Google’s new look for mobile search results will likely attract people to phishing scams
23rd May 2019
Today Google unveiled a visual refresh of the mobile search results page to “better guide you through the information available on the web” by displaying a favicon inside the search result. You can read more about it on TechCrunch here.
Threat actors today, more than ever, use free, automatically issued DV certificates to trick users into trusting their counterfeit website. Everyone has been trained to look for the browser padlock when seeking trust-related information for a site. 90% of all new phishing sites display a padlock, while 43% of malware sites display the lock. So what used to be a reliable trust indicator has turned into a honeytrap for fraud, data breaches and other forms of harm.
Threat actors will do everything they can to trick people into trusting their phishing scams, especially if it’s free and easy.
I’m calling it
I predict that we will soon see phishing scams use the favicon inside search results to draw people’s attention to their website, instead of the real one — big companies aren’t likely to adopt this new feature anytime soon, so there’s time for the bad guys to move in.
I have 15 years’ experience with visual indicators inside browsers and search engines, as well as the human reaction to them. My R&D started in 2004 when I co-instigated the creation of the W3C Standard for URL Classification & Content Labeling. Below is a browser add-on that my first company built in 2006 — formally endorsed by the W3C as one of the best implementations of the Semantic Web.
And at MetaCert, we provide the new Green Shield of trust so you always know which links are safe to open, and which websites and other internet addresses you can trust.
It’s my opinion that people generally feel safer when they see some kind of visual indicator. You could put an icon of a teddy bear on the footer of your website and some people will feel it represents trust of some kind. Imagine the Dropbox favicon being used by a phishing scam inside Google search results — of course many people will immediately assume that’s the legit one. And then when they see the free SSL cert displaying the browser padlock? Gotta be real. 🤦‍♂️
The clock starts now… ⏳
Personally, I’d love to see Google stop playing around with other people’s content and just show search results. If they’d like to add true value, how about providing more information that’s meaningful — here are some examples: Which sites are child safe? Which sites use encryption? Which sites comply with privacy best practices? Which sites provide free content? Which sites have had their identity verified?
Google’s new look for mobile search results will likely attract people to phishing scams was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.