New attacks article: phishing #41115
6. The user's authenticator app generates the same TOTP, and the user enters it on the fake site.
7. The fake site relays the TOTP to the real site, and the attacker is given access.
[markdownlint] reported by reviewdog 🐶
MD045/no-alt-text Images should have alternate text (alt text)
Another defense I've seen websites use is to ask the user to enter a custom phrase that is displayed on the login page. That way, unless the phishing site knows the custom phrase (which is as bad and as hard as knowing the actual credentials), the user will be alerted that it's not the real site. This is perhaps significantly easier to implement than OTP and passkeys.
Preview URLs: Flaws (3). Note! 2 documents with no flaws that don't need to be listed. 🎉 External URLs (4). (comment last updated: 2025-09-17 22:42:25)
I do remember some sites that used to do this a long time ago. Is it still current practice? Do you know any significant sites that still do this (e.g. banking sites)? I think it would still be vulnerable to the adversary-in-the-middle attack, and I wonder how well defenses based on users paying attention work against attacks that are really all about users who are not paying attention...
* upstream/main: (32 commits)
  FF143 GPU import external texture experimental relnote (mdn#41126)
  added ff release note for nested pseudo-elements (mdn#41146)
  Add a page for SSRF attacks (mdn#41105)
  New CSSOM view API landing page, move CSS guides under (mdn#40547)
  40778 color input value (mdn#41086)
  Synchronize with BCD v7.1.5 (mdn#41116)
  Cross-reference `:target` and `::target-text` pages (mdn#41121)
  Fix content issues (mdn#41125)
  Make all JSON code syntactically valid (mdn#41120)
  Fix the link name with actual heading (mdn#41117)
  Associated listed form controls (mdn#41096)
  Mention `new Set()` accepts `undefined` (mdn#41106)
  chore: correct the `timeRange` function name (mdn#41107)
  Mention that custom elements constructors can't be directly called (mdn#41069)
  chore(deps): bump @mdn/fred from 1.3.2 to 1.4.0 (mdn#41111)
  Public-key cryptography glossary page: add headings and links (mdn#41092)
  Improve caret color demo contrast (mdn#41104)
  Fix supported algorithms for HKDF and PBKDF2 (mdn#41100)
  Update MongoDB example to async/await (driver v5+) (mdn#41102)
  Remove onload and DOMContentLoaded handlers (mdn#41079)
  ...
Phishing is a very old but still very common attack, which has gone through many variations, both to evade defenses and to take advantage of new vulnerabilities. In a basic form, though:
1. The attacker registers a domain name that resembles the target site. For example, if the user's banking website is `my-bank.example.com`, the attacker could register `my-bank.examp1e.com`.
Optional: I think it might be worth calling out some tricks specifically. For example, say that unicode tricks (e.g. cyrillic ‘а’ vs Latin ‘a’) might get used and that the fake site might still use HTTPS and the original site's favicon to make the fake appear legitimate.
There's also semantic attack (which was briefly mentioned in https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Authority, although I just realized the Wikipedia link on that page is talking about a slightly different thing).
We could add this, but I'm not sure it's that important in this guide to go into specific things attackers can do to make the fake domain resemble the target. None of this is actionable for developers AFAIK.
This looks great to me, Will!
Given many phishing attacks come via email I wondered what to do and I think this Cloudflare article has some good advice: https://www.cloudflare.com/learning/email-security/how-to-prevent-phishing/ From that we could maybe say that properly configuring SPF, DKIM, or DMARC email checks would be a thing that developers / domain owners should do? (among other things)
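What "properly configuring" the email checks mentioned in the comment above looks like in practice, as an added example that is not code from the MDN article, the linked Cloudflare article or this PR: a small linter for the two DNS TXT records a domain owner publishes, SPF (which hosts may send mail for the domain) and DMARC (what receivers should do when SPF/DKIM alignment fails). It runs on Node.js, does no DNS lookups, and the weak and hardened record strings are constructed for the demo.

```javascript
// Added example, not code from the MDN article or this PR. Runs on Node.js.
// The SPF and DMARC record strings below are constructed; nothing is queried in DNS.

// Parse "tag=value; tag=value" (DMARC record syntax) into an object.
function parseTags(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

// Findings for a DMARC record; an empty list means it is enforcing.
function assessDmarc(txt) {
  const t = parseTags(txt);
  const findings = [];
  if (t.v !== "DMARC1") return ["not a DMARC record (v=DMARC1 missing)"];
  if (!t.p) findings.push("missing p= tag: receivers apply no policy");
  else if (t.p === "none") findings.push("p=none only monitors: spoofed mail is still delivered");
  else if (t.p === "quarantine") findings.push("p=quarantine: move to p=reject once reports are clean");
  const pct = t.pct === undefined ? 100 : Number(t.pct);
  if (pct < 100) findings.push(`pct=${pct}: policy applied to only ${pct}% of failing mail`);
  if (t.sp === "none") findings.push("sp=none: subdomains are left unprotected");
  if (!t.rua) findings.push("no rua= address: you receive no aggregate reports");
  return findings;
}

// Findings for an SPF record. The qualifier on the "all" mechanism decides
// what receivers do with mail from hosts the record does not list.
function assessSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== "v=spf1") return ["not an SPF record (v=spf1 missing)"];
  const findings = [];
  const all = terms.find((x) => /^[+\-~?]?all$/i.test(x));
  if (!all) findings.push("no 'all' mechanism: unlisted senders get a neutral result");
  else if (all === "+all" || all.toLowerCase() === "all") findings.push("+all authorizes every host on the internet");
  else if (all === "?all") findings.push("?all is neutral: no protection");
  else if (all === "~all") findings.push("~all is softfail: rely on DMARC p=reject for enforcement");
  // Mechanisms that cost a DNS lookup; more than 10 makes the record permerror.
  const lookups = terms.filter((x) => /^(include:|a$|a:|mx$|mx:|redirect=|exists:)/i.test(x)).length;
  if (lookups > 10) findings.push(`${lookups} lookup terms exceed the 10-DNS-lookup limit (permerror)`);
  return findings;
}

// Constructed records: a monitoring-only pair next to an enforcing pair.
const WEAK = {
  spf: "v=spf1 include:_spf.mailer.example ~all",
  dmarc: "v=DMARC1; p=none; rua=mailto:[email protected]",
};
const HARDENED = {
  spf: "v=spf1 include:_spf.mailer.example -all",
  dmarc: "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:[email protected]",
};

for (const [name, rec] of Object.entries({ WEAK, HARDENED })) {
  console.log(name, "SPF:", assessSpf(rec.spf));
  console.log(name, "DMARC:", assessDmarc(rec.dmarc));
}
```

The check is deliberately on the receiver-visible policy, not on whether mail actually authenticates: a domain can have perfect SPF and DKIM and still be freely spoofable if DMARC says `p=none`. Roll out `p=reject` after reading the `rua` aggregate reports for a while, since the same policy also rejects your own legitimate mail from any sender you forgot to list.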
Co-authored-by: Florian Scholz <[email protected]>
I have added a bit on this although I'm not sure how well I understand it!
Here's a new article on phishing attacks.