Phish Pharm

During the last few months there were quite simple but very effective phishing attempts on Twitter, deviantART and maybe other social sites as well. The phishers spoofed the login page of Twitter (or deviantART). They sent out catchy messages along the lines of "funny blog about you" or "I have seen your photos on this blog". These messages contained a link to the spoofed login page that phished user passwords. The phished credentials were then used to spread the message further, creating an avalanche effect.

This approach was efficient because the messages were apparently coming from trusted friends. Why would a good friend of mine send me to a phishing page? Because he was phished just a minute before! Simple, but efficient. My estimate is that a significant portion of the users that were on-line fell into this trap. I was on-line on deviantART when this happened. As far as I know, none of the people that I watch detected that the login page was spoofed. They only detected the consequences: that someone was sending out strange messages using their account.

I immediately noticed that the login page was spoofed. The spoofed page was slightly different from the normal login page. But the primary reason that I was alerted was that the page was out of context. I should have been seeing a blog that stole my photos, not a login page. I had not logged out, and the session should not have expired in such a short time. An immediate look at the URL bar confirmed my suspicion.

This specific phishing attempt was not very sophisticated. But if the phisher tries more subtle tactics next time, I may become a victim as well. Such a tactic will probably display a login page in the correct context, where it is expected. Even the most cautious users may automatically enter their credentials without any suspicion (you just cannot watch the URL bar all the time). At the moment it is quite difficult to construct a phishing message that would direct you to a login page in the right context. The correct context for entering a password is at the start of the interaction with the site. But the world is changing ...

Using OAuth it is usual to enter your username and password at almost any time during the interaction with a site. OAuth will normally redirect the user to the trusted site that stores his data, to request authorization to use that data. But that usually results in the user being asked to log in. It may be quite easy for a phisher to simulate that flow and spoof the login page of the legitimate site. OAuth in fact trains users to get phished easily, by making the normal use case look just like the phishing case.
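The defence the post hints at (looking at the URL bar) can be automated on the consumer side: before an OAuth consumer sends the user off to the provider's authorization page, it can check that the redirect really points at the provider's origin and nothing that merely looks like it. This is an added example, not code from the original post; the provider hostname and authorization path are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed example: the only place a legitimate authorization request
# for this hypothetical provider should ever send the user.
TRUSTED_AUTHORIZE = "https://provider.example/oauth/authorize"


def is_trusted_redirect(url: str, trusted: str = TRUSTED_AUTHORIZE) -> bool:
    """Return True only if `url` points at the trusted authorization page.

    The comparison is deliberately strict: https only, exact host, no
    userinfo, default port, exact path. The query string is ignored so
    the usual oauth_token parameter still passes. Anything that merely
    resembles the provider (extra subdomains, the provider name embedded
    in another domain, user@host forms) is rejected.
    """
    try:
        got = urlsplit(url)
        want = urlsplit(trusted)
        port = got.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if got.scheme != "https":
        return False
    if got.username is not None or got.password is not None:
        return False
    if got.hostname is None or got.hostname != want.hostname:
        return False  # .hostname is already lower-cased by urlsplit
    if port not in (None, 443):
        return False
    return got.path == want.path


def triage(urls):
    """Label each candidate redirect as 'trusted' or 'reject'."""
    return [(u, "trusted" if is_trusted_redirect(u) else "reject") for u in urls]


if __name__ == "__main__":
    # Constructed candidates, as they might appear in a consumer's outgoing redirect.
    for url, verdict in triage([
        "https://provider.example/oauth/authorize?oauth_token=abc",
        "http://provider.example/oauth/authorize",
        "https://provider.example.login-check.example/oauth/authorize",
        "https://provider.example@other.example/oauth/authorize",
    ]):
        print(f"{verdict:8} {url}")
```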

This problem is amplified when OAuth is combined with OpenID. It is not a big deal if a Twitter password gets phished. But if a key to the OpenID kingdom is phished, that may be an entirely different story. The OAuth-OpenID combination increases both the exposed surface and the impact: there are more places where a user may be phished, and the phished credentials are more valuable.

I can understand that neither OAuth nor OpenID created the primary problem. But the use of OAuth and OpenID amplifies existing problems. Therefore, instead of increasing the privacy and security of users, the use of these mechanisms may in fact have exactly the opposite effect.