February 2026

Introducing Norn Labs

Why we chose to work on phishing, the tools we've built so far, and where we're headed.

Put simply, the objective of Norn Labs is to create tools to help solve phishing. We chose to work on phishing because we believe it to be one of the highest leverage problems in cybersecurity. Not only do we suspect that nearly everyone reading this blog has been a victim of phishing or knows someone who has, but just about every major hack you have heard of started with a targeted phishing campaign. There is often a direct financial impact from these attacks which gets widely reported, but these numbers don't show the whole picture. They do not account for the emotional toll caused by losing your life savings, or even the physical toll when hospitals lose the ability to properly care for patients due to their systems being compromised. What this means is that any impact we can have on reducing the effectiveness of these attacks translates to significant savings, both monetary and emotional.

Phishing is an overarching name for a varied number of malicious behaviors. This includes everything from convincing an employee to wire a payment to their boss to collecting the password to your grandmother's bank account. Because the attack surface is so varied, with each attack potentially warranting its own set of protective tools, we needed to pick a method to focus our efforts on. As you will see from our initial offerings, we chose to focus (at first) on phishing websites. Broadly speaking, a phishing website is a website controlled by a malicious actor that is made to look like a trustworthy institution with the objective of getting someone to enter their credentials or download a piece of malicious software.

Concretely, a common phishing attack looks like receiving an email that appears to have come from your email provider saying that you need to sign into your account to verify a security alert. The email will contain a link to a sign-in page that is indistinguishable from your email provider's actual sign-in page. Once you have entered your credentials into the malicious page, the attacker will be able to access your account.

You may be thinking: what about my two-factor authentication (2FA)? Isn't that a clean way to avoid this attack? While 2FA does make it slightly harder on an attacker, it doesn't stop them. After you enter your password on the fake page, the attacker can present you with a second page asking for your 2FA code. You enter it thinking you're on the real site, and the attacker immediately forwards that code to the actual service before it expires. From your perspective the whole thing looks completely normal.

We believe that the weak link in this chain is the phishing website itself. It has always been the case that a security professional would be able to determine if a particular website is a phishing attempt, but the problem is not everyone has a security professional they can consult. It simply doesn't scale. However, with the advances in AI, we think it has now reached the point where tooling can give everyone something close to their own real-time security professional. Maybe we're not all the way there yet, but we think we can get closer to that ideal than ever before.

Before we get into the tools, a quick word on the names since they might look intimidating. Yggdrasil (pronounced ig-druh-sil) is the tree of life in Norse mythology which holds all the worlds in its branches. We think it's a pretty good name for the tool which holds all our data and is the system that all other tools integrate with. The Norns are three Norse deities that weave the tapestry of fate and tend to Yggdrasil. Because Yggdrasil is the first tool we started to work on, naming this project after the Norns was really the only option if we wanted to stay on theme. Finally, Huginn (HOO-gin) and Muninn (MOO-nin), or thought and memory, are Odin's ravens that each day fly out to keep watch over the worlds and return to share what they have seen. We named our browser extension after Muninn as we see the tool as being watchful for its users and as an important contributor to the knowledge around online threats. Our system for actively collecting phishing websites is named after Huginn for the same reasons.

Yggdrasil

This will not come as a surprise, but in this day and age often the most important variable when solving a problem is access to good data. We knew this going in, and so our first tool is a database for phishing websites. The idea is to have a repository where we can store all our confirmed webpages, making it possible for every tool in our ecosystem to draw from the same source of truth. This idea is in no way new, and if PhishTank hadn't closed their registration it's likely we would not have created our own.

We recognize there are plenty of services where users can submit a URL for verification. However, in our experience most of these services suffer from serious limitations. They often only aggregate across blocklists and do some simple DNS checks. What this means is that if a phishing website hasn't made it into a blocklist yet, it will not be identified as dangerous. It also means that a perfectly legitimate service can look suspicious if it was just created recently. We think these limitations are pretty damning, as any new attack will often slip by undetected. We want Yggdrasil to be a place where if a webpage has been confirmed safe or phishing, you can be absolutely sure that label is correct.

Muninn

The security industry has produced countless phishing detection tools for enterprises, but there is a surprising lack of tooling for the average user of the internet. We think this is a shame and are determined to remedy the problem. We believe there is nothing inherently different in the way phishing attacks work against individuals at a company and individuals using the internet in their daily lives. Because of this, we think any attempt at a solution should be equally useful in both contexts and should be made available to both individuals and companies alike.

As discussed previously, we believe the current batch of online services for detecting phishing websites have some real limitations. But perhaps the biggest limitation of these services is that you have to be proactive to use them. You have to copy a potentially dangerous URL and paste it into the service. This requires you to know that a URL is potentially dangerous in the first place. Herein lies the problem, as most successful phishing attacks are successful because the target doesn't know there is any potential for danger. A better solution looks like a system which quietly evaluates each webpage you visit and notifies you when it thinks there is potential for danger. This is the system we are trying to create with Muninn.

To get the desired experience we knew the tool had to be built as a browser extension. We started with a Chrome extension purely because that is the ecosystem we use and are most comfortable with. We also knew that to be effective the tool would need to check every webpage, and that this would raise major concerns from a data privacy standpoint. With that in mind, we tried to come up with an approach that would maintain as much privacy as possible while still being able to meet the requirements that make such a tool actually useful.

The approach we landed on is a tiered system of scans. The initial scan is as lightweight as possible and uses just the page URL. For each URL, we do our best to remove any identifying information from it, and anytime we save a scan result we never link it to a particular user. What this means is that there is no feasible way to tie a particular URL to a particular person.

If the initial scan determines the page is potentially phishing, we give the user the opportunity to run a more comprehensive scan. This scan involves taking a screenshot of the page and thus could have implications for data privacy. To address this we never save the screenshot taken for this scan. We think the combination of having the user actively trigger the deeper scan along with the fact that we do not save the screenshot maintains as much data privacy as possible while also allowing us to use more data for better accuracy.

Finally, if the deeper scan detects a phishing attempt, we give the user the option to send the website to Yggdrasil. It is only at this point that we would save a screenshot of the webpage for the Yggdrasil entry, as this is one of the best ways for us to confirm the tool's result. With this setup, any user of Muninn has a lot of control over what information is collected and saved while also getting what we believe to be the gold standard of phishing detection.
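To make the three tiers above concrete, here is an added example (not Norn Labs' code, and not the real Muninn extension) sketching the pipeline in Node.js. The `scrubUrl()` rules, the lookalike-host heuristic that stands in for the first-tier model, the injected `deepClassify` and `submit` functions that stand in for the deeper model and the Yggdrasil submission call, and the in-memory record store are all constructed here; the point it demonstrates is what each tier is allowed to persist: no user identifier at any tier, and a screenshot only once the user chooses to report the page.

```javascript
// Added example, not Norn Labs' own code. The real models and the Yggdrasil API
// are not described on the page and are represented by injected functions.

// Query keys that commonly carry per-user identifiers (constructed list).
const IDENTIFYING_PARAMS = new Set([
  'email', 'user', 'username', 'login', 'token', 'session', 'sid', 'uid', 'id', 'auth', 'key',
]);
const EMAIL_RE = /^[^\s@/]+@[^\s@/]+\.[^\s@/]+$/;

// Tier 1 input: keep what is needed to judge the destination, drop what could
// identify the visitor (userinfo, fragment, identifying query keys, emails in the path).
function scrubUrl(rawUrl) {
  const u = new URL(rawUrl);
  u.username = '';
  u.password = '';
  u.hash = ''; // fragments frequently carry tokens and are never needed for classification
  for (const key of [...u.searchParams.keys()]) {
    if (IDENTIFYING_PARAMS.has(key.toLowerCase())) u.searchParams.delete(key);
  }
  if ([...u.searchParams.keys()].length === 0) u.search = ''; // no dangling '?'
  u.pathname = u.pathname
    .split('/')
    .map((seg) => {
      let decoded = seg;
      try { decoded = decodeURIComponent(seg); } catch (_) { /* leave malformed segment as-is */ }
      return EMAIL_RE.test(decoded) ? 'REDACTED' : seg;
    })
    .join('/');
  return u.toString();
}

// Tier 1 verdict: a constructed lookalike heuristic standing in for the real model.
// Flags hosts that mention a watched brand but are not that brand's own domain.
const WATCHED_BRANDS = new Map([['paypal', 'paypal.com'], ['microsoft', 'microsoft.com']]);
function looksSuspicious(scrubbedUrl) {
  const host = new URL(scrubbedUrl).hostname.toLowerCase();
  for (const [brand, legit] of WATCHED_BRANDS) {
    const isLegit = host === legit || host.endsWith('.' + legit);
    if (host.includes(brand) && !isLegit) return true;
  }
  return false;
}

// Records what each tier persists. Records never carry a user identifier, and a
// screenshot is stored only once the user chooses to report the page.
class ScanPipeline {
  constructor({ deepClassify, submit }) {
    this.deepClassify = deepClassify; // (url, screenshot) => boolean; hypothetical deeper model
    this.submit = submit;             // hypothetical stand-in for the Yggdrasil submission call
    this.saved = [];
  }
  initialScan(rawUrl) {
    const url = scrubUrl(rawUrl);
    const suspicious = looksSuspicious(url);
    this.saved.push({ tier: 'initial', url, suspicious });
    return { url, suspicious };
  }
  // User-triggered: the screenshot is used for the verdict and then dropped.
  deepScan(url, screenshot) {
    const phishing = this.deepClassify(url, screenshot);
    this.saved.push({ tier: 'deep', url, phishing });
    return phishing;
  }
  // User-triggered: only here is a screenshot persisted, alongside the report.
  report(url, screenshot) {
    const entry = { tier: 'report', url, phishing: true, screenshot };
    this.saved.push(entry);
    return this.submit(entry);
  }
  // Invariant a reviewer can check over everything that was stored.
  storesOnlyWhatItShould() {
    return this.saved.every((r) => !('userId' in r) && (r.tier === 'report' || !('screenshot' in r)));
  }
}

// Walks one page through all three tiers with constructed inputs.
function demo() {
  const p = new ScanPipeline({
    // Constructed deep classifier: a login form on an already-suspicious host counts as phishing.
    deepClassify: (url, shot) => looksSuspicious(url) && /password/i.test(shot.text),
    submit: (entry) => ({ accepted: true, url: entry.url }),
  });
  const first = p.initialScan('https://alice:pw@paypal-verify.example/login?email=alice%40example.com&ref=7#t=1');
  const shot = { text: 'Log in to PayPal  Email  Password' }; // constructed screenshot stand-in
  const deep = first.suspicious ? p.deepScan(first.url, shot) : false;
  const submitted = deep ? p.report(first.url, shot) : null;
  return { first, deep, submitted, clean: p.storesOnlyWhatItShould() };
}
```

Running `demo()` shows the scrubbed URL (`https://paypal-verify.example/login?ref=7`) being the only thing the first tier ever sees or stores; the `storesOnlyWhatItShould()` check is the kind of invariant worth asserting in tests so a later change cannot quietly start persisting screenshots or user identifiers at the wrong tier.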

We recognize that some folks do not like that, for Muninn to detect a phishing website, they will have to actually visit the site. Mainly this stems from the fear that merely visiting a malicious webpage means that their browser has been hacked in some way. This fear is in the vast majority of cases a misconception, as the goal of a phishing page is most often to trick you into thinking it is a legitimate service and to enter your credentials for that service. That being said, we are exploring options for detecting phishing pages without the user ever landing on them. Our first offering here will be the ability to scan a URL without having to visit the page. We recognize this is not ideal as it suffers from the proactivity problem we discussed previously, but it's just a starting place and we expect to have better tooling around this before too long.

Another pushback we anticipate is: doesn't my browser already do this? Some browsers like Chrome have solutions in place; however, they are severely lacking as they are built around blocklists. Once a phishing website has been identified your browser will block it (you may have seen the red screen of doom), but for any new attack there is a period where it will go undetected. Now this doesn't mean browser providers aren't also working on solutions, and they may even come up with better solutions than ours. If they do, we think that's great. We see phishing as a largely unsolved problem that has a seriously negative impact on the world, and whether it's us or someone else who improves on the status quo, it's all gravy in our eyes.

Huginn

Huginn is our newest tool and is largely internal at the moment. The goal is to have a system which does active discovery of phishing websites and feeds them back to Yggdrasil so that the results can be shared across the ecosystem. We are currently using the tool as a way to seed Yggdrasil (pun absolutely intended) and we'll have more to share here soon. We plan to publish some of our findings on this blog as the data comes in.

This project is very new and we could use all the help we can get. If you've read this far and are interested in giving our tools a shot, we would love any feedback you might have. And if you're interested in helping out or working with us in any capacity, please reach out to the email on the contact page. We're just getting started and there's a lot more to build.