A $152,000 Cryptocurrency Theft Just Exploited A Huge 'Blind Spot' In Internet Security

Discussion in 'other security issues & news' started by Minimalist, Apr 24, 2018.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.forbes.com/sites/thomas...ted-a-massive-blind-spot-in-internet-security
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Seems like the only way to protect against this is by anti-phishing tools; I don't know if AVs are focused on this. So as soon as you try to log in to a malicious site, the AV will block it.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    The problem with this approach is that it's a blacklist solution and will never have all phishing sites included in its list.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, it should be the other way around. A security tool must only allow logins to trusted sites; there must be some kind of method to verify them. So with this approach you don't have to rely on blacklisting. But I'm not sure how it would work on a technical level. I do know that Trusteer offers such a feature:

    http://www.trusteer.com/en/glossary/phishing
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    There is a better way: use a separate browser for security-critical sites and firewall it to allow only the IP addresses of those sites, so poisoned DNS lookups that try to direct the browser to a fake site will fail.
    Or, if your browser allows it, make bookmarks like this:

    Wilders Security Forums
    https://45.33.17.126:443

    That also prevents poisoned DNS lookups because the browser is already directed to the correct site IP address by the bookmark.
    You could even do both the firewall and IP address bookmarks for belt-and-braces security.
    What sucks is these tech article writers write about DNS based attacks but never advise those simple mitigations that ought to be standard practice.
    I've been doing that for years.
    (Browser may warn that URL doesn't match the site name on its certificate. That is only because the address in the bookmark is an ip address and not the site's regular URL)
     
    Last edited: Apr 26, 2018
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    There is 2FA and similar which can be used for additional protection, but I don't expect my AV to prevent phishing attacks using a whitelist approach. It would work only for well-known sites; for others it would fail.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I forgot about 2FA; I suppose it would have blocked it. And the way whitelisting works is that you make a list of sites that should be closely monitored, but I'm not sure how AVs make sure that you're not on a fake site.

    Would this be enough? Isn't the browser tricked into thinking that it's the right IP address? But anyway, the article mentions that DNSSEC and HTTP Strict Transport Security would most likely have helped to block this attack.
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    No, the browser just asks the DNS server, "What is the IP address for website.com?"
    The DNS server, if compromised, tells it the wrong IP address.
    If you do what I suggested with the firewall the browser will not connect to that wrong ip address because it can't.
    If you do what I suggested by using the correct ip address in the address bar, in a bookmark, the DNS lookup should be rendered irrelevant.
    I say should be because I wouldn't put it past the internet powers that be to subvert that in some way.
    You can learn a lot about them just by looking at what they don't say.
    If you listen to their rhetoric you might think the text URL is the be-all and end-all of web connections. They never advise using the far more secure way of connecting to a website directly by its IP address.
    That is probably because DNS requests are a method of tracking the sites you visit.
    Using the ip address should work with DNS disabled in network settings.
     
    Last edited: Apr 28, 2018
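The idea in posts 5 and 8 above (only letting a browser reach the addresses you already know a critical site uses, so a poisoned or hijacked lookup fails) can also be turned into a check that alerts when a resolver hands back an address outside a pinned range. The script below is an added example written for this thread, not something from the article or from any poster; the domains and address ranges are constructed placeholders, and `audit_live` is a hypothetical helper that needs network access.

```python
"""Flag DNS answers for pinned domains that fall outside known ranges.
Constructed example; domains and ranges are placeholders, not real pins."""
import ipaddress
import socket
from typing import Dict, Iterable, List, Set

# Hypothetical allow-list: the address ranges each critical site is
# known to use. Populate it from records you already trust (operator
# documentation, a previous verified connection), never from the same
# DNS lookup you are trying to check.
PINNED_RANGES: Dict[str, Set[str]] = {
    "wallet.example": {"203.0.113.0/24"},
    "bank.example": {"198.51.100.10/32", "198.51.100.11/32"},
}


def audit_answers(domain: str, answers: Iterable[str],
                  pinned: Dict[str, Set[str]] = PINNED_RANGES) -> List[str]:
    """Return one alert per answer that is not inside a pinned range.

    A domain with no pins yields no alerts: this is an allow-list for the
    sites the user chose to protect, not a verdict on every lookup.
    """
    nets = [ipaddress.ip_network(n) for n in pinned.get(domain, ())]
    if not nets:
        return []
    alerts: List[str] = []
    for raw in answers:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            alerts.append(f"{domain}: unparsable answer {raw!r}")
            continue
        if not any(addr in net for net in nets):
            alerts.append(f"{domain}: answer {addr} outside pinned ranges")
    return alerts


def audit_live(domain: str) -> List[str]:
    """Resolve with the system resolver, then audit (needs network)."""
    _, _, addrs = socket.gethostbyname_ex(domain)
    return audit_answers(domain, addrs)


if __name__ == "__main__":
    # Constructed answers: one clean, one resembling a poisoned lookup.
    print(audit_answers("wallet.example", ["203.0.113.7"]))
    print(audit_answers("wallet.example", ["203.0.113.7", "192.0.2.99"]))
```

An alert only says the answer disagrees with what you pinned; sites that legitimately move between address ranges (CDNs, cloud front ends) will need their pins refreshed from a trusted source, which is the same maintenance burden the IP-bookmark approach carries.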