We take on the problem of URL spoofing, where the address bar in your browser doesn’t tell you the truth about the identity of the website you’re looking at.
Apple products had a recently disclosed bug of this sort (now fixed), which led to a lot of coverage of the issue, so we thought we’d explain what URL spoofing is, and what you can do about it.
Enjoy…
(Watch directly on YouTube if the video won’t play here.)
Raj
Great information! Thank you
Paul Ducklin
You’re most welcome. Glad you enjoyed it!
Raj
Enjoyed and learnt a lot! :)
Spryte
Informative video but what about the use of other fonts to disguise URLs? I know you’ve written about it in the past. Perhaps a good time for a reminder to users that similar looking characters from other fonts can take them places where they may not want to go.
Paul Ducklin
Good point.
FWIW, we already covered that issue in an earlier Facebook Live video:
https://www.facebook.com/SophosSecurity/videos/10155525051835017/
For people who are interested in more detail about the trick of font substitution – for example, using the Greek letter ρ (rho, or the R sound in English) because it looks like an English p but isn’t actually the same character – please see:
https://nakedsecurity.sophos.com/2017/04/19/phishing-with-punycode-when-foreign-letters-spell-english-words/
https://nakedsecurity.sophos.com/2018/04/04/free-virgin-atlantic-tickets-no-its-a-whatsapp-scam/
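The lookalike-letter trick described in the comment above can be checked for mechanically. The following is an added example (not code from the post, from Sophos, or from any browser): it shows the punycode ("xn--") form a browser would fall back to for a hostname, and flags any DNS label that mixes Unicode scripts, such as Latin letters alongside a Greek rho. The script detection uses the first word of each character's Unicode name as a heuristic, so it does not catch a label written entirely in one foreign script.

```python
import unicodedata


def label_scripts(label):
    """Heuristic script detection: the first word of a letter's Unicode
    name ("LATIN", "GREEK", "CYRILLIC", ...). Digits and hyphens are
    script-neutral and are skipped."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split()[0])
    return scripts


def check_hostname(hostname):
    """Describe a hostname from a homograph point of view.

    Returns a dict with:
      ace                 - the ASCII-compatible (punycode) form a browser
                            would show if it refuses to render the Unicode
                            name, or None if the name cannot be encoded;
      mixed_script_labels - labels that combine letters from more than one
                            script, a classic sign of a lookalike domain.
    """
    findings = []
    for label in hostname.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, sorted(scripts)))
    try:
        # Python's built-in idna codec applies nameprep then punycode.
        ace = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        ace = None
    return {"ace": ace, "mixed_script_labels": findings}


if __name__ == "__main__":
    # Constructed sample names: one plain, one with Greek rho standing in
    # for the Latin letter p, as in the comment above.
    for name in ("apple.com", "a\u03c1\u03c1le.com"):
        print(name, "->", check_hostname(name))
```

A label that is entirely Cyrillic or Greek will not appear in `mixed_script_labels`, but its `ace` value will still start with `xn--`, which is the clue to look for in the address bar.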
Pete
What about Safari on an older 32-bit iPad that Apple no longer provides updates for, which is at 10.3.3? That device is working fine, but is it now defective?
Paul Ducklin
You’ll have missed a lot of security fixes…
Personally, I’d retire an old iPad like that.
(One big beef I have with Apple and with a big part of Google’s Android ecosystem is the lack of official support for jailbreaking and repurposing devices that they won’t themselves support any more. There are doubtless regulatory reasons why hacking the radio and telephony firmware isn’t allowed but the idea that the device should be dumped in landfill because the vendor won’t let you re-use it is worrying. Enthusiasts keep old-school cars, motorcycles, bikes, furniture, buildings, clocks, trains, typewriters, tape recorders, gramophones and much more going because, well, because they can, and why not? But iPads and so forth are left to undergo security rot with little or nothing you can do to fix them.)
Pete
Thank you Paul.
That device is not used for financial purposes, but is used for email, photos, and news browsing. Is it still a risk, either for the device itself or other devices within the same household? Also if it needs to be replaced what is the best way to “clean” it?
Paul Ducklin
If you’re logging into email on a device then you can argue that device really should be in the most tip-top security shape of all, because your email account is probably the way you do password resets for numerous other accounts. In other words, your email account is effectively the master key to many other accounts.
Your email inbox also offers a detailed record of your digital life – all sorts of transactions get logged there, such as receipts from online shopping, itineraries for travel, reminders about contract renewals and much more. A crook with access to your email, even if it’s just read-only access, could learn an awful lot about you that would be handy for identity theft.
As for retiring an old iPad – I had an ancient iPad (first ever version) that ran out of support from Apple. I jailbroke it for research purposes for a while, then it became unreliable. I opened it up with a guitar plectrum, prised off what I assumed were the flash chips and dropped them into a crosscut shredder. No idea whether that was necessary (or effective) but it was fun! I then got rid of the rest of the internal components at a municipal e-recycling collection point, except for the front panel, which I gave to a colleague to use as a comedy picture frame.
Pete
The scenario of replacement leads to a related security question, i.e. Android vs Apple tablets. I’ve read that security updates for Android phones are a much worse story than for iPhones. Does that translate to Android tablets (including Fire)?
Pete
I removed the email apps from the device, so now it’s just a browser and photo device, so I guess I’ll keep it. Email was being done in parallel on an iPhone 6, which is up to date.
Paul Ducklin
I wouldn’t visit any sites where personal information is requested or displayed :-)
Pete
Would proton mail be secure to a hack that attempted to gather info such as we were discussing earlier?