
Anti-Phishing Tools 233

Posted by CmdrTaco
from the escalating-the-arms-race dept.
mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
  • Huh (Score:5, Insightful)

    by Lord Grey (463613) * on Tuesday August 17, 2004 @11:34AM (#9991674)
    Unless I missed something, neither the article nor the summary provides a link to the product. Here is what I found: Web Caller-ID [wholesecurity.com]. That link contains this paragraph:
    Web Caller-ID's detection engine includes hundreds of routines that examine the elements of a web site, ranging from the site's content and links to its page history, and then determine if they are indicative of a spoof. For example, the URL of a particular site might be analyzed for phishing characteristics, such as the inclusion of an IP address at the beginning of the URL, or the source code might be analyzed for calls to a different web site. In production environments, Web Caller-ID consistently detects more than 98% of previously unknown spoof sites using behavioral technology.
    This product sounds interesting at first blush, but don't most phishing scams begin with an email? Web sites that support phishing aren't going to have as many of these characteristics as the email that lured the victims there to begin with. I have to wonder just how well this really works, despite the "consistently detects more than 98% of previously unknown spoof sites" quote.
    • Email Phishing (Score:5, Insightful)

      by TheOtherAgentM (700696) on Tuesday August 17, 2004 @11:41AM (#9991757)
      From what you and I probably see, yes. Phishing begins with an email, because we probably don't browse shady sites regularly. I don't know what the average user sees in their regular browsing. I can't even figure out where people get all the spyware from in the first place. As far as phishing emails, I know I get one email regularly that looks like a CitiBank email, but it is a .jpg file embedded. The URL has citi in it, but if you look closer, it's obviously not the right site. I'd report it, but Citi Bank's online reporting sucks.
      • I got it too, though thunderbird marked it as spam and my anti-phishing tool in firefox told me "you are at 31337.h4x0rz.cn" or wherever. I'm not sure what good it would do to report it to citi since there's nothing they can do about it except maybe send out emails to everyone in the world telling them not to believe emails claiming to be from them.

        • by james_marsh (147079) on Tuesday August 17, 2004 @11:54AM (#9991930)
          I'm not sure what good it would do to report it to citi since there's nothing they can do about it except maybe send out emails to everyone in the world telling them not to believe emails claiming to be from them.
          There's just a slight flaw in that logic...
          • Re:Email Phishing (Score:3, Insightful)

            by Anonymous Coward
            > There's just a slight flaw in that logic...

            No there isn't.

            You receive an email supposedly from Citibank, telling you not to trust emails from Citibank.

            If it's a fake email, it means you can't trust emails claiming to be from Citibank anymore, because someone's faking them.

            If it's legit, it's telling you not to trust emails from Citibank, so you'd better not.

            So, for this particular message, it doesn't matter whether it's fake or for real - you still know not to trust any more emails.

            So how do the
        • Re:Email Phishing (Score:5, Informative)

          by realdpk (116490) on Tuesday August 17, 2004 @12:14PM (#9992143) Homepage Journal
          Actually, as someone who's working at a web host, I can tell you Citibank does take this sort of thing seriously, and they are interested to know where the sites are being hosted.

          Who knows what they do with that information. Maybe nothing. Still, it's worth reporting, if only to show that the community is against these frauds.
          • Re:Email Phishing (Score:2, Interesting)

            by Andrewkov (140579)
            I reported one of these scams to Citibank through their website (I'm not even a customer, just a nice guy). They didn't even acknowledge my report, let alone fix it.
      • Re:Email Phishing (Score:5, Interesting)

        by aussersterne (212916) on Tuesday August 17, 2004 @12:18PM (#9992186) Homepage
        Citibank can't do anything about it anyway; they're not law enforcement, and even if they were, what exactly do you see law enforcement doing about SPAM or phish emails? Nada.

        I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"
        • It would be fucking awesome if they did, in a very frightening way.

          It leads me to think of the dystopia that is Shadowrun's game world, where corporations have their own standing armies.
        • Re:Email Phishing (Score:5, Insightful)

          by Ra5pu7in (603513) <ra5pu7inNO@SPAMgmail.com> on Tuesday August 17, 2004 @12:37PM (#9992374) Journal
          They can't do much about it upfront. However, as soon as it involves withdrawals from customers' accounts it moves over into fraud ... which they can do something about (via usual legal means). Neither Citibank nor any of the others (I've seen BofA, Wells Fargo, and others) is going to acknowledge all the emails they get reporting these scams. Instead, the data is accumulated and those that report they lost money this way will be prioritized because these can be used for prosecution.

          Personally, I'm waiting for the point where we can have a Darwin's Award for the idiots who answer those emails ... y'know the point when one of them loses every last dime in a scam and commits suicide, dies from a badly produced batch of V@l1um or V1agr@, or tries to gain or lose inches and has an accident with the means thereto. When this garbage produces 0 results, no matter how many millions are sent out, it will self-destruct.
        • Re:Email Phishing (Score:2, Interesting)

          by Volmarias (705460)

          You know? That would be absolutely delightful. Hell, I'm sure there would be legions of geeks willing to ensure that the information entered into their systems wasn't "Murder", but "Tickling with fluffy bunnies" instead.

          I've always wondered just what law enforcement would do if someone started to serially hunt spammers, and I keep coming to the conclusion that all you need to keep the trail cold is leave a note saying "This man sent your daughter emails about zoo porn"

        • Re:Email Phishing (Score:2, Interesting)

          by Anonymous Coward

          "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

          How about persuading the government to put pressure on the foreign country's government until they sort the problem out? If the MPAA can get "DVD Jon" arrested all the way over in Norway, surely eBay can get some spammers arrested?

        • Re:Email Phishing (Score:3, Interesting)

          by glesga_kiss (596639)
          "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"

          That's not all that far from the real world. Government is corporations; corporations is government.

        • I've bought some large items on ebay, but the best place to find scammers is when you're buying expensive laptops. I've seen a lot of phishing for ebay. I saw a recent report which predicted that for every legit technology business, there are two scam ones.

          The most important thing for Citibank and Ebay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or it is an isolated innceden
        • Re:Email Phishing (Score:3, Insightful)

          by jlechem (613317)
          I too used to work for eBay and in that very department and know this smoke shack you speak of. The phishing problem there was terrible but they were getting better. And not only was there phishing but a big problem was assholes that would embed trojan viruses in their auction listings that would install keystroke loggers, etc on people's machines. But that is another post and whole other thread.

          I know how the toolbar program worked. It worked on scanning the HTML source and based on various factors wo
      • I got several of those. The first one was an eye opener to the world of phishing for me. I did actually report it to Citi Bank through their online reporting mechanism. I'm hoping they are working with law enforcement to go after the perpetrators....ok, just kidding. At least I'm hoping that if enough people complain they might just have to come up with something that helps their real customers. I dunno, send out an 'awareness email', I know that my parents don't have a clue when it comes to phishing, they
    • I thought this at first as well... but considering that those phishing emails usually end up sending you to a website, I think it might help.

      I'm skeptical about the 98% thing as well.
    • Re:Huh (Score:5, Insightful)

      by beh (4759) * on Tuesday August 17, 2004 @11:43AM (#9991785)
      There is, of course, another issue as well - if you eliminate 98% of the phish scams - that'll probably also mean that people will start paying less attention to the problem at hand and might hence become less careful about those phish scams that DO make it into their inbox.

      This might be in a way comparable to the rates of HIV/AIDS spread during the late 80s/early 90s when there was LOTS of media attention to the issue, and people would actually think about what they were doing. Now, a couple of years after the height of media attention to it, the problems are rising again (simply because people no longer think about the issue).

      In the same way, I would guess people might fall more easily for phish scams, once they become more rare again.
      • Re:Huh (Score:2, Insightful)

        by Glog (303500)
        Which moon do you live on? Think about spam for a second - it's been around for years and it almost doubles every year. It's become like the most-reviled thing on the internet. And there are STILL people who buy things through spammed ads.

        I don't believe the general populace will get the danger of phishing even if you aired 2 minute warnings every hour on the hour for a month during prime time TV.

        There's always going to be some sucker who falls for a phishing scam. They've become too sophisticated for the
    • Re:Huh (Score:3, Interesting)

      by Mysticalfruit (533341)
      Actually there have been a large number of cases where an ISP's DNS server has been poisoned so users type in the legitimate www.somehugebank.com and it brings them to a proxy mirror image of the site where you gleefully log in and they scarf your information.
  • Educate (Score:5, Insightful)

    by Klar (522420) * <(moc.liamg) (ta) (nihcruc)> on Tuesday August 17, 2004 @11:34AM (#9991675) Homepage Journal
    However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.
    I have to say that I agree. These tools are great for newbie computer users. But I really think people should be educated on how to read a URL so they don't have to rely on a tool like this. If they don't understand the URL, using a 'caller id' program may not always be effective at preventing scams.

    Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.
    • Ignore my last paragraph, and read Lord Grey's post above :$
    • Re:Educate (Score:2, Informative)

      by Anonymous Coward
      I've seen some intense scam sites where a graphic covers the address bar, and it looks like you are really at citibank. I was actually taken aback for a few seconds. I KNEW I was on a phishing site, but the URL was clearly citibank's (I have accounts there). Played with the address bar, and noticed... hmmm.

      This would fool 98% of semi-experienced users.
      • Re:Educate (Score:2, Interesting)

        by Mouse42 (765369)
        98%, eh? heh.

        One other problem companies have is changing their website's appearance. For example, CapitalOne recently changed their homepage and I was actually too nervous to log in for a few days.

        Also, a poor quality website can make people suspicious. A friend of mine asked me to inspect his cable company's website to see if it were real or not because it was so poorly designed. I told him since it was so poorly designed to not trust its security, either, and not bother doing the online bill pay.
      • Re:Educate (Score:4, Informative)

        by donnyspi (701349) <junk5 AT donnyspi DOT com> on Tuesday August 17, 2004 @12:48PM (#9992494) Homepage
        This Citibank one's even more sophisticated than having an image cover the address bar: http://www.antiphishing.org/phishing_archive/07-05-04_Citibank_(Citisafe_by_Citibank).html
    • Re:Educate (Score:4, Insightful)

      by psin psycle (118560) <psinpsycle@NosPAm.yahoo.com> on Tuesday August 17, 2004 @12:29PM (#9992303) Homepage
      Education will only help so long. What happens when someone writes a worm/virus that replaces the /etc/hosts file with one hacked up to send people to phishing sites instead of banking sites? Not only could the phishing websites capture account data, they could also forward the user on to the correct site so they don't even notice a problem. Who's going to check their /etc/hosts file to make sure this isn't happening!
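A defender-side check for the hosts-file hijack described above, added here as an example (not code from the thread or any product it mentions): parse hosts-file text, flag any entry that pins a protected banking domain or one of its subdomains to an address, and report other non-loopback mappings for review. The protected-domain list, the expected-name list and the sample hosts content are constructed for the example.

```python
import ipaddress

# Names whose resolution must come from DNS, never from a local hosts entry.
# Constructed list for this example; a real check would cover every site the
# user banks or shops with.
PROTECTED = {"citibank.com", "ebay.com", "paypal.com"}

# Names a hosts file is expected to carry on its own.
EXPECTED = {"localhost", "localhost.localdomain", "ip6-localhost",
            "ip6-loopback"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for each mapping in hosts-file text,
    tolerating comments, blank lines and several names on one line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment or no names
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address; resolver ignores it
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def is_protected(name):
    """True for a protected domain or any hostname under it."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED)


def audit_hosts(text):
    """Flag entries that pin a protected site to an address (the hijack in
    the post above) and any other non-loopback mapping not on the expected list."""
    alerts = []
    for ip, name, line_no in parse_hosts(text):
        if is_protected(name):
            alerts.append(f"line {line_no}: {name} pinned to {ip}; DNS bypassed")
        elif name not in EXPECTED and not ip.is_loopback:
            alerts.append(f"line {line_no}: unexpected mapping {name} -> {ip}")
    return alerts


def audit_hosts_file(path):
    """Run the audit against a real hosts file, e.g. /etc/hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed hosts-file content mimicking the hijack described above.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.20 nas          # home file server, added by the owner
198.51.100.7 www.citibank.com online.citibank.com  # injected by malware
198.51.100.7 www.ebay.com
"""

if __name__ == "__main__":
    for alert in audit_hosts(SAMPLE_HOSTS):
        print(alert)
```

On Windows the same file lives at %SystemRoot%\System32\drivers\etc\hosts, so `audit_hosts_file` can be pointed there as well.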
  • Glasses (Score:4, Insightful)

    by jobeus (639434) <jobe-slash@jobeu[ ]et ['s.n' in gap]> on Tuesday August 17, 2004 @11:35AM (#9991683) Homepage
    Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere. If people could see it more clearly......... :D
    • Re:Glasses (Score:5, Insightful)

      by Rosco P. Coltrane (209368) on Tuesday August 17, 2004 @11:49AM (#9991875)
      Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere

      A normal-sized brain behind the glasses would work very well too. I mean, for example, the Microsoft-looking emails that require you to give a password, or a CC number or something: who the hell with a normal intelligence would fall for that one?

      Most scams look exactly like that: scams. They're so easy to spot with a vaguely critical eye that it's not funny. The problem is, who will educate a public that doesn't understand much about computers in the first place?
      • Re:Glasses (Score:4, Insightful)

        by wan-fu (746576) on Tuesday August 17, 2004 @12:04PM (#9992019)

        While I agree that helping people understand computers is partly the issue here, there's an even bigger issue and that's educating the public in general to be more aware of scams. Remember, though the internet is a haven for scammers, there are plenty of them out there sending direct mailings or using infomercials. People still fall for those and not just the tricks on the net.

        I think a big part of it is people are simply more lazy these days. As a result, they are more willing to believe in a get-rich quick scheme or an identification check for a bank or sweepstakes or whatever (especially the old who are more trusting). But who knows, maybe it's not that, it could very well be that people are just stupid and gullible by nature (which many /.'ers seem to think given the number of times I've seen references to "sheeple" and the like).

  • Already sluggish... (Score:5, Informative)

    by La_Boca (201988) on Tuesday August 17, 2004 @11:35AM (#9991688) Journal
    Does That Web Site Look Phishy?

    WholeSecurity's new software claims to identify fraudulent sites.

    Paul Roberts, IDG News Service
    Monday, August 16, 2004

    A new software tool from WholeSecurity can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.

    The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies, and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud, and increase confidence in online commerce, the company says.

    Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account, or credit card number, often under the guise of updating account information.

    Already in Use

    A version of Web Caller-ID is already being used by EBay in a feature called Account Guard, part of an EBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs that disguise the true Internet address of the site the user is visiting.

    Companies can license a Web browser plug-in from WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity says.

    A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites, or fine-tune the Web Caller-ID technology to adapt to their company's Web site.

    On the Rise

    Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group.

    There were 1422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group says.

    A survey of 5000 adult Internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner says.

    Taking the First Step

    Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams, says Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at EBay.

    "These are some of the things we need to do moving forward--getting technology built into the Web browsers themselves to do these things," he says.

    However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.

    "You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he says.
  • by wheany (460585) <wheany+sd@iki.fi> on Tuesday August 17, 2004 @11:35AM (#9991690) Homepage Journal
    I thought the general consensus was that technological solutions to social problems don't work.
  • by NewbieV (568310) * <[moc.liamg] [ta] ... smaharba.rotciv]> on Tuesday August 17, 2004 @11:35AM (#9991693)

    Spoofstick [corestreet.com] is a plugin for FireFox or Internet Explorer that can help identify 'phishy' sites while surfing.

    It does take a little more real estate out of the browser's window, but it's a pretty useful tool when teaching people about the dangers of clicking links blindly.

    • The problem arises with this when a website has multiple domains to cover their content. That can confuse users. Multiple domains shouldn't be used just to serve media from another server, but I've seen it done. Also, what happens when you are drawing content from other domains? Will Spoofstick list all the domains?
      • Sites like apple use other domains for their images. It looks like apple has recently changed a bit though. Instead of all images coming from akamai directly, they come from images.apple.com.

        But...

        ping images.apple.com
        PING a932.g.akamai.net (38.115.177.150) 56(84) bytes of data.
        64 bytes from 38.115.177.150: icmp_seq=1 ttl=57 time=30.6 ms

        • Still, you're relying on the DNS of apple.com being correct. The root domain.
          The problem comes when apple.com loads images from images-apple.com or something that's a separate domain, rather than simply a sub-domain.
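The URL heuristics quoted from Web Caller-ID in Lord Grey's post (an IP address at the start of the URL), the hyphen-for-dot substitution jobeus describes in the Glasses thread, and the Spoofstick idea of showing the user the registrable domain, combined into one added example. This is illustrative code written for this page, not Web Caller-ID's, Spoofstick's or eBay's; the brand table and the tiny public-suffix stand-in are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Brand tokens this check knows about and the registrable domain each one
# legitimately uses. Constructed table for this example.
KNOWN_BRANDS = {
    "citibank": "citibank.com",
    "ebay": "ebay.com",
    "paypal": "paypal.com",
}

# Deliberately tiny stand-in for the Public Suffix List: only the suffixes
# the sample URLs below need. Use the real list in production.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "co.uk"}


def registrable_domain(host):
    """Return the part of a hostname its owner actually registered, e.g.
    'h4x0rz.cn' for 'secure-citibank.h4x0rz.cn'. This is what a
    Spoofstick-style display should show the user."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest known suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(url):
    """Apply the heuristics to one URL and return what to show the user."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.lower()
    findings = []

    # 'http://citibank.com@198.51.100.7/' puts a brand where the eye expects
    # the host; anything before '@' is userinfo, not the destination.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' precedes the real host")

    if is_ip_literal(host):
        findings.append(f"host is a bare IP address ({host}), not a domain name")
        domain = host
    else:
        domain = registrable_domain(host)

    # Hyphen-for-dot trick: 'secure-citibank' or 'citibank-com' still
    # contains the brand once hyphens are treated as label separators.
    labels = set(host.lower().replace("-", ".").split("."))
    for brand, real in KNOWN_BRANDS.items():
        if domain == real:
            continue  # genuinely the brand's own site
        if any(brand in label for label in labels):
            findings.append(
                f"hostname mentions '{brand}' but the registrable domain is {domain}")
        elif brand in path:
            findings.append(f"path mentions '{brand}' on a host that is not {real}")

    return {"host": host, "display_domain": domain,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample URLs; the .cn host echoes the one quoted in the thread.
    for sample in (
        "https://www.citibank.com/login",
        "http://secure-citibank.h4x0rz.cn/login",
        "http://citibank.com@198.51.100.7/",
        "http://www.ebay.com.evil-login.net/ws/signin",
    ):
        report = analyze_url(sample)
        print("SUSPICIOUS" if report["suspicious"] else "ok",
              report["display_domain"], *report["findings"], sep="  ")
```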
  • You mean... (Score:5, Funny)

    by Black Parrot (19622) on Tuesday August 17, 2004 @11:36AM (#9991698)

    ...I wasn't supposed to give s1ashdot my credit card number to read this story?

  • Wrong Solution (Score:4, Insightful)

    by Anonymous Coward on Tuesday August 17, 2004 @11:36AM (#9991699)
    The proper solution to phishing scams is
    1) Educate everyone not to give out confidential information to anyone.
    2) Track the phishing sites and publicly hang the owner. These things are not difficult to track by the very nature of the scam.
    • Re:Wrong Solution (Score:2, Insightful)

      by MindStalker (22827)
      In the US or UK maybe, but many of these sites are located in parts of the world where you can get anonymous internet access.
      • Can you get anonymous access with enough bandwidth to run a server? Or maybe they don't expect to have enough hits at any one time to actually care.
        • Well, if they are expert phishers, then they probably have a few spare identities they can use to set up the server. And even if they aren't anonymous, you still have the problem of the host country actually being able to/wanting to prosecute them. That isn't always a given....
    • Also important: educate companies who do business on the web to never send out legitimate requests for account updates via email. Most large companies would not do this, but some of the smaller players do not think about how this could cause major confusion and problems for users.
    • Re:Wrong Solution (Score:3, Insightful)

      by PsiPsiStar (95676)
      Or

      b. Send out a massive phishing e-mail and scold anyone who falls for it.
    • by j1m+5n0w (749199) on Tuesday August 17, 2004 @12:28PM (#9992290) Homepage Journal
      The proper solution to phishing scams is 1) Educate everyone not to give out confidential information to anyone. 2) Track the phishing sites and publicly hang the owner. These things are not difficult to track by the very nature of the scam.

      Don't forget

      3) Use public key cryptography to verify the authenticity of sites you do business with.

      -jim

  • by tekiegreg (674773) * <tekieg1-slashdot@yahoo.com> on Tuesday August 17, 2004 @11:36AM (#9991702) Homepage Journal
    Just don't click on any links via email to anything unless you solicited it (such as an email verification to a mailing list you're subscribing to). When I'm in doubt, all I do is type in the URL to the bank/brokerage/etc. web site myself (fire up browser and type in homepage URL), log in and find out if there is anything going on. Most such websites have a way to look at everything and take any needed action right away after you type in a user/pass.

    *sigh* and on that note there is a sucker born every minute I suppose.
  • by djtech (513550) on Tuesday August 17, 2004 @11:36AM (#9991703)
    What we need is a way to automatically reply to these phishing scams with bogus information. I'd like to be able to order everything sent in a spam message too with bogus information. Beat them at their own game!
    • What we need is a way to automatically reply to these phishing scams with bogus information.

      The next time a banking official from Nigeria requests your assistance in getting some money out of the country, explain that you need to verify that he's "on the up and up" and ask him for whatever information the phishing site wants....

    • I would like to have a central list that we can send the links to phishing websites. Then someone smarter than me could write a script that just goes through the sites and enters bogus info (that looks real). If we reduce their signal to noise, it'll become much less profitable for them.
    • by The Ultimate Fartkno (756456) on Tuesday August 17, 2004 @11:58AM (#9991955)
      It's for mortgage spammers and not phishers, but I'm a fan of the Unsolicited Commando [astrobastards.net] project. It's a little Java app that spends its day filling out mortgage applications on spamvertised sites with completely believable - but totally bogus - personal data. The source is available so perhaps a clever person could randomly generate credit card numbers and adapt the program to attack phish sites.
  • by broothal (186066) <christian@fabel.dk> on Tuesday August 17, 2004 @11:38AM (#9991723) Homepage Journal
    People who are likely to fall for the usual phishing techniques are, unfortunately, not likely to install any tools to prevent phishing. Odds are that they never knew it existed before they fell for it.
    • Worse yet, Malware makers will switch to disguising their downloads as anti-phish tools.

      Novice users who hear about phishing will think any old anti-phish tool will do.

  • phishers of men (Score:3, Interesting)

    by celeritas_2 (750289) <ranmyaku@gmail.com> on Tuesday August 17, 2004 @11:40AM (#9991750)
    I've tried to actually reply to some of the money-caught-in-foreign-bank phish attempts and the only thing I get back is more and more phishing. I've failed to reach the point where they ask for your SSN, credit card or my first-born child. Either they're stupid and don't want my information, or they're smart and realize I know what they're up to.
    • Re:phishers of men (Score:3, Informative)

      by berkowow (805369)
      It is a major misconception that the Nigerian e-mail scammers are after your bank account information. What they are actually running is an "advance-fee fraud." After you give them your account info and all the rest of that stuff, they will tell you that they were just about the send you the money, but that the bank needs you to pay a $500 fee to get the money out of escrow. If you wire them the $500 over Western Union, they'll come up with something else which needs to be done, e.g. a sick relative, a b
  • by JosKarith (757063) on Tuesday August 17, 2004 @11:41AM (#9991766)
    It's called a healthy dose of cynicism.
    If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
    And I don't reply until the bank/whatever has got back to me.
  • by Chanc_Gorkon (94133) <gorkon AT gmail DOT com> on Tuesday August 17, 2004 @11:43AM (#9991778)
    My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are not even spoofed so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, no company should EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more than able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies like AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.
    • Hmmm (Score:2, Funny)

      by Anonymous Coward

      My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are not even spoofed so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, no company should EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common se

  • AntiPhishing.org (Score:5, Informative)

    by hot_Karls_bad_cavern (759797) on Tuesday August 17, 2004 @11:44AM (#9991797) Journal
    Here is more information [antiphishing.org], the SANS Internet Storm Center has seen much activity (and growing) of this shit.
  • by Anonymous Coward

    is to install a spyware toolbar ?

    i have enough trouble persuading users NOT to install crappy toolbars and plugins as it is without people recommending that they do,
    MS ActiveX and to a lesser extent Mozilla's XPInstall xpi features coupled with uninformed users are the main reason spyware/malware exists and is so easy to exploit, can you explain the difference to a (l)user between a good plugin/toolbar and a bad one ?

    security should be built into the browser

  • by gtrubetskoy (734033) * on Tuesday August 17, 2004 @11:46AM (#9991834)
    Phishers need a place to host their fake sites, and hosting companies like ours are prime targets for phishers to set up their "collection points", and we see a lot of those.

    My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime. I believe that they recruit users at ISP's in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio signup for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?

    We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most sane companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).

    A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was a $20 contribution to moveon.org - go figure!

    Right now the best way to fight off phishers is to attempt to speak to the customer in person, it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.

    Another very unfortunate side-effect of this is that it's the merchants who eat the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with a $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.

    • "My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime."

      This is very true, not only of Phishing but also of eBay scams and the like. Most of the "Work At Home for $$$$" style of ads are buying and selling items for the Russian mafia.

    • I've always found the credit card companies and banks ability to shift the financial responsibility onto merchants and users for their insecure system to be one of the greatest ripoffs in history. Merchants in particular take it up the dirt road -- chargebacks, penalties AND rate increases! And zero incentive for the people who created and control the system to do anything about it.

      I hate to say "they should pass a law", but they SHOULD pass a law that pushes the cost of CC fraud back onto banks and the
    • Every phishing scam I've seen get through my spam filters gave itself away, because the e-mails are all written by people who are either not fluent in English or who are too illiterate to get a job as a junior secretary in any English-speaking country.

      The biggest threat would be if any of these guys ever hires a native English speaker who can write, and thinks a bit about what a real e-mail from a big corporation might look like.

  • Backwards (Score:2, Interesting)

    by RU_Areo (804621)
    You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for

    I think this statement is completely backwards. You can give someone the tools; i.e., tell them what the gas and brake are for, but under no circumstances can you make them use them (properly) or understand the full consequences of not using them; this is especially true for users who are not technically inclined.
  • Kaput? (Score:2, Informative)

    by BigBadBus (653823)
    Is this the "eBay custom user toolbar" that's been broken by XP SP2?

  • by Anonymous Coward on Tuesday August 17, 2004 @11:48AM (#9991866)
    Phish Net [spamfo.co.uk]

    Some folks here may find it useful.

    • There are not many unique addresses in the list; most are repeated many times throughout it. And there are a couple that just aren't valid IP addresses at all. Not much of a list yet, but good luck with it anyway.
  • by frozenray (308282) on Tuesday August 17, 2004 @11:49AM (#9991877)

    This [mailfrontier.com] nifty quiz can help you assess your phishing detection abilities. Recommended.
    • I did pretty well on that quiz, but the only one I got wrong was #4 (the U.S. Bank one). Interestingly enough, I don't really know why, unless it's because U.S. bank doesn't exist. The URL looks valid (it's of the form https://*.usbank.com/*), and the format of the quiz means you can't see where that URL is actually pointing to.

      Is there something I can be doing better?

      • look again at the URL. www4?

        I got suckered by the earthlink one. The address looked valid, although, if I got this, I would never use the link.

        My rule is to navigate to my provider's website myself, log on, and see if there was anything that needed updating.

    • by Anonymous Coward
      100% .. was not that hard. Of course I stop phishing for a living. I only got the hotmail one because it was professionally written and mentioned only losing messages and addresses, something I know to be a fact of life about account expiration on hotmail and yahoo mail both. That it didn't say "your account will be suspended" or some other stern warning made it look less like a phish. All the others were just dead giveaways.

      No one who wants your business is going to waggle their finger and scold you a
  • by jdkane (588293) on Tuesday August 17, 2004 @11:53AM (#9991914)
    Someone should create a phishing-detection extension for Mozilla. Does anybody have any ideas about how that would work efficiently/effectively? Same as EBay technology?
  • Firefox/IE (Score:5, Interesting)

    by mrseigen (518390) on Tuesday August 17, 2004 @12:01PM (#9991989) Homepage Journal
    I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).
    • Just tested on IE 6.0 on Windows 2000. It allows you to click on such a link without any warnings, but the '...@' section disappears from the URL when it is displayed in the address bar, which ought to give you at least some feedback.
  • What about using something similar to the Sender Policy Framework (SPF) [pobox.com] for web sites? Create a list of known good websites for your company, and if the browser attempts to access something, say, eBay related, it will look at eBay's SPF list and see whether it's an authorized server or not.
  • this needs to happen, but it's like a spam blacklist: it's pretty much out of date once it's created! Better would be to have ISPs build lists and flag certain sites as possible phishing grounds, but there again, how up to date would they be?

    Bottom line is, all of our parents/kids/friends need to know; don't give info out online unless YOU initiated the contact.

    CB#__8&*(#@
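    Several comments in this thread describe the same link-side check from different angles: the `www.cnn.com@myattackersite.com` trick, the SPF-style allowlist of known-good sites, and the question of how a Mozilla extension would decide. The Python below is an added example, not code from the thread or from Web Caller-ID; it uses a constructed, hypothetical allowlist of registrable domains and classifies a link from its URL text alone, flagging userinfo before '@', bare IP hosts, and brand-name lookalikes that are not under the real domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical): the registrable domains this user or
# organisation actually does business with. A real deployment maintains it.
TRUSTED_DOMAINS = {"ebay.com", "paypal.com", "usbank.com"}


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com-style names; a real
    tool would consult the public suffix list so that names under co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Classify a link from its text alone. Returns (verdict, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious", "not a web URL"
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no host in URL"
    # Userinfo trick: the browser ignores everything before '@' when choosing
    # the host, so the familiar name the victim sees is not where it connects.
    if parts.username is not None:
        return "phishing", "userinfo before '@'; browser would connect to " + host
    # A bare IP address in place of a hostname is a common phishing tell.
    if host.replace(".", "").isdigit():
        return "phishing", "bare IP address " + host
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", host + " is under " + domain
    # Lookalikes: services-paypal.com, paypal.com.attacker.example, and so on.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host:
            return "phishing", host + " mentions " + brand + " but is not under " + trusted
    return "unknown", host + " is not on the allowlist"


if __name__ == "__main__":
    for link in ("https://www4.usbank.com/login",
                 "http://www.cnn.com@myattackersite.com/",
                 "http://services-paypal.com/",
                 "http://211.209.208.87/signin"):
        print(link, "->", classify_url(link))
```

    Note the design choice: any host under an allowlisted registrable domain (such as www4.usbank.com) is accepted, because the allowlist is keyed on the domain the bank controls, not on a particular hostname. The reverse, a trusted name that appears only as a prefix or a hyphenated part of some other domain, is exactly what the lookalike branch catches.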
  • A better start (Score:3, Insightful)

    by portwojc (201398) on Tuesday August 17, 2004 @12:10PM (#9992104) Homepage
    Web Caller-ID is not a cure-all for the phishing problem

    How about actually going after the people doing the scams as a solution? Also the providers who don't shut them down.

    I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well, not until it at least gets to epidemic proportions.
  • by sulli (195030) * on Tuesday August 17, 2004 @12:11PM (#9992116) Journal
  • by TomorrowPlusX (571956) on Tuesday August 17, 2004 @12:24PM (#9992245)
    I got an email from Earthlink that looks SO MUCH like a textbook Phishing scam ( your credit card number's going to expire... ) that I deleted it the first couple times it came my way.

    It kept on coming, however, and I decided to go to earthlink myself ( e.g., not clicking the link ) and see what the deal was.

    Turned out, it was legit. Amazing.

    The trouble here, really, is how do we handle legitimate email from banks, ISPs, etc?
  • by callipygian-showsyst (631222) on Tuesday August 17, 2004 @12:25PM (#9992256) Homepage
    What banks (and eBay) should do is NEVER, EVER send an email to customers. Period.

    And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."

    If you want to know something, you just visit eBay or your bank account.

    • What banks (and eBay) should do is NEVER, EVER send an email to customers.

      What a shame that it's come to this. Once upon a time, we were all clamoring for all correspondence to be moved to email--and for good reason, too.

      sigh

      b&

  • Simple idea. (Score:4, Interesting)

    by JessLeah (625838) on Tuesday August 17, 2004 @12:35PM (#9992348)
    When you get an email, at the top, 'caller ID' shows up (e.g. "This email was sent from: SOMEWHERE IN CHINA", vs. "This email was sent from: CITIBANK'S servers")

    When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"
  • by veritron (637136) on Tuesday August 17, 2004 @12:35PM (#9992351)
    Phishing scams have no way to determine whether the password you enter is correct or incorrect.

    If you enter in an incorrect password/username combo and the site redirects you to the real site's password and login prompt or does something other than telling you your username/password combo is incorrect, then you're definitely dealing with a phishing scam.

    Of course, you can be clever and have the scam always return "wrong username/password." If the scam's set up to do that, the only way to tell that it's a scam is to enter... your correct password and username. Clever, eh?

    So if your password "doesn't work" for an indefinite period, and then suddenly starts working again when you actually go to the site that requires your name/password via google, do yourself a favor and change your damn password.
    • by dozer (30790)
      Phishing scams have no way to determine whether the password you enter is correct or incorrect.

      You're wrong. The phisher's site can immediately attempt logging into the legit site with the stolen credentials, then return an appropriate response to your browser. To you, at worst, it would look like typical net lag. This is so trivial to do that some phishers must already be doing this.

      In fact, they could just proxy your connection to the original site. This way, you would actually be using the legimat
  • by BilSabab (583082) <ericanderson1999@@@mac...com> on Tuesday August 17, 2004 @12:36PM (#9992360) Homepage
    Let's make a couple of risky assumptions:

    1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.

    2) That I check that the certificate corresponds to the site I'm visiting.

    This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.

    So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?

    --- Friends don't let friends sig
    • Would a certificate authority refuse to issue a certificate to a website called "services-paypal.com"? If not, then just checking for an SSL icon wouldn't do much. If people are fooled by "services-paypal.com" in the address bar, they'll probably be fooled by it again in the SSL information dialog box.

    • Unfortunately... (Score:3, Insightful)

      by Phil John (576633)
      ...a large proportion of people using the internet don't even know what SSL means (or is), let alone what to check for. They just look for a padlock and think they're safe (many don't even do this).

      Users normally glaze over when they hear about certificate signing and how to check site authenticity and it's not like it's particularly hard (or expensive) to get an SSL cert these days, the last one I purchased only performed the bare minimum of checks (that I had an invoice for the server I was using to "p
    • SSL doesn't help against lookalike domain names. Of course, anyone with eyes and a brain ought to be able to spot that, but most people need something a little more blatant.
  • phishing (Score:4, Interesting)

    by ajs318 (655362) <sd_resp2.earthshod@co@uk> on Tuesday August 17, 2004 @12:49PM (#9992504)
    Most of the scam e-mails don't render properly in KMail -- which is what I mostly use -- anyway. But if they did, I'd probably go ahead and fill in a whole bunch of bogus details anyway. Can't be too hard to write a script that does a HTTP GET on the site URL, then submits random data. Preferably plausible data ..... maybe we could borrow the spammers' trick of picking words that seem to go together? And, of course, credit card numbers that pass The Test ..... not difficult, you just generate a 15 digit random string, and calculate the check digit.

    IMHO the only thing missing from KMail is the ability to turn on and off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).
  • First step (Score:5, Informative)

    by bigberk (547360) <bigberk@users.pc9.org> on Tuesday August 17, 2004 @12:56PM (#9992600)

    The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.

    OK, how about an example. Take this US Bank phishing scam, here are the Received headers:

    Received: by mail.pc9.org (Postfix, from userid 82)
    id 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
    Received: from usbank.com (unknown [211.209.208.87])
    by mail.pc9.org (Postfix) with SMTP id BCF24AC03
    for <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
    Received: from 0.212.252.18 by 211.209.208.87; Tue, 17 Aug 2004 09:08:18 -0600

    The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which cannot be forged. Now just check 211.209.208.87 using whois.

    $ whois 211.209.208.87
    ...
    [ Organization Information ]
    Organization ID : ORG3930
    Org Name : Hanaro Telecom Inc.
    State : SEOUL
    Address : Shindongah Bldg., 43 Taepyeongno2-Ga Jung-Gu
    Zip Code : 100-733
    ...

    See, easy. This email came from Korea, not US Bank. It's a scam!
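    The procedure in this post can be scripted. The Python below is an added example, not bigberk's code; it takes the Received headers quoted above as its sample input (the receiving server name mail.pc9.org comes from those same headers), unfolds them, finds the one hop that our own MTA wrote, and separates what that hop observed (the bracketed IP) from what the sender merely claimed (the HELO name and every hop below it). The whois lookup stays a manual step; the script only tells you which address to look up.

```python
import re

# Sample input: the Received headers quoted in the post above, and the name
# of the MTA that received the message, taken from those headers.
OUR_MAIL_SERVER = "mail.pc9.org"
SAMPLE_HEADERS = """\
Received: by mail.pc9.org (Postfix, from userid 82)
    id 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
Received: from usbank.com (unknown [211.209.208.87])
    by mail.pc9.org (Postfix) with SMTP id BCF24AC03
    for <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
Received: from 0.212.252.18 by 211.209.208.87; Tue, 17 Aug 2004 09:08:18 -0600
"""

# "from <helo> (<rdns> [<ip>]) by <server>" as Postfix and most MTAs write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def unfold_received(raw):
    """Join folded continuation lines; return Received values, newest hop first."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [l[len("Received:"):].strip() for l in lines if l.startswith("Received:")]


def assess(hops, our_server):
    """Locate the hop our own MTA wrote (a 'by our_server' line that records a
    connecting IP) and report what can and cannot be trusted from it."""
    for index, value in enumerate(hops):
        m = HOP_RE.search(value)
        if not m or m.group("by").lower() != our_server.lower() or not m.group("ip"):
            continue
        helo, rdns, ip = m.group("helo"), m.group("rdns") or "", m.group("ip")
        # The HELO name is whatever the sender typed; only the bracketed IP was
        # observed by our MTA. Reverse DNS of "unknown" means the IP has no PTR
        # record, which a bank's outbound mail server would normally have.
        rdns_matches_claim = rdns.lower() not in ("", "unknown") and (
            rdns.lower() == helo.lower() or rdns.lower().endswith("." + helo.lower())
        )
        return {
            "claimed": helo,
            "rdns": rdns,
            "ip": ip,
            "rdns_matches_claim": rdns_matches_claim,
            # Hops below the trusted one were supplied by the sender and may be
            # fabricated, so they are counted but never believed.
            "untrusted_hops": len(hops) - index - 1,
            "next_step": "whois " + ip,
        }
    return None


if __name__ == "__main__":
    print(assess(unfold_received(SAMPLE_HEADERS), OUR_MAIL_SERVER))
```

    On the sample above this reports claimed `usbank.com`, reverse DNS `unknown`, connecting IP `211.209.208.87`, one sender-supplied hop below the trusted one, and `whois 211.209.208.87` as the next step, which is the lookup the post then performs by hand.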