Understanding SmartScreen Blocking

I’ve received a few emails recently, asking “Why is SmartScreen blocking my newspaper’s website?” Usually, the person asking assumes that, because they trust and regularly visit the website in question, this must be a false positive in SmartScreen.

The reality is a bit more complicated, and a bit more interesting.

Many websites rely upon advertising for revenue, and those advertisements are typically delivered within subframes inside the top-level page. The problem is that advertising networks, from time to time, unknowingly deliver malicious advertising. Typically, such “malvertising” relies upon navigating the frame to a malicious website. That website, in turn, then shows prompts, pop-ups, or other messages to trick the user into installing malicious software, often called scareware.

SmartScreen is designed to perform reputation checks against frames, and when it detects that a browser subframe has been navigated to a malicious site, it replaces the top-level page with the block experience. The blocking page shows the address of the top-level page that was hosting malicious content, allowing the user to more easily detect typos or other misleading URLs.

[Figure: SmartScreen blocking page on a victim site with a malicious subframe]

In many cases, this design makes sense: if a given top-level page is hosting an IFRAME containing a phishing or malware attack, then there’s a good chance that the top-level page itself is malicious. It might, for instance, contain code to determine whether the attack’s subframe was blocked and then navigate the subframe to a different page on a different server, in an attempt to bypass SmartScreen. If SmartScreen blocked only the known-malicious subframe, the user would still be exposed to that retargeted attack.

When we designed the error page, we worried that technical subtleties like “inline frames” would be confusing to normal users, who might wonder why “https://good.example.com” appears in the address bar, but “https://evil” appears within the blocking page. The user might (not unreasonably) assume that SmartScreen had simply made a mistake. Unsuspecting users might “click through” the blocking page and subject themselves to attack.

Unfortunately, this user experience leads to confusion in the cases where the top-level page isn’t intentionally hosting malicious subframes. The user sees a legitimate address in the blocking page, and thinks “My friendly neighborhood newspaper can’t be evil… could it?” What’s worse, most advertising scripts randomly select an advertisement to show, so if the user (or the site owner) revisits the legitimate site in a new window, they likely will not receive the malicious advertisement again and thus will not encounter the SmartScreen blocking page.

If you ever encounter a SmartScreen block experience on a legitimate site, chances are very good that the browser has just blocked a malicious ad.

-Eric

PS: FiddlerCap is a tool I’ve released to help users and site owners capture malicious advertisements. FiddlerCap easily collects all of the web traffic from your browser and saves it in a single file which can later be analyzed to determine which advertisements should be removed from the network.
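To show how a capture like the one FiddlerCap saves can be triaged, here is an added example (not from the original post and not FiddlerCap's own code): it assumes a simplified, constructed record format rather than FiddlerCap's real archive format, and walks redirect and Referer hops backwards from the frame SmartScreen flagged to find which ad networks handled that impression.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Request:
    """One captured request/response pair (constructed, simplified record)."""
    url: str
    referer: Optional[str]            # Referer request header, if sent
    status: int                       # HTTP response status
    location: Optional[str] = None    # Location header on 3xx responses

# Constructed sample capture: the newspaper page loads an ad tag, the ad call
# 302s through a second network, and the frame lands on a fictional scareware host.
TOP = "https://good.example.com/news/today"
SAMPLE_CAPTURE = [
    Request(TOP, None, 200),
    Request("https://ads.example.net/tag.js", TOP, 200),
    Request("https://ads.example.net/serve?slot=top", TOP, 302,
            location="https://rtb.example.org/creative/4412"),
    Request("https://rtb.example.org/creative/4412", TOP, 302,
            location="https://evil.example/alert.html"),
    Request("https://evil.example/alert.html", TOP, 200),
    Request("https://good.example.com/style.css", TOP, 200),
]

def trace_chain(capture: list, flagged_url: str) -> list:
    """Walk backwards from the flagged frame URL, first through 3xx Location hops,
    then through Referer, up to the top-level page. Returns hops top-level first."""
    by_location = {r.location: r.url for r in capture if r.location}
    by_url = {r.url: r for r in capture}
    chain, seen, current = [flagged_url], {flagged_url}, flagged_url
    while True:
        if current in by_location:                          # reached via a redirect
            prev = by_location[current]
        elif current in by_url and by_url[current].referer:  # reached from a page/frame
            prev = by_url[current].referer
        else:
            break                                           # no earlier hop recorded
        if prev in seen:                                    # guard against redirect loops
            break
        chain.append(prev)
        seen.add(prev)
        current = prev
    return list(reversed(chain))

def intermediaries(chain: list) -> list:
    """Hosts between the site's own page and the flagged hop: the networks to notify."""
    return [urlsplit(u).hostname for u in chain[1:-1]]
```

Feeding the chain's intermediary hosts back to the ad network is what lets them pull the creative rather than the site owner guessing at which tag was responsible.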