Once again, Google’s UI is aiding in phishing scams
A Reddit clone was squatting on a domain that closely resembles Reddit's: reddit.co, a fake site that traded on a common typo (dropping the final "m" from .com). Visitors who landed there were greeted by an extremely convincing copy of Reddit's front page which, at the time, Chrome marked "Secure".
Google has since blacklisted the site through Safe Browsing, and it appears to have been taken down. But while it was up, it was phishing Reddit users and harvesting their login credentials.
What's odd is that Reddit never tried to register this domain. It is common for large brands to register the look-alike domains a typo would produce and redirect them to the real site. Reddit is the 13th most popular website in the US, and it appears to have had chances to take this domain going back to 2010, but never did.
The .co TLD belongs to Colombia, and its registry arguably should never have approved this registration to begin with. Nonetheless, whoever was behind this Reddit clone did an impeccable job.
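The defensive registration described above starts with knowing which typo domains exist to register. As an added example (not code from the original post, and not Reddit's own tooling), here is a small typosquat candidate generator and look-alike matcher; the keyboard map and TLD list are illustrative assumptions, and the candidate set it produces for reddit.com includes the reddit.co case from the post.

```python
"""Typosquat candidate generation and look-alike matching for a brand domain.

Added example, not code from the original post or from Reddit: this is
the kind of check a brand-protection monitor runs so that domains like
reddit.co get registered defensively (or at least watched) before a
squatter takes them. The typo classes below are the usual ones; the
TLD list is an illustrative assumption, not a complete set.
"""

# QWERTY neighbours used for "fat-finger" substitutions (letters only).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

# TLDs squatters commonly swap in; .co, .cm and .om are the "dropped a letter
# of .com" cases. Illustrative assumption, extend as needed.
SWAP_TLDS = ("co", "cm", "om", "com", "net", "org")


def split_domain(domain):
    """'reddit.com' -> ('reddit', 'com'). Expects a registrable domain, not a full hostname."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def omissions(label):
    """Drop one character: reddit -> redit, rddit, ..."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label):
    """Swap two adjacent characters: reddit -> erddit, redidt, ..."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}


def repetitions(label):
    """Double one character: reddit -> rreddit, redddit, ..."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def fat_fingers(label):
    """Replace one character with a keyboard neighbour: reddit -> reffit, ..."""
    return {
        label[:i] + n + label[i + 1:]
        for i, ch in enumerate(label)
        for n in QWERTY_NEIGHBOURS.get(ch, "")
    }


def tld_variants(label, tld):
    """Same label, different TLD, including the truncated TLD (.com -> .co)."""
    out = {f"{label}.{t}" for t in SWAP_TLDS}
    if len(tld) > 2:
        out.add(f"{label}.{tld[:-1]}")
    out.discard(f"{label}.{tld}")
    return out


def typosquat_candidates(domain):
    """Every single-edit typo of `domain` a squatter might register."""
    label, tld = split_domain(domain)
    labels = omissions(label) | transpositions(label) | repetitions(label) | fat_fingers(label)
    labels.discard(label)  # e.g. swapping the two d's in reddit gives reddit back
    candidates = {f"{v}.{tld}" for v in labels} | tld_variants(label, tld)
    candidates.discard(domain.lower())
    return candidates


def is_lookalike(hostname, brand_domains):
    """Return the brand domain that `hostname` typosquats, or None.

    Reduces the hostname to its last two labels first (assumption: good enough
    for .com/.co-style TLDs; use a public-suffix list for co.uk and friends).
    """
    parts = hostname.lower().rstrip(".").split(".")
    registrable = ".".join(parts[-2:])
    for brand in brand_domains:
        brand = brand.lower()
        if registrable == brand:
            return None  # the genuine site, not a look-alike
        if registrable in typosquat_candidates(brand):
            return brand
    return None


if __name__ == "__main__":
    cands = typosquat_candidates("reddit.com")
    print(len(cands), "candidates; reddit.co included:", "reddit.co" in cands)
    for host in ("www.reddit.co", "redit.com", "www.reddit.com"):
        print(host, "->", is_lookalike(host, ["reddit.com"]))
```

Run against a newly observed domain (from certificate transparency logs or new-registration feeds), `is_lookalike` tells you which brand it is impersonating, which is exactly the signal that would have flagged reddit.co the day it was registered.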
But here's where I have a bone to pick. Part of what made this attack so successful was that Google's UI marked the website "Secure." Consider this: the average phishing site is only active for a few hours, just long enough to catch a few people before it gets shut down.
And I will credit Google for that: it wastes no time identifying malicious sites and blocking them.
But we've reached a crucial point where user education is lagging far behind the technology being pushed on users. It's extremely easy to get a DV certificate: some are free, and many of the paid ones cost less than 10 dollars. That has led to an explosion of HTTPS phishing.
It takes minimal effort for a criminal to put a DV SSL certificate on a phishing site and fool users into believing they're safe. Because, let's be honest, the average internet user has no idea what connection security is, much less what to look for. Too many people believe Secure = Safe.
And this is where Google needs to make a change. Unfortunately, Google's argument is that the new UI is working: the certificate has done its job simply by authenticating the server, and that is all DV ever claims to do. It proves that whoever requested the certificate controlled the domain name at the time of issuance; it says nothing about who that is.
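To make concrete what "authenticating the server" does and does not cover, here is an added example (not code from the original post) that takes a certificate in the dictionary shape Python's `ssl` module returns from `getpeercert()`, checks the hostname against the certificate's names the way a browser does, and reports what the validation level actually asserts. Both sample certificates are constructed for the example; neither is the real certificate of reddit.co or any other site, and the policy OIDs are passed in separately because `getpeercert()` does not expose the certificatePolicies extension.

```python
"""What a certificate's validation level actually asserts.

Added example, not code from the original post. The certificate
dictionaries use the shape Python's ssl.SSLSocket.getpeercert() returns
for a verified peer ('subject' is a tuple of RDNs, each a tuple of
(attribute, value) pairs; 'subjectAltName' is a tuple of (type, value)).
The two sample certificates are constructed for this example and are not
the real certificates of reddit.co or anyone else. getpeercert() does not
expose certificatePolicies, so the EV/OV/DV policy OIDs are passed in
separately (assumption: the caller extracted them with another parser).
"""

# CA/Browser Forum policy identifiers carried in certificatePolicies.
EV_POLICY_OID = "2.23.140.1.1"
OV_POLICY_OID = "2.23.140.1.2.2"
DV_POLICY_OID = "2.23.140.1.2.1"

# Constructed: the subject a DV certificate for the look-alike domain would carry.
# Nothing here identifies an organisation; the CA only checked control of the name.
LOOKALIKE_DV_CERT = {
    "subject": ((("commonName", "reddit.co"),),),
    "subjectAltName": (("DNS", "reddit.co"), ("DNS", "www.reddit.co")),
}

# Constructed: the shape of an OV certificate (example.com, not a real site's cert).
EXAMPLE_OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "California"),),
        (("localityName", "San Francisco"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "example.com"),),
    ),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def subject_attrs(cert):
    """Flatten the RDN sequence into {attribute: value}."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs.setdefault(name, value)
    return attrs


def validation_level(cert, policy_oids=()):
    """'EV', 'OV' or 'DV' from the subject contents plus any policy OIDs."""
    attrs = subject_attrs(cert)
    has_org = "organizationName" in attrs
    if EV_POLICY_OID in policy_oids and has_org:
        return "EV"
    if has_org and (OV_POLICY_OID in policy_oids or "countryName" in attrs):
        return "OV"
    return "DV"


def san_matches(cert, hostname):
    """The hostname check a browser performs: the name must be in subjectAltName.
    A wildcard covers exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


def what_secure_means(cert, hostname, policy_oids=()):
    """One line a practitioner can put next to the padlock."""
    if not san_matches(cert, hostname):
        return "name mismatch: the browser would show an error, not Secure"
    level = validation_level(cert, policy_oids)
    if level == "DV":
        return f"DV: proves only that the requester controlled {hostname}; the operator is not identified"
    org = subject_attrs(cert)["organizationName"]
    return f"{level}: the CA vetted the organisation {org!r} behind {hostname}"


if __name__ == "__main__":
    print("reddit.co   ->", what_secure_means(LOOKALIKE_DV_CERT, "reddit.co"))
    print("example.com ->", what_secure_means(EXAMPLE_OV_CERT, "www.example.com"))
    print("example.com (EV policy) ->",
          what_secure_means(EXAMPLE_OV_CERT, "example.com", (EV_POLICY_OID,)))
```

The point of the exercise: the look-alike certificate passes every check the browser makes before it draws the padlock, because those checks only ask whether the name matches and whether a trusted CA signed it. Whether the name is the one the user meant to visit is never part of the test.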
If that's the position you want to take, then do something to educate your users. Who is in a better position than Google to influence how people use the internet? I don't have statistics, but I'd wager that most Chrome users still have Google.com as their homepage. The very first thing they see when they open the browser or a new tab is Google's front page.
There's a lot of negative space on that page, too. Why not spend some of it to educate users? Tomorrow you're going to put up an interactive Doodle of a turtle curling (the Olympic sport). But you can't teach your users what your security indicators mean? Hell, why not make a Doodle that does it? People actually write articles about "what the Google Doodle was today"; Time magazine, CNet and a slew of other outlets report on the Doodle. At this point it's practically its own genre of journalism. So why not use the Doodle to teach users something they should definitely know?
But forget about that for a minute, the crux of the issue is this: DV doesn’t deserve the secure indicator.
“Free certificates provide little validation, yet users see them as sacred,” said Kevin Bocek, Chief Cybersecurity Officer at Venafi. “If people cannot trust that the sites they visit are genuine, our digital world could start to crumble.”
Melih Abdulhayoglu, the CEO of Comodo, has also called repeatedly for the removal of the DV indicator.
If DV SSL is to become the standard, as many in the industry are pushing for, then it shouldn't get special UI. Whether Google realizes it or not, its UI, which marks any HTTPS site Secure the moment the TLS handshake succeeds and long before its Safe Browsing filters can blacklist it, is misleading its users. Safe Browsing is a blocklist: it can only warn about a site after that site has been discovered and classified, whereas the Secure indicator appears on the very first visit. Look at that Reddit spoof again: it looks legitimate, and Google says it's Secure. Why wouldn't you trust it?
Phishing is at an all-time high. HTTPS phishing was one of the biggest trends of 2017 and looks set to continue unabated in 2018. Google needs to make a change.
And this Reddit clone is exactly why. Marking any website that uses HTTPS as Secure is patently irresponsible. Yes, the site might still have caught some people without the Secure indicator. But when Google tells you something is secure, we tend to believe it.
And right now that’s a big mistake.