Outsmarting social engineering threats with SmartScreen

I wanted to talk about a new user safety feature we just introduced in Wave 4:

SmartScreen for URLs

This safety feature is another step Windows Live is taking to protect you from socially engineered attacks and account abuse. This abuse is an industry-wide problem, and we've seen a significant uptick in these types of attacks within the context of social networks over the past couple of years (details in Microsoft SIR V8, p. 119). Scams targeting social networks now account for over half of the phishing attacks that the SmartScreen filter blocks in Internet Explorer 8. This trend makes sense: internet users are particularly vulnerable within their social networks because messages appear to come from their friends and contacts, so an implicit trust boundary is being exploited. With Windows Live's deep social connectivity and increased social feed integration in Wave 4, we felt it essential to introduce a new protection mechanism for URLs posted in the Live network.

We’ve been working on this problem for a while. The SmartScreen team has worked with several large social networking partners over the past couple years to combat this abuse and has seen success with both our browser filter and simple features within the social network that help users regain context in the midst of a scam. These features disrupt the social engineering attempt.

With these successes in mind, we’re happy to announce the use of SmartScreen on the new Messenger and Windows Live websites, such as profile and photos. When you click a link on one of these sites, the web request is first examined by our SmartScreen service. The service checks the reputation of the link prior to navigation with three potential outcomes:

1. Direct Navigation (Redirection)

If the website has a positive reputation (e.g., it has high traffic and no history of hosting phishing scams or malware), the user is navigated directly to the destination website. This is the case most of the time: you go directly to the website you chose, with no interruption from SmartScreen at all.

2. Block

If the link points to a known bad website (for example, one that hosts malware or a phishing scam), the redirection server navigates the user to a red block page.

Unsafe website - blocked

3. Informational

If the website has very low traffic or has had a history of abuse, you’ll be taken to an informational interstitial page. This page helps establish context and lets you decide how to proceed.

Informational interstitial
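To make the three outcomes concrete, here is a small model of the decision the redirection server makes. This is an added example, not Microsoft's code, and it assumes things the post does not state: that reputation is keyed on the link's host, that "positive reputation" means traffic above some threshold with no abuse history, and that the block and informational pages are served from a hypothetical redirector host (`redirector.example`). The reputation records are constructed sample data. Hosts the service has never seen have no traffic history, so they land on the informational page rather than being trusted by default.

```python
"""Added example: a minimal model of SmartScreen's three-outcome URL check.

Assumptions (not from the original post): reputation is looked up by host,
"high traffic" is an arbitrary visit threshold, and the interstitial pages
live on a hypothetical redirector host.
"""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit, urlencode


class Outcome(Enum):
    REDIRECT = "direct navigation"
    BLOCK = "block"
    INFORMATIONAL = "informational"


@dataclass(frozen=True)
class Reputation:
    daily_visits: int     # traffic signal
    abuse_history: bool   # has hosted phishing or malware in the past
    known_bad: bool       # currently hosts phishing or malware


# Constructed sample reputation data, keyed by host (not real measurements).
REPUTATION_DB = {
    "example.com":         Reputation(daily_visits=5_000_000, abuse_history=False, known_bad=False),
    "phish.example.net":   Reputation(daily_visits=40,        abuse_history=True,  known_bad=True),
    "newblog.example.org": Reputation(daily_visits=12,        abuse_history=False, known_bad=False),
    "cleaned-up.example":  Reputation(daily_visits=900_000,   abuse_history=True,  known_bad=False),
}

UNKNOWN = Reputation(daily_visits=0, abuse_history=False, known_bad=False)
HIGH_TRAFFIC = 100_000                      # assumed threshold for "high traffic"
REDIRECTOR = "https://redirector.example/"  # hypothetical interstitial host


def normalize_host(url: str) -> str:
    """Lower-case the host so lookups are stable; reject non-web schemes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    return parts.hostname.lower()


def classify(url: str) -> Outcome:
    """Apply the three rules from the post, most severe first."""
    rep = REPUTATION_DB.get(normalize_host(url), UNKNOWN)
    if rep.known_bad:
        return Outcome.BLOCK
    if rep.daily_visits >= HIGH_TRAFFIC and not rep.abuse_history:
        return Outcome.REDIRECT
    # Very low traffic, a cleaned-up abuse history, or never seen before.
    return Outcome.INFORMATIONAL


def route(url: str) -> str:
    """Return the location the redirection server sends the browser to."""
    outcome = classify(url)
    if outcome is Outcome.REDIRECT:
        return url
    page = "blocked" if outcome is Outcome.BLOCK else "info"
    # The real destination rides along so the interstitial can show the user
    # where the link actually goes, which is the "context" the post mentions.
    return f"{REDIRECTOR}{page}?{urlencode({'target': url})}"


if __name__ == "__main__":
    for link in ("https://example.com/photos", "http://phish.example.net/login",
                 "https://newblog.example.org/", "https://never-seen.example/"):
        print(f"{classify(link).value:18} {link} -> {route(link)}")
```

Ordering matters: the block rule is checked before the traffic rule so that a high-traffic site that is currently serving malware is still blocked, and a site with a past incident is demoted to the informational page even once it is clean again.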

How do these attacks work?

Attackers can breach social networks by compromising a user's account and subsequently preying on their friends/contacts or by directly tricking users into accepting them into their social circle. A common attack from a compromised friend's account might say:

"Hey, check out my new video http://somesite"

When you click the link, you might get a fake login page that looks just like your regular login page, or a site that looks like a video player but requires a download (which is malware).

This is a common example, but if you live on the internet and use social networking sites regularly, you'll probably face many variants of these types of attacks. For the typical user, these attacks are very difficult to discern from a normal interaction with their friends and contacts: we click on links all the time, we log in often, and we download files regularly. Leveraging these common behaviors as elements of an attack is social engineering at work. We understand that some users are able to recognize the characteristics of an attack scenario before falling prey, but for the majority of internet users, these subtle and technical cues are impossible to distinguish from their everyday activity. This is why social network providers, communication software providers, browser makers, and other software providers must put multiple levels of safety in place to keep their users informed and safe.

Given our past experience in the space, we’re convinced that this feature will help protect you from socially engineered attacks and give us a new tool in the fight to keep you safe online. As with all safety mechanisms, this feature is a learning system, and we’re actively studying the data to continue to improve both the experience and the intelligence.

John Scarrow
General Manager – Safety Services

7 Comments
  • Adam C

    I'm gonna go ahead and say that it's a terrible idea to leave out a function where you can turn this off completely. There's a website I go to in which my friend and I share pictures, which has a mechanism in place to stop hotlinking, so going through the informational page results in the images not loading. This results in me having to go through the whole copy/paste routine.

    This is happening to me through the Windows Live Messenger Beta and it has ruined the seamless experience of sharing links. I understand there are people who would like this, so only an option to turn it off completely would be appreciated for users like myself (who have a good idea what links should or should not be clicked).

  • This feature needs an opt-out. The idea is nice if it will really cut down on phishing for account details and malware distribution; time will tell. But all links you click being forced through a third-party service is not a good thing for privacy on the web in general. What keeps you from injecting all pages we click with an advertisement frame?

    All modern browsers already have a form of malware protection which doesn't require the user to hand over all URLs he/she visits. Why don't you rely on this?

  • Van

    It's a great idea, but every.single.link. I click goes through the "are you sure?" screen. There needs to be a way to 100% disable it.

  • I like this. I use Messenger to keep in touch with my father. He is 57 years old and will greatly benefit from this protection. He uses Google to go to websites most of the time, even if he knows the website name. He doesn't even understand the difference between FTP and HTTP; he has no idea which link is a good link and which is not a good link. When he gets a message via Messenger, he is very likely to click on the link. The warning page will be very helpful; it should stop him from going to unwanted sites.

    If you allow him to stop the warning page from showing, then the whole point is lost. Only advanced users should be able to turn off this feature.

  • I'm with Rafael on this one.

    For the record, IE8 is my main browser, and I leave SmartScreen on all the time. However, I don't like how you do this in Wave 4. To be specific, I'll go ahead and say that I hate the "3. Informational" screen so much that I decided I have to post my opinion. I know you may have a good intention. However, please make an option to turn it off. I myself can't stand it, and I believe a lot more people will say the same thing. A checkbox or a registry key or whatever. Do not hardcode it, please. That screen is very, very annoying to me.

  • John,

    I'm worried about a few items.

    First, privacy. Your team may be committed to safety, but at what cost? From where I'm standing, it appears you now possess the capability to determine what sites people visit. I'm sure we'll see that marketing data sold sooner or later.

    What do these GET parameters provide, in terms of PII? When will we get an updated privacy policy to reflect SmartScreen changes?

    Second, I can't turn the thing off. I don't want you checking my links because I've determined I'm savvy enough to do this on my own. Worse, I don't need the extra hoop jump. I want to opt-out but can't. Thanks for that.

  • Great news, John. Well written and presented. IE8 may live another day! Positive reports such as this may well keep our user base informed.