by nielsole 2816 days ago
If you had never visited the site, how would modern security practices have prevented the attack?

HSTS is useless in this case isn't it?

3 comments

Correct. HSTS does not protect against a first visit to a site. And to work around HSTS, there are many ways to get users to clear their caches, install new browsers, or use new devices to browse sites they've already visited.

Technically, if the domain had DNSSEC enabled, it might prevent this kind of attack, but no regular consumer is using a validating stub resolver, so even DNSSEC wouldn't work.

Now that browsers are saying "Not Secure" by default for HTTP pages, users are apparently expected to notice this popping up where it didn't before and realize they're on a phishing site.

Many sites can be included as HSTS only in Chrome itself, so it wouldn't be entirely useless.

https://hstspreload.org

Anyone can preload their domain in Chrome, Firefox and others that share the preload list. I'm not sure what vulnerabilities are left after your site has been preloaded.
The only vulnerability left would be, as mentioned above, a client installing a browser that doesn't support HSTS.
If your attack relies on getting the user to install your own browser, don't waste your time with a simple HSTS bypass.
No. If the domain (and its subdomains) is preloaded, then a first visit is not required. The HSTS requirement is then baked into a list supported by modern browsers such as Firefox and Chrome.
Preloading always includes subdomains (it's not possible to preload just the TLD).
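The thread hinges on the difference between HSTS state a browser learns from a response header (empty on a first visit, and gone again after a cache clear or a fresh install) and the preload list compiled into the browser. The following is an added example, not code from this discussion or from any real browser: a toy model of both stores, plus a parser for the Strict-Transport-Security header that checks the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, and the preload directive). The domain names are constructed.

```python
"""Toy model of browser HSTS state: dynamic (learned) entries versus the
compiled-in preload list. Added example; the hosts below are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age hstspreload.org requires for submission


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def preload_eligible(header):
    """True if the header satisfies the preload-list submission checks."""
    d = parse_hsts(header)
    return (d["max_age"] is not None and d["max_age"] >= ONE_YEAR
            and d["include_subdomains"] and d["preload"])


class HstsStore:
    """Holds the preload list (never expires, always covers subdomains on the
    real list) and the dynamic entries learned from HTTPS responses."""

    def __init__(self, preload=None, now=time.time):
        self.preload = dict(preload or {})  # host -> include_subdomains
        self.dynamic = {}                   # host -> (expires_at, include_subdomains)
        self.now = now

    def learn(self, host, header):
        """Record the HSTS policy an HTTPS response for `host` carried."""
        d = parse_hsts(header)
        if d["max_age"] is None:
            return
        if d["max_age"] == 0:               # max-age=0 removes a known host
            self.dynamic.pop(host, None)
            return
        self.dynamic[host] = (self.now() + d["max_age"], d["include_subdomains"])

    def _match(self, host):
        """Exact match, or a parent domain whose entry includes subdomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._match(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def demo():
    """Walk through the cases raised in the thread and return what was requested."""
    store = HstsStore(preload={"preloaded.example": True})
    results = {}
    # First visit to a non-preloaded site over plain http: nothing upgrades it.
    results["first_visit"] = store.navigate("http://bank.example/login")
    # One HTTPS visit that returned the header; later http requests are rewritten.
    store.learn("bank.example", "max-age=31536000; includeSubDomains; preload")
    results["after_learning"] = store.navigate("http://bank.example/login")
    results["subdomain"] = store.navigate("http://www.bank.example/")
    # A fresh profile (new browser, cleared cache) has no dynamic entries at all,
    # but the preload list still upgrades a first visit, subdomains included.
    fresh = HstsStore(preload={"preloaded.example": True})
    results["fresh_profile_learned_site"] = fresh.navigate("http://bank.example/login")
    results["preloaded_first_visit"] = fresh.navigate("http://login.preloaded.example/")
    return results


if __name__ == "__main__":
    for case, url in demo().items():
        print(f"{case:28s} -> {url}")
```

The `fresh` store is the case the earlier comment describes: a new browser or cleared cache throws away everything in `dynamic`, so only hosts on the preload list keep their upgrade on the next first visit.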