237 comments

[ 4.0 ms ] story [ 257 ms ] thread
Wow, didn't even think it was possible to do this.
Interesting. iOS Safari seems to force the address bar to stay visible on this page.
Firefox for android keeps the bar there too.
Just to be clear, you're referring to real Firefox address bar (pointing to TFA), not the fake Chrome address bar (pointing to hsbc.com). So yes, in this case Firefox has (accidentally?) somewhat thwarted this attack vector.
It certainly looks accidental. It hides on scroll on other pages but this one causes it to half hide and then it pops back up again.
I noticed this as well. I'm wondering if FF is smart enough to always show it's own title bar if a CSS element is pinned to the top of the viewport? Gotta do more testing ...
Interesting! So it does. However Firefox does hide the URL bar on other pages! I'll try to figure out what the logic is in Firefox, and whether there's an equivalent trick to hide the URL bar ...
That is a setting you can enable or disable. I think default is to always show title bar.
Opera mobile also keeps it.
Also the scrolling feels "weird". Kinda like when you're on an amp page (although I think they fixed that now).
That’s because the site messes with the scrolling in an attempt to prevent the top chrome to not come back, which unfortunately (or fortunately?) doesn’t do anything because Safari refuses to hide it.
(comment deleted)
Yeah, the scrolling is so janky on the page, I thought my iPad wasn’t properly responding to multitouch input for a moment... Then I opened the HN discussion and smooth, buttery scrolling (tm) was back. Lesson: don’t hijack scrolling behavior, it’s awful. (Very smart hack though.)
> With a little more effort, the page could detect which browser it’s in, and forge an inception bar for that browser.

It’s just a proof of concept, focusing on one browser in one operating system. It would be interesting to see how well this could be done on iOS. The real host name is always shown at the top of the page, so it’s not going to be perfect.

> so it’s not going to be perfect.

doens't have to be perfect - just good enough to fool some people.

Safari doesn’t hide the url bar when you employ the “scroll jail” technique he described. It also doesn’t feel right scrolling because he omitted the css property for inertial scrolling in his “scroll jail.”
For me, it did hide at landscape hold..
Cool - this attack is perhaps worse! Fullscreen should require a more explicit permission dialog, like webcam access, web push notifications, etc.
At least on my computer there is a permission dialog for the fullscreen API. However, if document scripting is disabled (which is what I have by default anyways) then the link does not do those stuff. (I also use an unusual window layout, so if someone tries to spoof the window layout, it is likely that I can easily see the problem immediately anyways.)
Relax, he was just joking.
FWIW, opening that link in mobile Safari shows a large “X” in the top left of the screen and trying to scroll sets of the “it looks like you’re typing in fullscreeen” warning.
Mobile Safari? On which iOS version?

On mine (latest on iPhone 7 at the time of this writing) the site just says my browser doesn’t support the full screen API.

MobileSafari on my iPad running iOS 12.3 (16F5139e).
There is previous work on the matter: A fake Firefox XUL browser if I recall correctly (UI readdressing).

This attack is for sure nice and effective!

Everything looks correct on chrome mobile. I don't ever see the HSBC bar, regardless of how I scroll.
After switching back to chrome, I could see the bar, but the scroll jail didn't work, so scrolling up showed the original page bar.
The number of opened pages is not, especially if it is :D
Not using Chrome, and not having a padlock in the URL bar, and disabling non-ASCII URLs, fixes many of this problem.

Another possibility would be to display a "collapsed" address bar, so that you can see that it is not the actual bar, but rather is another one.

Mobile safari does the collapsed address bar.
IMO, the collapsed address bar is the most pragmatic fix to this issue. (The other fixes are options that users would have to opt in to, rather than being fixed at the source - i.e. Chrome.)
The scroll jail didnt work for my firefox for android latest stable.
The article indicates it's not supposed to. It's a quick and dirty proof of concept, working in one environment (Android/Chrome), with a screenshotted fake header. Just enough to prove the point.
Doesn't seem to work with Firefox on Android but a nifty little trick for sure!
This sort of works on chrome Android, but the critical overflow:hidden trick does not prevent chrome from restoring the real address bar.
I'm surprised that nobody included "clicking on the url bar in order to modify it" as a mitigation.
In principle, it's not a mitigation - I was just too lazy to forge an interactive URL bar! You could make one which acts just like the Chrome URL bar, but e.g. acts as a MITM.
At first I though you wouldn't be able to stay "in the middle" because you'd have to redirect to the typed address. You can't AJAX it in, because of CORS.

But you could go to your own host and have your server sit in the middle. The user wouldn't be logged in, since cookies wouldn't be sent. But maybe they would login through your proxy.

You can simulate that though since it's an html element being rendered with css.
Using Firefox for android: if I open the page and scroll down, the address bar becomes invisible and the hsbc bar shows up. If I keep scrolling down, I just see hsbc. The moment I scroll up, the original address bar is shown, and even if I keep scrolling down, the bar does not disappear.

Edit: it's happening kind of randomly. 1 time it happens, 3 times it doesn't...

(comment deleted)
Using Firefox Beta for Android v67.0b9, I see the hbsc address bar as a second address bar below the real one. It remains in place as I scroll, although a couple of times it disappeared.

Also this version wouldn't fool me because it says I have 26 tabs open. I'm used to the infinity symbol there!

I am using Firefox 66.0.2. (how could I forget to mention that!).
Using Firefox 66.0.2 on Android as well. Pretty much the same behavior here, except that it does not look random at all:

  - at the top of the page, if I scroll, the address bar disappears;
  - as soon as the fake HSBC bar appears, the real address bar comes back;
  - both of them remain here until I reload the page.
It looks like if the use of CSS position: fixed forced the Firefox address bar to be visible. Which given the context looks like a really good thing!
If Firefox doesn't trust elements with position: fixed, one could use position: absolute or even position: static (the default value) instead and move element when scrolling.
I use a persistent navigation bar on Firefox for Android: set 'browser.chrome.dynamictoolbar' to 'false'.

I also disable the fullscreen API: set 'full-screen-api.enabled' to 'false'.

To me it just flickered first, then it stayed visible permanently
Poor Android users .. no blue bubbles and now this!
Security vulnerabilities are discovered across all platforms. Just recently did we find an eavesdropping vulnerability in iOS[0] that certainly qualifies as far more severe. Given how security issues can pop up for any platform, I don't think calling one group of users "poor" is prudent, or a nice thing to do.

[0]: https://www.forbes.com/sites/daveywinder/2019/01/29/apple-co...

I guess this risk could be mitigated if the browser had recognition code running in the background for if the top of the screen was mimicking the search bar. I'm not fond of the idea that we put restrictions of fullscreen mode where it requires user approval when scrolling down or something of that sort.
Doesn’t scale well to small mobile devices (eg iPhone SE)
"Make sure you’ve done a hard refresh of the page"

An inception bar could include a fake refresh button, no?

Could, but chrome mobile doesn't have one at the top level... Guess it could fake the whole menu too
This is why I think removing the physical (as in, below the screen --- whether they're capacitive or actual pushbuttons isn't the point here) buttons from Android devices is a horrible idea; a webpage can mess around with what's on the screen, but it can't stop the user pressing the physical menu button and choosing Refresh from there.
Soft buttons can't be covered by a normal web page either, though.
By "hard refresh" I took that to mean using the keyboard to forcibly reload the page and all assets, e.g. CTRL-F5 on Windows. Of course, the average user probably doesn't use keyboard commands, or even know this one exists.
Your phone has a keyboard?
Hah, yeah, that was a silly thing to say :)
Thanks, and yes! I was originally thinking "pull-to-refresh", but since your comment, I've enhanced the phishing with another trick: a large buffer at the top of the scroll jail, which prevents the user from reaching the top, and thus prevents the user from using "pull-to-refresh". Now, the only way I know to reliably get out of the page is to move to another app, then back to Chrome - this seems to cause it to re-display the true URL bar.
You can scroll down from the inception bar to display the browser bar again
I happened to have 26 tabs while loading this, and spent a minute trying to figure out how the fake bar "knew" my open tab count
... so how does it?

Edit: saw in another comment that it's hardcoded, so it was coincidence. That makes sense.

In Chrome beta 74, the count is in the bottom toolbar, so a variant of this attack that were UA-aware might have an even easier time. (The padlock is no longer green, either, and the leading https:// is omitted.)

On the other hand, scrolling to the very top of the page reveals the original address bar.

A possible mitigation would be to use a custom background or gradient for the bar that a web page can't guess. I'd be tempted to suggest the Google account's picture (if Chrome is logged in), but I don't know how safe that is from cross-site shenanigans.

"Ceci n'est pas un UI."

This specific example may be new, but the concept of fooling users with websites containing images of the system's own UI is not new --- for example, all the fake antivirus alert boxes. That had a relatively easy mitigation --- using non-default appearance on your system (e.g. an XP-style "you have a virus!" dialog box image would just look silly if you weren't using XP with the default theme), but it seems the trend toward un-customisability is just going to lead to this being even more easy to exploit.

Of course, mobile browsers hiding important information and being even more un-customisable makes this worse.

Well, even I, as the creator of the inception bar, found myself accidentally using it!

When reading a product's documentation that has screenshots explaining how to do something, I've also accidentally tried to manipulate them instead of the actual dialogs. I'm sure others here have had similar experiences too.

I have an unquantified theory that the number of users that can distinguish between a Windows 7/8/10 dialog box that is presented directly by the operating system, versus as an image inside a browser coming from external http/https server, is diminishing greatly every year.
Except all the colorblind people who have altered their system defaults enough that anything internal to the browser will look very out of place.
Having the entire web be unaccessible is a somewhat poor compromise, though…
Or Linux users.
Which have a lower overall usage of the proprietary chrome browser, as well.

Firefox is the pre-install default for most distros, and only Chromium is provided in default repos.

They're also significantly more likely to use some form of ad and JS blocking.

So until the appearance changes based on the UA and system theme (and maybe can read bookmarks and plugins), this trick mostly affects mobile Chrome users.

Last time I was in Davis CA, someone was trying to get me to sign up to their charity. They had an iPad, and were adamant that the padlock on the screen proved it was secure.

I couldn’t convince them that it was just a picture, and that I could fake it if I wanted to.

In high school we would screenshot the windows 98 desktop, make it the wallpaper, hide everything, and watch people fluster about.
In office, adding screenshot visual studio startup splash screen to the wallpaper and watch the dev. Best moment is when they see visual studio being first thing to start after system reboot.
ha I did a similar thing too. Except it was fake error messagebox and on Windows 3.1 (or might have even been 3.0?)

It worked quite effectively on 3.x because you could just minimize progman.exe

We did similar with the dos prompt, which must have been about 1991.
That's the era as me (Windows 3.0 was released in 1990, 3.1 a couple of years later). I'm surprised your school let you have unfettered access to the DOS prompt - that would have gotten abused within minutes at our school. Even the BBC BASIC interpreter ended up getting removed from the network because people like myself would abuse the PC Speaker (which, to be honest, was the last the mischief I'd cause).

Frankly though, I preferred the actual BBC Micros and Amiga's that those IBMs were meant to replace.

As popularized in "webdude vs. sales guy"
"You can't arrange by penis."
Older school even -- instead of logging out of (real hardware) terminal sessions, exec a program which prints `login: ` and disables keyboard interrupts.

Read peoples creds and store somewhere, then issue a 'wrong password' msg and exit, resulting in the real login message.

People will just assume they made a typo and continue as if nothing happened.

I've argued before for a genuine out-of-band independent display on machines which can only be written to by some very high privilege process.

That's why Windows can be set to require Ctrl+Alt+Del before login as it can't be intercepted by a fake login screen.
Similarly, the iPhone X requires double-pressing the power button to complete a purchase using Face ID. Previously, with Touch ID, the authentication action itself was also sufficient to establish intent (placing the finger on the sensor). But with Face ID, any app could just pop up the purchase window and Face ID would see your face.

Incidentally, this is why Face ID is strictly worse than Touch ID in my opinion.

Maybe is up to implementation? I've got an X and the intent to pay pops up the native pay modal, which still requires you to double press the power button AND to be authenticated. So what you say never really happens.
how is it worse? touch id’s serving as authentication and approval for payment was actually exploited as a scam. I don’t see how this could be done with face id.

https://www.wired.com/story/iphone-touch-id-scam-apps/

That’s fair. I never encountered anything like that. In my experience Touch ID was faster, more reliable, and more versatile (e.g. able to be activated with the phone lying on a table without peering over it with my face).
I happen to be in a situation where I have a phone with Face ID and one with Touch ID.

Touch ID with wet or slightly dirty fingers are not good. I've been doing some gardening over Easter and Touch ID is barely working because my fingers are more rough than they normally are.

Face ID on the other hand, works just as expected. It doesn't work optimally if I'm lying down, but that's not a problem for me personally.

Yes, but it isn't very effective because if the computer is left with the login screen visible after Ctrl+alt+del opened in a full screen browser, users will simply proceed directly to typing their credentials. Then an endless logging in dialog could be presented, so that the user thinks it is a problem with the computer.
Hmm not if your users are trained to press Ctrl-Alt-Del again... The login screen would also allow them to order the OS to log off the current session too.
now i know why it makes me type that every time :D guess i never wondered. thanks!
We did just that with our Novell Network school computers.

Show a fake login prompt. Write down what gets entered, show wrong password and exit to real prompt.

What did you do with the passwords you captured? Sounds unethical... You'd definitely be facing criminal charges if you got caught doing this today I'd imagine.
Back in the day I made a near-perfect copy of the RM (UK school IT supplier) login page in Visual Basic 6, and had it run on computers with RunServices registry entry. Had a team of mates with custom floppy disks going around installing it on as many PCs as we could. It would log the supplied user/pw to disk, then display the "wrong password" error, then quit, then exposing the real login screen.
What did you do with the passwords you captured? Sounds unethical... You'd definitely be facing criminal charges if you got caught doing this today I'd imagine.
> Criminal charges

Heh, I don't think so. Teachers don't like to send their pupils to court for silly things. They'd just get told why not to do it again and probably get some detention and stuff.

At a uni, the consequences might be more severe.

Yeah it's not like you did anything illicit like change grades or wreak havoc on the network by mass formatting computers, unless you intentionally left out those parts ;)
As long as you do not start a thermonuclear war with Russia you should be ok.
Mine would log you in. Of course the OS (Oasis) had a way to exec the login program and feed it the password. I stole the teacher’s password and then changed it.

He busted me by booting up the system from floppy and typed in the commend to format the hard drive and waited for me to return to the lab after school. I asked him what he was doing and he said he had no choice but to reinstall from scratch because someone changed the password. He then moved to hit the Enter key.

Not wanting my fellow students to lose their projects, I confessed. I logged him in and he changed the password.

He then gave my account admin privileges. I guess I had earned them.

Interesting reaction. What was the thought process behind it? E.g. what did you use them for
I became the help desk. It seemed like an elevated status but in reality it meant I got some of the drudgery piled on to me. Password changes, adding students, disk quota increases and such.
Why would someone that could boot a system from floppy have to "format the hard drive" instead of just setting a new password?
The instructor had the only admin account and I had changed the password to his account; he was locked out.
That exists: look for 'trusted path'. It was a feature of compartmented mode workstation (CMW) operating systems like Trusted Solaris and lives on in the requirement to use Ctrl-Alt-Del to call up the Windows login prompt. In Trusted Solaris (TSOL) it was a dedicated area of the screen—along the bottom—where no user mode process was allowed to write; the OS displayed a special symbol there (sort of like the padlock in a web browser) when the user was interacting directly with the OS. Some CMW systems even implemented that functionality in hardware, electronically compositing windows from different physical frame buffers to the video display. Ctrl-Alt-Del is actually in hardware, too (or it used to be); the keyboard interface on the first IBM PC detected that specific key combination and toggled the reset line on the CPU (or maybe it was an interrupt; I forget). Every subsequent PC-compatible machine, to this day, has the same functionality built in to the hardware, on the A20 reset line. It's mostly vestigial today.
This was how I gained full sysadmin access to our college's VAX 11/780 mini computer in late 1986. This machine ran pretty much everything from accounting to exam marking. There were three terminals that the admins would logon to pretty much regularly on the "student" side of the computer room. I knocked up a script to run on these three terminals that looked exactly like the standard login and mailed me the credentials entered before displaying the standard "incorrect username/password" (and then silently logoff). The risk for me, had the IT team been a bit more up on their game, was spotting my account being logged into these three terminals for long periods of time with me no-where to be seen :)

I kept silent about this until years afterwards for fear of being chucked out of college, which to be honest would've been a good thing seeing as the course was a waste of time.

I mocked up something similar on a VAX system at school as well.
In high school I replicated the entire login UI of NT LAN manager (I think it was called) and had it save the password and then crash the machine (via c:\con\con). Asked the teacher to login for something and tada, admin password.

If you ever wondered why you have to press ctrl-alt-del to log in, that is why (nobody ever fixed this for Linux).

> If you ever wondered why you have to press ctrl-alt-del to log in, that is why (nobody ever fixed this for Linux).

Seems you're not familiar with Linux. It had SAK since forever.

I have never seen a SAK-before-login notice on any linux machine. Only one institutional setting, I suppose.
It doesn't look like the implementation is any good though. First, you have to set it up manually. I've literally never seen anyone do that. Second, it works by killing X. Not exactly elegant. But most importantly you don't have to use the SAK to log in! That's kind of the whole point of it.

It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!

> Second, it works by killing X. Not exactly elegant.

It works by killing everything on that particular terminal, no matter if it's text based or graphical. That's the whole point: whatever spawns after that is created by the init system.

> But most importantly you don't have to use the SAK to log in! That's kind of the whole point of it.

> It should be "Press ctrl-alt-delete to log in", not "By the way you can press ctrl-alt-delete if you want" because then nobody will bother!

I can guarantee you, if I were to copy the design of the login screen that shows up after you press ctrl-alt+del, 99.999% of people who don't work in IT won't bat an eye and enter their credentials straight away. It comes down to educating your users. If you don't explain your users why they have to press it before logging in, they will write it off as just random computer stuff they don't understand and only do so because they get prompted to do so. If next time around they don't, they don't care.

So it comes down to educating your users, and I could very well train them to press alt-print-k before logging in, whereas I agree that a friendly reminder on the login screen is a plus.

The company where I first worked out of university had a custom which the CEO named ‘shemaling’. The company had quite strict security standards. It was encouraged that anyone who found an unlocked screen in the office would ‘shemale’ the wallpaper. It did the job. I never forgot again after being ’shemaled’ the first time.
Charming CEO. I'm hoping this was the 90s.
Funnily enough, it was four years ago, somewhere in continental Europe. Things were a bit freer there. I didn't stay there long. I have a lot more interesting stories from that place.
Downvoting the comment does not downvote the CEO or the practice.

The idea is interesting, and it could've been puppies or some other corny wallpaper that did the trick.

My last work place did something similar, although using Justin Bieber photographs. I was Biebered a few times.
I'm not sure which is worse.
I gay porned an entire company's computers after they refused to crack down on employees watching people being murdered all day. They threatened to fire me so I explained exactly why I had done this and that I would happily explain this at length in any subsequent employment tribunal. I kept my job and the management finally told everyone to stop watching people getting killed on company time.
WTF.... Who the hell would watch murder clips at work and how would management be okay with this, let alone on company time?? Unbelievable....
My co-workers thought it hilarious to line up clips of people being run over by trains or having their throat cut, then tell unsuspecting people that they had something very important to show them. Management didn't like being bothered by people complaining about what they viewed as guys being guys. Until they got an eyeful of guys doing guys, that is.
At a previous job, we had a "pipi" mailing list (pee, in French), where people would send "I went to pee" from unlocked computers. The "victim" themselves would often be members of said mailing list. That worked quite well, so organically, the list ended up being used mainly for random jokes, news and stuff, rather than the "I went to pee" messages.
Back in the days (1990) I found amusing to edit the autoexec.bat on my first CS session and add « You have a virus... of the flu », and signed with my pseudo.

Made me and my friend laugh.

Next session the teacher ask us to sit at the same computer, and after 20mn a guy come to me and ask « Are you pseudo ? »

Turns out that the computers really had viruses and they thought it was me !

They threatened to expel me (more to frighten me I think since they had no proof), and made me the cleaning guy for all the semester.

It gave me an undeserved reputation of the guy who hacked the university computers. And a better sense of caution.

In 1990 I also edited a friend's autoexec.bat to launch a quick basic script that would falsely check the disk for viruses and then prompt the user to delete their entire hard disk. Of course pressing "n" would print "y" on the screen and then display a fake progress bar along with a warning to not interrupt the operation in order to avoid disk damage.

I definitely had too much free time at the times. :)

Prolly need some sort of ml to parse every image used on device and tag potentially dangerous ones. Wouldn’t be too expensive on devices with tensor units...

Apparently Apple already reports your offensive photos already, can’t imagine why browsing should be treated differently.

> potentially dangerous ones

How do you define this?

> Apple already reports your offensive photos already

What?

> How do you define this?

Same as every tech company do with tons of other spam types.

> What?

https://techcrunch.com/2017/10/30/no-iphones-dont-have-a-spe...

>> This analysis generally happens inside a sandbox, and very little of what the systems determine makes it outside of that sandbox. There are special exceptions, of course, for things like child pornography, for which very special classifiers have been created and which are specifically permitted to reach outside that sandbox.

Unsure what is Techcrunch's source for this but it kinda makes sense.

This is not new, antivirus software already shows reactive methods do not work.
New? I think that was around since IE6 times.

Autohide menu bars are bad designs, and you have this on top of that.

Fullscreen API must be removed from browser for security reasons, new window hints should be removed too.

(comment deleted)
Someone I know would constantly leave a macbook unlocked, so I prepared a script that would turn down the volume, whisper the owner's name, open weird sfw pictures online and other mildly annoying things, but not very often (like once a week).

This was meant as a joke, and I never actually went through with it. I know the person very well but it still felt douchebaggy. But the idea was to make an app file, save it to some seemingly legitimate folder, and adding it to the autostart list.

The trick to hide the thing was to drag and drop Safari's logo onto it, and naming the app "Safan": it almost goes unnoticed when checking the Activity Monitor, thanks to the system font's proportions.

Blurred lines aside, for posterity you could name it "Safari Auto-Update Utility" and use an app icon that has the Safari logo coupled with a cog wheel or so.
I thought of something like that, but then the user could kill it as a precaution since an auto-update utility or any other secondary application can be temporarily disabled. Killing "Safari", on the other hand, would terminate everything the user's currently doing in it.

I guess I could have named it Disk Memory Manager or some other important-sounding thing.

If everything were standard then a screen reader could confidently identify fraudulent content.
"Ceci n'est pas un UI."

Shouldn't it be "Ceci n'est pas une UI."? Since interface is a feminine word in French, the article in front of UI need to be feminine too.

Then it should probably be "une IHM", for "Interface Homme-Machine".
I didn't see it working on Chrome on my phone (chrome 73.0.3683.90, OnePlus 6)

Edit: does work with a refresh

Perhaps you have JavaScript disabled.
This is why chrome is a terrible choice - it disregards OS UI/UX choices.
(comment deleted)
I'm not doubting the concerns raised but the fake failed in many ways for me on my phone with the latest chrome. It didn't appear. Then when it did it appeared below the existing bar.

But I guess you just need it to work often enough.

It's like the fake "Allow Notification" dialogs on some sites. They look off to pretty much anyone paying attention, but their target market probably isn't people paying attention
What's the idea behind those? Do they just get permission before showing the real dialog, or is it more sinister than that?
If the user says no to the real dialog, you can never bring up the real dialog again.

Sites with fake dialogs in my experience ask again the next time you open the page.

It’s the same reason many iPhone apps implement their own dialogues to ask about allowing notifications. If the user chooses ‘Deny’ in the system-provided one, the app can never ask again and the only way to turn notifications on later is to have the user go digging around in the Settings app, which few people will bother to do.

I take great pleasure in choosing ‘Allow’ in those custom dialogues and then ‘Deny’ when the native one pops up immediately afterwards.

I would leave them alone entirely, as you can see from my comment they are actually sometimes attempts to compromise your browser.
Oh absolutely, I was referring only to native phone apps.
It can be more sinister. Although I am sure the other answers are right in some circumstances, I was curious a while ago, so I actually clicked one.

Whether you click allow or deny, it shot off a network request to a third party domain. This lets the third party know your browser's user agent, and if they have an exploit for your browser they will send a payload that compromises the browser with the intent of installing an adware extension.

It failed to install on the machine I made for it (Ubuntu18/Chrome) but it did manage to navigate me to an advert from the click.

But any click can do that, right? No need for it to be a fake Allow/Deny prompt.

The best I can think of is that it does 2 things:

1. Preserves the "true" allow/deny prompt for a time when the user will allow.

2. Lulls the user into a sense of security. The page is nice and/or their browser will ask about anything the page tries to do.

My guess is something to do with needing to have a user prompt certain types of cross site javascript actions.

It also needs to seem legitimate so people click it but don't report it.

Well, people still believe that they will help a prince from Nigeria.

Also I've seem some old ladies believing that a younger soldier from US needs help taking money out of %some country%.

A fake address bar, with a fake "look, I'm safe" mark on it? Yes, it'll do it.

A recent example that I've been seeing more and more is pages taking over some system keyboard shortcuts. I've seen pages taking over Command-F and using their own search interface instead of the browsers. I've found utilities for not messing with copy/paste, but is there a way to block pages with keyboard shortcuts in Chrome?
Hijacking CTRL-F drives me nuts!

I really think this should result in a permissions dialog from the browser.