Impersonating web browsers with fake error pages

December 22, 2019

If you’ve read my last post on client-side injection via an analytics javascript snippet, you probably already know that lately I’ve been thinking about simple methods of deception via unique and unexpected framing. After all, social engineering and other forms of deception usually begin by carefully staging a convincing scene. The perfect scene leaves the potential victim with very little doubt about its authenticity (or at least curious). It’s for this reason that attackers are constantly trying to come up with unique ideas for email phishing. If an attacker can impersonate a credible entity when the person least expects it, they can profit greatly.

About 9 months ago, I came up with an idea — impersonating a web browser by posing as a fake “native” browser error page (see example). I created a simple prototype that looks at your user agent and displays the right error page for your browser. For demonstration purposes, only the top 3 desktop browsers are supported: Chrome, Safari, and Firefox. While the idea is quite simple in practice, I believe it has some interesting qualities, namely that there is no obvious way to distinguish it from a real browser error page. With phishing emails, for example, there are often rudimentary methods which can expose an attacker like looking closely at the email address, domain, or language of the email itself. With a fake browser error page, there is nothing that is visibly obvious — the url address bar and the contents of the page are as you’d expect.

Once you’ve established an anchor of authenticity via a browser error, you’ve now opened up the door to more interesting possibilities. One idea would be to show a popup upon leaving the page and ask for the person’s information as a means of browser error reporting in the same way that operating systems sometimes ask you to report an unexpected crash (see example). Using a prompt with the native browser GUI, this could potentially trick less sophisticated users. An even scarier and less obvious strategy would be to subtly notify the person that their browser is outdated and prompt them to download a newer version, thereby tricking them to install your malware (see example). Because browsers don’t show any indication of error in their native GUI when a website error occurs, this gives fake browser error pages the ability to speak on the behalf of the browser to some extent. I believe with the right audience, these types of attacks can be frighteningly effective.