Open Bug 1685910 Opened 5 years ago Updated 5 years ago

Warn the user if a page's HTML was manually edited (possibly by scammers)

Categories

(Firefox :: Security, enhancement, P5)

Firefox 86
Desktop
All
enhancement


People

(Reporter: vaclav.trpisovsky, Unassigned)


TL;DR: Scammers with remote access often edit banking page HTML on the victim’s PC to persuade them that they have been sent money. I propose adding a strikethrough to the URL (like this: https://bank.example.com/) if a page has been edited, to notify the user that the page is not genuine and so give the victim a greater chance of noticing the scam.

Some of the most common tech support scams involve the following steps:

  • Make the victim believe that you represent customer service, tech support or law enforcement.
  • Guide them to install remote access software and connect to their PC.
  • Have them log into their online banking account.
  • Black out their screen and disable keyboard/mouse input from their side.
  • Keep them busy by talking about a transaction in progress or reassuring them about your credibility.
  • Press F12 and edit the banking page’s HTML so that a fake account balance appears.
  • Close the Developer Tools, enable user input and turn the screen back on.
  • Discuss the “new account balance” with the user to continue the next part of the scam.

You can see such a scam in action here; the actual HTML editing takes place at 6:39.

Of course, the problem cannot be dealt with using:

  • a pop-up, as the scammers would just close it themselves,
  • changing the page’s icon to ⚠️ as that would be too subtle and not explain what happened,
  • disabling tampering with certain pages, which would break all sorts of extensions etc.,
  • or a highlight of the page element that was changed, as this would disrupt web developers’ workflow.

So I propose a fairly non-disruptive, yet hopefully effective measure: add a strikethrough (and perhaps a mild color change) to the URL whenever the HTML is altered through the Inspection window. Upon a longer mouse-over or click on the URL bar, an explanation would appear, such as: “This page has been manually altered. Refresh the page to view an actual copy.” Many people are already used to looking at URLs to avoid phishing, and this strikethrough would raise their concerns.

Since the feature would (obviously) be on by default and might still be a bit of a nuisance for web developers, I suggest giving an about:config option to disable it, but requiring a restart of Firefox (or preferably the computer) to take effect, so that the scammer can’t just disable the warning with the banking webpage still loaded.

I also know that editing the HTML with an extension gives a workaround but its installation significantly prolongs the time required to conduct the scam, and adds effort required to hide the installed software.

I know this is a minor improvement and that the other major browsers lack this functionality, but why not be the first to improve the Web experience? I am quite sure other browsers would follow if we get the feature out. I am only contacting Mozilla at this point as Firefox is my preferred browser and it is highly open to suggestions.

If anyone thinks there is a better way to fight such scams, please share your insights.

I'm marking the platform as “Desktop/All”, though almost exclusively Windows users are affected, as I suggest implementing the enhancement on all OSs for consistency.

Version: unspecified → Firefox 86

I understand that crossing and coloring things in the URL is quite a Chrome-y thing to do (for instance they start a URL with a red https:// whenever the page can only be fetched via http despite https being specified in the typed address), and that advanced users might not like the feature. Do you think it may be better to propose this to Chrome developers? Most of the scam victims use Chrome anyway.
If you are reading this, please leave a word or two to indicate your opinion, rather than ignoring: would this be a useful feature, or an annoyance for devs? Thank you.

Moving across to Security, as this seems like it would cover multiple areas, not just the address bar (e.g. some detection that devtools was in use to do modifications, etc.).

Component: Address Bar → Security

This is a really fascinating scam, thank you for sharing that. And thanks for pondering how browsers could help here.

I don't think that address bar modifications would be effective in any way. Yes, sometimes users look at the lock icon but probably not in such a high-tension situation. Additionally, the small change could easily be explained away by the scammer. It's doubtful whether victims would bother to mouse-over or similar.

Maybe instead of adding browser UI we could think about adding APIs that give websites the ability to detect whether their contents have been tampered with, so that they can react to that and e.g. force a logout. (Note that websites could do that today by keeping "critical" UI in memory and watching changes to it with MutationObserver, forcing a reload as necessary. For some bank sites without any client-side JS they could just literally watch the entire page for changes).

Anyway, this is something to think about but unfortunately I don't think any team is immediately picking it up. Let's keep it in store as a P5 for now.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
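The page-side approach sketched in the comment above (snapshot "critical" UI, watch it with MutationObserver, react on divergence) as an added example; this is not code from the bug or from Mozilla, and the function names, the `fakeNode` stand-in and the sample balance value are assumptions made for illustration.

```javascript
// Added example: a site-owned tamper guard for "critical" elements such as an
// account balance. Hypothetical names; not Firefox code. It is a mitigation a
// site can deploy today, not a guarantee: devtools can also edit the script.

// Serialise what a devtools edit would change: tag, visible text, attributes.
function fingerprint(el) {
  const attrs = [];
  for (const a of el.attributes || []) attrs.push(`${a.name}=${a.value}`);
  attrs.sort();
  return `${el.tagName}|${el.textContent}|${attrs.join(";")}`;
}

function snapshot(elements) {
  return elements.map(fingerprint);
}

// Return the indexes of elements whose fingerprint differs from the saved
// snapshot; an empty array means the critical UI is intact.
function diffSnapshot(saved, elements) {
  const current = snapshot(elements);
  const changed = [];
  for (let i = 0; i < saved.length; i++) {
    if (current[i] !== saved[i]) changed.push(i);
  }
  return changed;
}

// Browser only: observe the critical elements and call onTamper(changed),
// e.g. to force a logout or reload, the first time they diverge.
function installTamperGuard(elements, onTamper) {
  const saved = snapshot(elements);
  if (typeof MutationObserver === "undefined") return null; // no DOM here
  const observer = new MutationObserver(() => {
    const changed = diffSnapshot(saved, elements);
    if (changed.length) { observer.disconnect(); onTamper(changed); }
  });
  const opts = { subtree: true, childList: true, characterData: true, attributes: true };
  for (const el of elements) observer.observe(el, opts);
  return observer;
}

// Constructed stand-in for DOM nodes so the comparison runs outside a browser.
function fakeNode(tag, text, attrs = {}) {
  const attributes = Object.entries(attrs).map(([name, value]) => ({ name, value }));
  return { tagName: tag, textContent: text, attributes };
}

// Constructed scenario: the balance text is edited after the snapshot is taken.
function demo() {
  const balance = fakeNode("SPAN", "$1,240.55", { id: "balance" });
  const saved = snapshot([balance]);
  balance.textContent = "$51,240.55";
  return diffSnapshot(saved, [balance]); // → [0]
}
```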