This article originally appeared in Search Security/Tech Target on February 1, 2019.
Google is planning to add warnings on lookalike URLs in an ongoing effort to ensure internet users experience useful and clear warnings while using the Chrome browser.
The latest effort by Google to provide clear and understandable warnings on the internet will be to highlight fraudulent websites that use lookalike URLs.
Google has a history of pushing changes on the web to help users understand security more clearly, such as the effort to change the badges used for HTTPS websites, so HTTP is labeled as insecure by default. Emily Stark, lead of the Google Chrome usable security team, played a part in that effort, and this week she revealed her team’s latest plan is to offer warnings when Chrome detects lookalike URLs.
Stark spoke at the Enigma security and privacy conference in Burlingame, Calif., on Tuesday to detail what Google has been working on.
Stark said the main problem with URLs is that although they are supposed to help users understand website identity, research indicates that this isn’t true. Stark said most people don’t notice or understand the potential security information being conveyed by a URL.
Google doesn’t believe there’s a good way to replace URLs, but Stark’s team wants to improve identity by issuing warnings on fraudulent websites that have been designed to impersonate well-known pages.
Stark said her team wants to make sure the warnings are informative, so they plan to alert users if Chrome detects lookalike URLs (e.g., techt4rget.com) or homographs, such as when a similar-looking Cyrillic character is used in place of a Latin character.
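As an added illustration, not code from the article or from Chrome itself, the Python sketch below shows the shape of the heuristic Stark describes: it decodes punycode labels, flags labels that mix scripts, folds confusable glyphs (Cyrillic lookalikes, digit substitutions such as the 4 in techt4rget.com) into a Latin skeleton, and compares the result against a list of protected domains. The PROTECTED list and the small CONFUSABLES table are constructed assumptions; a real deployment would use the full Unicode confusables data.

```python
import unicodedata

# Constructed allowlist of hostnames to protect (sample data, not Google's list).
PROTECTED = ["techtarget.com", "google.com", "apple.com"]
# Hand-built confusables: lookalike glyph/digram -> Latin skeleton character.
# Assumption: a real deployment would load the full Unicode confusables.txt.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0445": "x", "\u0443": "y", "\u0131": "i",  # Cyrillic x, y; Latin dotless i
}

def decode_host(host):
    """Lower-case a hostname and turn punycode (xn--) labels back into Unicode."""
    return host.lower().encode("idna").decode("idna")

def letter_scripts(label):
    """Approximate the scripts used by a label's letters from their Unicode names."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold accents and confusable glyphs into a plain Latin string for comparison."""
    text = unicodedata.normalize("NFKD", host)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for lookalike, plain in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(lookalike, plain)
    return text

def levenshtein(a, b):
    """Edit distance, to catch typo-squats the confusables table does not fold away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(host):
    """Return (protected_brand, reason); reason is None when nothing looks wrong."""
    decoded = decode_host(host)
    if decoded in PROTECTED:
        return decoded, None
    mixed = any(len(letter_scripts(lbl)) > 1 for lbl in decoded.split("."))
    skel = skeleton(decoded)
    for brand in PROTECTED:
        if skel == brand:
            return brand, "homograph" if mixed else "confusable"
        if levenshtein(skel, brand) <= 2:
            return brand, "typosquat"
    return None, None
```

The edit-distance threshold and the confusables table are the tunable parts; a browser-scale version also has to compare the registrable domain rather than the whole host and keep false positives on legitimate first-visit sites low.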
Joshua Franklin, co-founder and CISO of Outstack, said Google has a big job ahead.
“There are more than a billion websites out there. If Google can really make this happen, it could have a huge impact,” Franklin said. “However, even with an entity as large and powerful as Google, experience has taught us that trying to do something like this takes years and years. Models have to be trained, tested and integrated upon.”
Mike Bittner, digital security and operations manager at The Media Trust in McLean, Va., said the warnings about lookalike URLs in Chrome are “a step in the right direction toward building user awareness.”
“There is a huge market amongst bad actors regarding the sale and purchase of domains similar to popular sites in the hopes of users accidentally navigating to the fraudulent ones,” Bittner said. “But ultimately, more should be done to curtail the efforts of bad actors utilizing these fraudulent sites for financial gain. Some of the burden is on the companies/site owners, themselves, to purchase and maintain domains to prevent them falling into the wrong hands.”
It’s currently unclear when such warnings about fraudulent websites might come to Chrome because the team is still working on the heuristics that determine when a URL is trying to trick a user. In this vein, Google developed an open source tool called TrickURI, which can, in part, test if URLs are displayed correctly.
“URLs are often the only source of identity information available when making security decisions in a web browser or other context, but URL syntax is complicated and subject to a wide variety of spoofing attacks,” the TrickURI readme states. “TrickURI allows easy exercise of common sources of spoofing vulnerabilities to ensure applications are robust in their display of URLs.”
Franklin said the success of Google’s effort will depend on how the warnings are implemented, because “trying to get everyone who uses the web to make risk decisions on whether they are on the right website or not is unlikely to be easy.”
“Even if Google is trying to get people to only focus on parts of a URL, what about people with colorblindness or dyslexia, or people who are visiting, legitimately, a site for the first time?” Franklin asked. “Then there is the risk of ‘security deafness’ — think of the expired certificates warnings that come up now. Most people just ignore the warning and go to the site anyway because they don’t understand the risk or the potential consequences. They just want the information they were looking for.”
Bittner added that the biggest danger of fraudulent websites that employ lookalike URLs is in the theft of sensitive data, such as login credentials, personal information, credit card numbers and more.
“These fraudulent sites are remarkably similar, and in some cases, identical to the sites they are attempting to portray, so, a warning to the user may be the last and may be the only line of defense at times, especially with regards to targeted phishing campaigns,” Bittner said. “The first step is user education and the warning that Google is providing is certainly a step in the right direction, and other major browsers should take note.”