Phishing by any other name...

July 12, 2010 in Internet

If you visit The Huffington Post using Google Chrome, you'll see this alert bar appear at the top of your screen:

It looks just like a standard Chrome alert, sharing the same coloring, fonts and icons as the browser's notification bar. But it isn't. It's generated by a piece of code on and is just a <div> like any other on the site. There are only a couple of clues to its true nature: unlike a true Chrome alert, it won't stay at the top of the page when you scroll (surprising, since that's an easy CSS property to set) and the text of the alert can be highlighted. Finally, most blatantly, the ruse is revealed by right-clicking the alert and choosing "Inspect Element" from Chrome's menu.
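The clues described above can be turned into an automated check. The following is an added example, not code from the original post or from any site it mentions; the function names `assessBar` and `scanPage`, the size thresholds and the keyword list are all assumptions chosen for illustration.

```javascript
// Added example. Thresholds and keywords are assumptions, not values from the post.
const CTA_WORDS = /\b(install|download|add to chrome|extension|update)\b/i;

// Pure classifier over a plain descriptor, so it can be tested without a browser.
// d: { top, width, height, position, userSelect, text, hasLink }
function assessBar(d, viewportWidth) {
  const tells = [];
  const isTopStrip = d.top <= 5 && d.width >= 0.9 * viewportWidth &&
                     d.height >= 20 && d.height <= 60;
  const hasCta = d.hasLink && CTA_WORDS.test(d.text);
  // The two tells the post mentions; informative only, since a page can hide both.
  if (d.position !== "fixed" && d.position !== "sticky") tells.push("scrolls with the page");
  if (d.userSelect !== "none") tells.push("text is selectable");
  // Anything reachable through the DOM is page content, never browser UI,
  // so bar-like geometry plus a call to action is enough to flag it.
  return { suspicious: isTopStrip && hasCta, tells };
}

// Browser-side collector (only usable where `document` exists, e.g. a content script).
function scanPage() {
  const vw = document.documentElement.clientWidth;
  return [...document.querySelectorAll("body *")].map((el) => {
    const r = el.getBoundingClientRect();
    const cs = getComputedStyle(el);
    // Fixed elements are already viewport-relative; others need the scroll offset.
    const top = cs.position === "fixed" ? r.top : r.top + window.scrollY;
    const d = { top, width: r.width, height: r.height,
                position: cs.position, userSelect: cs.userSelect,
                text: el.textContent || "", hasLink: !!el.querySelector("a, button") };
    return { el, ...assessBar(d, vw) };
  }).filter((x) => x.suspicious);
}

// Constructed sample descriptors (not measurements of any real site).
const fakeBar = { top: 0, width: 1280, height: 34, position: "static", userSelect: "auto",
                  text: "Install the news extension for Chrome", hasLink: true };
const hardenedFake = { ...fakeBar, position: "fixed", userSelect: "none" };
const siteHeader = { top: 0, width: 1280, height: 120, position: "static", userSelect: "auto",
                     text: "Home Politics Business", hasLink: true };
```

The scroll and text-selection tells are reported separately because a page can suppress both with CSS; the flag itself rests only on the element being in the DOM and looking like a notification strip.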

I think this is pretty awful and irresponsible. We live in a time where online fraud and phishing are rampant -- malicious attacks in which a site passes itself off as a different, trusted site in order to fool the user into taking some action. It's a terrible practice that ensnares millions of people. Usually, such fraud is perpetrated by hackers trying to trick their victims into downloading malware or revealing confidential information. The victim is led to believe that the software they are downloading or form they are filling out is from a site they trust.

And that brings us to The Huffington Post, which is trying to cajole its readers into downloading software by making it look like the download link was generated by their trusted Google browsers! When I first saw the alert, I wondered if Google and The Huffington Post had entered into some sort of partnership, but they haven't (although the extension in question is a "featured extension" on the true Chrome extension site). Then I wondered if the alert bar was being generated by some suspect third party, but quickly determined it originated from The Huffington Post itself.

I think it's insane that this idea was implemented. The only good news here is that the software in question is not malicious. But the means by which it is being advertised is fraudulent. The Huffington Post is completely misrepresenting Google and their browser by stealing its look and feel for the purpose of harvesting clicks. At the very least, borrowing the look and feel of another application or site is an infringement of intellectual property. I'm stunned by the lack of commentary on it -- either people don't realize, don't care or - most likely - haven't equated this version of phishing with its more dangerous analogues.

And HP isn't the only one -- the well-known site DownloadSquad was fooled by a similar scam at The Independent.

I see no difference between an email spoofing my bank and a web site spoofing my browser. I rely on both to provide me with information that I can rely on, and any attempt to hijack that trust is contemptible. The decision to spoof my browser bar should have been accompanied by a highly-visible disclaimer that the message did not originate from Google or, preferably, been scrapped altogether.
