by jasode 76 days ago
>When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.

That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse urls.

  https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
  https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the 2nd url looks just as "legitimate" as the first one.

I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people in deciphering URLs or mark them as suspicious.)

The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:

- An Amazon verification email will be sent from "account-update@amazon.com". It's intuitive to predict something coming from "@amazon.com" so a mental whitelist filter works in that case.

- However, State Farm Insurance legitimate login verification codes are actually sent from "noreply@sfauthentication.com" instead of the expected "@statefarm.com".


Microsoft is really bad with this. Login might be live.com or microsoftonline.com or maybe onmicrosoft.com. I went to report a vulnerability to their security portal this week and it redirected me to b2clogin.com.

OneDrive email attachments link to, I kid you not, 1drv.ms, or maybe it was 1drv.com…

Not to mention, they use .ms as if it’s their personal TLD, but obviously anyone can register a .ms domain. It’s like they want people to get phished.

Until this moment I assumed .ms was a Microsoft TLD, but indeed it is not https://en.wikipedia.org/wiki/.ms
Handy tip: all two-letter TLDs are country code TLDs. Doesn't matter if they're trendy in website names (.nu, .cc, .io, .co, .it, .at, .cx, youtu.be and so on)

In fact, here we have the ma.tt website, where the ".tt" is Trinidad and Tobago. Is Matt Mullenweg from Trinidad? No!

It's kind of crazy that the IRS (among other United States government agencies) uses ID.me for account management. The .me domain belongs to Montenegro.
I think ID.me is a private company. So yeah, it’s especially fucking stupid that they use that in the first place. Any gov login should be required to go through a .gov tld. At least reverse proxy it or something!
Though not all country codes point to a country. See .eu, .ac, .su as different examples of stuff that breaks the rules.
The .su domain was made when the Soviet Union was still around, so that doesn't really break the rules. I would prefer for top level domains to be eternal for a great multitude of reasons.
The possible annoyance with eternal country-code TLDs would be the dissolution of one country, and the creation (or renaming) of another country resulting in an eventual exhaustion of two-letter country codes. Eternity is a rather long duration.
> so that doesn't really break the rules

At the time it did not break the rules. It's breaking the rules now because by the original rules it should have been phased out. What makes it survive is a special arrangement.

They also use .microsoft now (e.g. for the M365 admin portal).
We’re talking about the company who owns npm, one of the most hacked package registries in recent history. Can’t say I’m shocked, but this is so bad
It is unfortunately normal for companies to impersonate scammers.

We can teach people as much as we want about security against phishing. It won't matter because people have to break these rules constantly. Companies actively train people to fall for phishing by doing everything in their power to be indistinguishable from phishing themselves.

The worst are DHL, UPS, etc. customs payment mails. Even the real ones look like phishing mails and in some cases they don’t link the payment request to your account, so you cannot circumvent it by logging into your account and checking whether it is legit.
> senior citizens and tried to explain how to parse the domain

Why would you want end users, senior citizens or not, to mentally parse URLs?

The rule is: If the bank, or paypal, or your landlord, or anyone else really emails you that you have to complete some information to your account or pay the latest bill or whatever, you GO TO THEIR WEBSITE and login normally. If it is important they will have the same information there.

The same rule also applies to unsolicited phone calls, but it might be harder to follow: If your bank, or the police, or some other important person calls you and asks for information or for you to do something that feels the least bit off or hurried, you take their contact information, you look up whatever it is they want you to do and you CALL THEM BACK at the official telephone number of the bank or the police. You probably already have the number and if you don't it's on their web site. Do not call back on any other number.

People working the phone generally have much worse protocols than people working over email, so they may be less prepared for you to do this, but I have never heard of anything important that was emailed that wasn't also easily available when logged in to the website.

The only time it is appropriate to click a link in an email is when you are verifying your email address with them. Not for any other reason.

>The rule is: If the bank, or paypal, or your landlord, or anyone else really emails you that you have to complete some information to your account or pay the latest bill or whatever, you GO TO THEIR WEBSITE and login normally.

Yes, that is a "best practice" and good internet hygiene is to never click on email and text message URLs, but the reason they like clicking on legitimate email URLs is convenience and usability. A helpful email link directly lands them on the relevant website page to do whatever they need to do. That's because the email URL has a long string of query parameters (id, etc.) that automatically navigates to the correct webpage.

On the other hand, to do it the "best practice" way, it requires clicking around confusing website menus and drilling several layers deep to find whatever issue the email is talking about.

A helpful email URL link bypasses the hassle of learning whatever flavor-of-the-month confusing UI the website designer happened to use.

Hang around old people and watch over the shoulder how they use computers and you become sympathetic to how they make it work for them.

E.g. An order status email has a URL link of a UPS tracking number to monitor shipping status. But don't click on that! Instead, copy the 1Z... number to the buffer. Then open a web browser and type in the ups.com URL. Then paste the number into the text box. Those copy&paste mechanics are not too difficult on desktop (Ctrl+C, Ctrl+V) but it is much more difficult on mobile phones (double taps or long press and hold).

That was a simple example. The more complicated one is email from health and medical companies with confusing websites. They'd rather just click on the email url.

Man, it's like we live in two different realities and yours is a textbook. Dozens of times I've been sent links to download a PDF or fill out a form that is not linked from the main site anywhere. I know because I check - I hate clicking links in emails because of tracking if nothing else.
And yet, a multitude of banks, credit card companies, stores, etc. routinely send promotional emails where the only way to do what they want you to do is either click on the link (5 seconds) or try to log in through their home page and then find the same option among approximately 9000 menu items, banners and popups.

Are those things important? Well, never life-or-death important, for sure. Is getting 20% off your next order worth the risk of getting your account stolen? Probably not, but I suspect the majority of the population would still act as if it were.

Bluesky's moderation email is moderation@blueskyweb.xyz which 100% looks like a phishing address.

https://bsky.app/profile/safety.bsky.app/post/3ljp6zi7tp227

> I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick.

Have you tried some analogy which will be personal to them? Like describing the URL as a family tree: “com is the oldest ancestor, like you Mr Johnson. Then apple is your son Bill, and getsupport is your grandchild Cody. If you saw ml instead of getsupport, that would be a different grandchild, but still in your family. However, when you see phish and xyz before apple and com you can think ‘I don’t know those people, they aren’t my father and grandfather’”.

The idea is imperfect but I literally just thought of it. We could certainly come up with something better that might eventually work.

Thank you for working to keep vulnerable people safe from phishing.

For a simpler example:

“You ever watch MASH? Remember the main guy, Benjamin Franklin Pierce? He’s not the same guy as Benjamin Franklin, is he? You can tell because you don’t stop after the first part of the name you recognize. You have to go all the way to the end and look at the whole name.

Well, same here!”

Agreed, I like that better. It even has the correlation with family names being at the end.
> getsupport.apple.com.phish.xyz

I notice that a lot of scam texts use domains that start with a TLD followed by a hyphen, like:

  https://wa.gov-phish.fit/dol
  https://seattle.gov-phish.cc/dmv
(Real examples, with "phish" replacing a string of 3-4 random letters)

In some ways, it's a more convincing fake URL, since even if you're used to reading the domain right-to-left, your brain wants to start from the hyphen since it's a different character following a familiar TLD. But that type of domain also seems a lot easier for spam detection rules to catch.

I think you have it the other way, the hyphen should be in a place where it can be confused with a period. E.g. foo-example.com, which at first glance mentally parses similarly to foo.example.com

This is how the scam page in OP's article is formatted, and I think it could easily fool a technical person who's tired. Precisely for the reason you touched on: when you're used to working with reverse DNS notation your eye is drawn to the last period. But hyphen and period are both used as "separators" in different contexts, so you have to be vigilant enough to override the natural instinct to chunk based on any separator.
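The two lookalike patterns discussed in this thread (a trusted name left of the real registrable domain, as in getsupport.apple.com.phish.xyz, and a hyphen glued to a familiar TLD or brand, as in wa.gov-phish.fit and foo-example.com) can be checked mechanically rather than by eye. The following is an added illustration, not code from any commenter; the TRUSTED set is a constructed allowlist, and the registrable-domain helper is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader expects to be legitimate.
TRUSTED = {"apple.com", "example.com", "wa.gov", "seattle.gov"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: production code should consult the Public Suffix
    List so that names like 'bbc.co.uk' count as one registrable domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Classify a URL as trusted or list why it looks like a lookalike."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return {"host": host, "registrable": reg, "trusted": True, "reasons": []}

    reasons = []
    # 1) A trusted domain appears as whole labels somewhere left of the
    #    real registrable domain (getsupport.apple.com.phish.xyz). The
    #    leading dot prevents 'pineapple.com' matching 'apple.com'.
    for d in TRUSTED:
        if ("." + d) in ("." + host) and reg != d:
            reasons.append(f"contains trusted name {d!r} but registers as {reg!r}")

    # 2) A hyphenated label smuggles in a trusted brand or TLD token
    #    (wa.gov-phish.fit, seattle.gov-phish.cc, foo-example.com).
    tokens = {t for d in TRUSTED for t in d.split(".")}
    for label in host.split("."):
        if "-" in label:
            for part in label.split("-"):
                if part in tokens:
                    reasons.append(f"hyphenated label {label!r} contains {part!r}")

    return {"host": host, "registrable": reg, "trusted": False, "reasons": reasons}
```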

Or the insanity of IRS services that use the "id.me" domain for a vendor with a Montenegro TLD.

Privacy issues aside, white-labeling the service and infrastructure behind *.irs.gov should be a mandatory requirement.

> I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick.

Might try explaining it this way?

It works the same way as a postal address. The first part before `/` is the envelope: by analogy it runs streetaddress.city.country.

You can give a name to your house, or add an apartment to the front - but that doesn't change the most significant part.

> The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:

Yep, and there are even things like irs.gov which tells you how to know a site is official (https, and .gov), and then links you to id.me to login. (Not sure what was wrong with login.gov, which SSA lets you use.)

1Password has really been bugging me recently, all the emails they send have giant link buttons they want you to click without verifying where you're actually going.
I recall receiving an email from company X, warning me to not trust emails that said they were from X but didn't come from X.com. But the warning email itself did not come from X.com! They broke their own rules in the warning email.

It's been a while, so I cannot name and shame X...

HP’s email sender always looks malicious and makes me double take.