steemit / condenser

The greatest application front-end to the Steem Blockchain.
https://steemit.com

Prevent phishing using images as text by clearly identifying images in comments #3017

Open VIM-Arcange opened 5 years ago

VIM-Arcange commented 5 years ago

Many phishing attempts are using images as text to dupe users.

One recent example is described in this post: https://steemit.com/steemit/@arcange/phishing-attempts-are-running-and-use-fake-comments-with-images

To avoid this, steemit.com could highlight images when users hover over them or add an easily identifiable sign that the "text" is actually an image.

pkattera commented 5 years ago

This is a challenging problem. We want to protect people from phishing attempts without detracting from the overall user experience for the majority of users.

Check out Option 1 below. We could place a light border with a box-shadow on every single image displayed within comments. We need to have a state like this before the hover interaction, because a lot of our users will be on mobile devices without hover states. On hover, we can darken the shadow to make it even more obvious.

[image: comments-phishing]

If Option 1 is too subtle, we could actually place an image icon above every single image as per Option 2. But first, let's try Option 1.

TimCliff commented 5 years ago

What about a pop up warning anytime someone is leaving the site? They can seem a little intrusive, but they should prevent anyone from unknowingly clicking on a link that takes them to an external site.

syvb commented 5 years ago

I think @TimCliff's idea could work, if there was a whitelist of known, non-phishing domains.

gryter commented 5 years ago

The popup warning would be best, coupled with a hover-over border. The border would just be simple CSS (let's say a green border). It should be as easy to understand as possible for non-tech-savvy users.

pkattera commented 5 years ago

I'm reluctant to use a pop-up warning any time a user clicks on a link to an external site. A better solution may be to combine a Steemit specific blacklist with a service like Google's Safe Browsing. This would allow us to block or trigger a pop-up warning when a link goes to known phishing / malware sites.

syvb commented 5 years ago

The problem with that is that many phishing attacks use URL shorteners like Bitly, which would seem to be a safe URL at first.
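Putting together the leave-site warning, the whitelist, the blacklist and the URL-shortener caveat discussed above, here is an added example (not condenser's own code) of a link-classification function a front-end could run before following a link from a comment. The site host, the list contents and the verdict names are assumptions for illustration.

```javascript
// Added example, not condenser code. Decide what the UI should do when a user
// clicks a link inside a comment: follow silently, show a leave-site warning,
// or refuse. All hosts below are constructed sample values, not real lists.
const SITE_HOST = "steemit.com";                               // the site itself
const ALLOWLIST = new Set(["steem.io", "github.com"]);         // hypothetical known-good hosts
const BLOCKLIST = new Set(["steemit-login.example"]);          // hypothetical reported phishing host
const SHORTENERS = new Set(["bit.ly", "t.co", "tinyurl.com"]); // hide the real destination

function hostMatches(host, set) {
  // True if the host or any of its parent domains is in the set
  // (sub.example.com matches an entry "example.com"); never matches a bare TLD.
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (set.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

function classifyLink(href, base = `https://${SITE_HOST}/`) {
  let url;
  try {
    url = new URL(href, base); // relative links resolve against the site itself
  } catch {
    return "invalid";
  }
  // Only web schemes may be followed; javascript:, data: and the like are refused.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "blocked";
  const host = url.hostname.toLowerCase();
  // Suffix matching means "steemit.com.evil.example" is NOT treated as internal.
  if (hostMatches(host, new Set([SITE_HOST]))) return "internal"; // stays on site: no warning
  if (hostMatches(host, BLOCKLIST)) return "blocked";             // known phishing: refuse
  if (hostMatches(host, SHORTENERS)) return "warn-shortener";     // destination unknown: strong warning
  if (hostMatches(host, ALLOWLIST)) return "allowed";             // trusted external: no warning
  return "warn-external";                                         // anything else: leave-site warning
}
```

A real deployment would back the block and allow lists with a service such as Google Safe Browsing, as suggested above, rather than static sets.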

VIM-Arcange commented 5 years ago

Having a box shadow on every image (without hover) could break the good looking appearance of some posts.

Many users make appropriate use of images to highlight their articles. I am thinking in particular of images with a transparent background.

One (imperfect) solution would be to display the shadow on mobile devices only.

quochuy commented 5 years ago

@VIM-Arcange @roadscape What is the agreed method here? Do a hybrid, i.e. box shadow on hover for desktop and box shadow all the time for mobile?

quochuy commented 5 years ago

Also here are some blacklists:

quochuy commented 5 years ago

Fix proposal in PR https://github.com/steemit/condenser/pull/3421