cheap for the phisher. And 1% is very far from real-world click-through figures for regular users. In one of my past gigs we conducted regular, large-scale internal phishing on employees. Click-through never went below 10%.

Awareness campaigns followed, telling people to look out for unexpected emails and not to open attachments or click on links. Results still ranged between 10% and 20%. It was common to hear victims say how coincidental it was that Rachel, the phisher, shared a first name with some other Rachel who regularly emailed them. I don’t blame them.

The message will happen to be believable enough to someone, somewhere. It just happens.

And we are just getting started on the silly “don’t click on unknown links” security adage you still often get from awareness campaigns.

Yeah right, as if in 2018 you could know where the hundreds of links you click every day take you: link shorteners, open redirects on trusted domains, no status bar preview on touchscreens, TOCTOU (the link target changing between the moment you check it and the moment you click it), tabnabbing…

If you still believe you can prevent users from brainlessly clicking on links, consider also there are links that do not look like links at all.

Exhibit A:

Exhibit B:

Exhibit C:

OK, people brainlessly click through. But at least we can teach them not to put their credentials on untrusted sites, right? Well, before you start with the awareness, there is some prep work you need to do.

For your awareness campaign to be remotely successful, you need to keep your login pages (that is, the forms where your users put credentials) consistent.

Consistent means you cannot have a myriad of places (URLs, frames, apps) where your users can log in, each with a different UI or CSS. Multiple logins on different sites, UI dialogs, CSS… it’s just bad security urbanism.

You can only have your users putting credentials in a single place. If they are not going to check the URL properly (or they actually can’t, more on that later), at least give them a fixed, familiar form to mentally refer to when things get ugly, e.g. https://accounts.google.com

That helps them build a mental model of “how it looks when this company asks for credentials”. Sending them email messages telling them that they won’t be asked for a password via email or phone won’t help. Also, by doing that you retain control and can properly notify users of upcoming changes so they actually expect them.

But even if you do that, you still need to give users a way of actually checking whether it is you or some phisher asking for the credentials. It turns out there is only one way to do that: the Almighty Browser Address Bar.

So let’s say that after your awareness campaign your users actually glance at the address bar (which is assuming a lot). First, are they able to do that? There are a ton of situations where you are just out of luck, with no clear indicator of who is actually receiving your credentials.

In some other cases, you are being deceived by UI bugs:

Even the size of your screen matters:

And… it’s not enough to check the address bar only once, heh, what were you thinking?

Lastly, have you considered mobile UI design principles? Screen real estate is pricey, so the address bar is just not there sometimes:

I could go on, but you get the point. How do we effectively fix this in a sustainable manner? Not by focusing on awareness, that’s for sure. Cheers