Stop Phishing by Analyzing the Bait

Rebeccca Peltz - Jul 12 - - Dev Community

CyberSecurityNews.com published a gif on X showing Top 8 Cyber Attacks 2024 last spring that shows the top 8 cybersecurity threats for 2024. This chart has popped up in many places. I like the way it's paired with Beethoven's Moonlight Sonata here:

Top 8 Cyber Attacks - 2024 [4K] - YouTube

Top 8 Cyber Attacks (2024):1. Phishing2. Ransomware3. Denial-of-Service (DoS)4. Man in the Middle (MitM)5. SQL Injection6. Cross-site Scripting (XSS)7. Zero-...

favicon youtube.com

I've worked on product releases where we just scoured the front end to try to eliminate any HTML that might lead to a security issue

If you look closely at the list 3 out 8 of these attacks rely on front end software, that is, a vulnerability in the browser. Fullstack application developers can use this awareness to help prevent these problems. The list of attacks is shown below. Attacks 1, 5, and 6 are attacks that occur in the browser.

  1. Phishing
  2. Ransomware
  3. Denial of Service (DoS)
  4. Man-in-the-middle (MiTM)
  5. SQL Injection
  6. Cross Site Scripting (XSS)
  7. Zero-Day Exploits
  8. DNS Spoofing

Both Phishing and Cross Site Scripting rely on links that a user clicks on to carry out the attack. In the case of Phishing the link is in often in an email.

In this post, I'm going to focus on Phishing. Both Phishing and Cross Site Scripting are forms of Social Engineering that rely on the user's trust and possibly lack of knowledge. I'm going to focus on Phishing in this post because it is one of the most prevalent types of attack.

Companies are aware of the losses that result from cyber crimes, and instruct employees in what to look for to prevent attacks that involve links. However, the nature and attributes of the HTML anchor element that is used to create links might make it difficult for users to spot a problem with the link.

I've worked on product releases where the goal is rework any HTML that could create a vulnerability. But in the end, if you tell a user to 'hover over each link on the email and make sure that the underlying URL looks OK', you're asking a lot.

Let's look at the anchor tag attribute variations that might make it difficult for a user to just hover over the link to determine if the link is OK.

1. Expected Anchor Element.
The HTML anchor tag was created to make navigation between web
pages easier. The structure of a basic anchor element does
this includes a URL assigned to an href attribute and text
content that describes where the URL will navigate to.

```html
<a href="https://www.example.com" target="_blank">Example</a>
```
Enter fullscreen mode Exit fullscreen mode
The design of the anchor element strongly suggests that the 
user shouldn't have to know what the URL is.  If the URL is to 
be known, it could be copied in the text content.  If all the 
URLs were spelled out, it would make for an unattractive and 
probably messy looking web page.  This variation is the most 
commonly used.  If the user hovers over `Example` they will see 
`https://www.example.com`.
Enter fullscreen mode Exit fullscreen mode

2. Using onclick in an Anchor Element.
We can introduce more complex instructions into the anchor tag
by adding an onclick event handler and JavaScript. Here are
three examples of what we can do when we want to run some
JavaScript when the link is clicked. In all cases, hovering
over the link won't show you the onclick event.

**a. `onclick` returns false.**

When you the JavaScript in the onclick handler returns false, 
the navigation to the URL in href is not executed.  But if 
there is a problem from the JavaScript itself, it's too late 
once you've clicked on a link in which hovering over it showed 
a URL that was OK
Enter fullscreen mode Exit fullscreen mode
```html
<a href="https://www.example.com" target="_blank" 
onclick="alert('hello'); return false;">Say Hello</a>
```
Enter fullscreen mode Exit fullscreen mode
**b. `onclick` doesn't return false.**

If the `onclick` handler JavaScript code doesn't return false, 
then the link will navigate as intended.  Hovering over the 
link will return an OK URL and the code will navigate to the 
URL.  In this case, all will seem well, but if the JavaScript 
contained a problem, it's too late to fix it.
Enter fullscreen mode Exit fullscreen mode
```html
<a href="https://www.example.com" onClick="alert('found me')" 
target="_blank">onClick me</a>
```
Enter fullscreen mode Exit fullscreen mode
**c. anchor tag doesn't contain an href attribute.**  

If the `href` is not included in the anchor tag element will 
render without text decoration, but will still be clickable if 
an `onclick` is included.  For users that are used to clickable 
items showing some sign of click-ability like `text-decoration` 
or a CSS that style to clickable text to look like a button, 
there may be some confusion here.  A user instructed to hover 
over links would likely ignore clicking on this entirely.
Enter fullscreen mode Exit fullscreen mode
```html
<a onClick="alert('found me')" target="_blank">onclick me</a>
```
Enter fullscreen mode Exit fullscreen mode

3. No encryption in URL.

If the URL references a site that doesn't use encryption, like 
`http://www.example.com` vs. `https://www.example.com`, this 
could a raise a question.  These days browser will often 
encrypt the web page even if the scheme is `http`.  There are 
extensions and settings to make browsers automatically encrypt, 
but if the user hovers, and finds that HTTP instead of HTTPS is
used, this could be the sign of a problem.
Enter fullscreen mode Exit fullscreen mode
```html
<a href="http://info.cern.ch/" target="_blank"
onclick="alert('my href is unencrypted but chrome will 
make it secure')"; 
return true;>info.cern.ch is unencrypted</a>
```
Enter fullscreen mode Exit fullscreen mode

4. href refers to a URI with a javascript: pseudo scheme.

Although it's most common to see a scheme in a URI like 
`https:`, other schemes are in use.  For example `mailto:` and 
`tel:` are used to send message via email and SMS.  These 
schemes are followed by email addresses and telephone numbers. 
These are refereed to as URI's instead of URL's.  The scheme is 
provided an **identifier** instead of a **location**.  Both 
`mailto:` and `tel:` are visible when hovering on a link.  

It's also possible to use `javascript:` as a scheme.  It is 
then followed by a call to a function in the context of the 
HTML.  In the example below it is calling the function 
`doSomething`.  This will be visible upon hovering, but because 
the contents of the JavaScript code is not known, it may raise 
a question.
Enter fullscreen mode Exit fullscreen mode
```html
<a href="javascript:doSomething()">Javascript me</a>  
```
Enter fullscreen mode Exit fullscreen mode

I hope the examples above show how difficult it could be for a user to determine if a link in their email should be clicked on or reported as a possible threat. What's the solution?

Create a Browser Extension

What is needed is a full analysis and report on what is going on within the links on a webpage. There needs to be a way to quickly generate some information that shows the links without hovering and provides alerts as to which links may have some unexpected attribute settings. We need a Phish Bait analyzer report. It would be nice if browsers had this feature, but until they do we can create a Chrome extension to do it.

I created an extension named Link Reveal and published it in the Chrome Web Store. I'm not the only one that thought of this. If you search the Store for terms like "link" or "phish", you'll find many extensions that relate to the anchor tag. If you're interested, you can also look at the code. There are a couple of test pages you can use:

Page with a lot of different anchor tags.

Page with no anchor tags.

Other Solutions that Preventing Phishing

The Chrome extension is useful for getting a better look at the attributes of rendered anchor elements. In some cases, once an email web page is opened, the malware has already been installed. There are tools to investigate emails before they are opened. Any links containing suspicious URLs or URI can be removed before the user can access them. This blog summarizes some of those tools and how they work.

Learn More About Cybersecurity

The chart below shows that phishing is on the rise.

Phishing attacks
credit: phishing-statistics

Cybersecurity awareness is important for developers. I joined ICS2 and learned a lot.

See this guide for creating and publishing the browser extension described in this post.

. . . . . . . . . . .