Security Spam

Anti-Phishing Tools 233

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
  • Already sluggish... (Score:5, Informative)

    by La_Boca ( 201988 ) on Tuesday August 17, 2004 @11:35AM (#9991688) Journal
    Does That Web Site Look Phishy?

    WholeSecurity's new software claims to identify fraudulent sites.

    Paul Roberts, IDG News Service
    Monday, August 16, 2004

    A new software tool from WholeSecurity can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.

    The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies, and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud, and increase confidence in online commerce, the company says.

    Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account, or credit card number, often under the guise of updating account information.

    Already in Use

    A version of Web Caller-ID is already being used by EBay in a feature called Account Guard, part of an EBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs that disguise the true Internet address of the site the user is visiting.

    Companies can license a Web browser plug-in from WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity says.

    A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites, or fine-tune the Web Caller-ID technology to adapt to their company's Web site.

    On the Rise

    Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group.

    There were 1422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group says.

    A survey of 5000 adult Internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner says.

    Taking the First Step

    Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams, says Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at EBay.

    "These are some of the things we need to do moving forward--getting technology built into the Web browsers themselves to do these things," he says.

    However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.

    "You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he says.
  • by NewbieV ( 568310 ) * <victor...abraham ... ot@@@gmail...com> on Tuesday August 17, 2004 @11:35AM (#9991693)

    Spoofstick [corestreet.com] is a plugin for FireFox or Internet Explorer that can help identify 'phishy' sites while surfing.

    It does take a little more real estate out of the browser's window, but it's a pretty useful tool when teaching people about the dangers of clicking links blindly.

  • Re:Educate (Score:2, Informative)

    by Anonymous Coward on Tuesday August 17, 2004 @11:38AM (#9991732)
    I've seen some intense scam sites where a graphic covers the address bar, and it looks like you are really at citibank. I was actually taken aback for a few seconds. I KNEW I was on a phishing site, but the URL was clearly citibank's (I have accounts there). Played with the address bar, and noticed... hmmm.

    This would fool 98% of semi-experienced users.
  • AntiPhishing.org (Score:5, Informative)

    by hot_Karls_bad_cavern ( 759797 ) on Tuesday August 17, 2004 @11:44AM (#9991797) Journal
    Here is more information [antiphishing.org], the SANS Internet Storm Center has seen much activity (and growing) of this shit.
  • Kaput? (Score:2, Informative)

    by BigBadBus ( 653823 ) on Tuesday August 17, 2004 @11:47AM (#9991845) Homepage
    Is this the "eBay custom user toolbar" that's been broken by XP SP2?

  • by Anonymous Coward on Tuesday August 17, 2004 @11:48AM (#9991866)
    Phish Net [spamfo.co.uk]

    Some folks here may find it useful.

  • by frozenray ( 308282 ) on Tuesday August 17, 2004 @11:49AM (#9991877)

    This [mailfrontier.com] nifty quiz can help you assess your phishing detection abilities. Recommended.
  • by G27 Radio ( 78394 ) on Tuesday August 17, 2004 @12:05PM (#9992040)
    There are not many unique addresses in the list; most are repeated many times throughout it. And there are a couple that just aren't valid IP addresses at all. Not much of a list yet, but good luck with it anyway.
  • Re:phishers of men (Score:3, Informative)

    by berkowow ( 805369 ) on Tuesday August 17, 2004 @12:06PM (#9992055)
    It is a major misconception that the Nigerian e-mail scammers are after your bank account information. What they are actually running is an "advance-fee fraud." After you give them your account info and all the rest of that stuff, they will tell you that they were just about to send you the money, but that the bank needs you to pay a $500 fee to get the money out of escrow. If you wire them the $500 over Western Union, they'll come up with something else which needs to be done, e.g. a sick relative, a bribe to a state official, etc. They'll string you along with these advance fees for as long as possible. In some cases, they'll try to get you to go down to Nigeria yourself where you'll be kidnapped and held for ransom. The whole scam is remarkably low-tech, and not at all what most people expect.
  • by Anonymous Coward on Tuesday August 17, 2004 @12:13PM (#9992140)
    100% .. was not that hard. Of course I stop phishing for a living. I only got the hotmail one because it was professionally written and mentioned only losing messages and addresses, something I know to be a fact of life about account expiration on hotmail and yahoo mail both. That it didn't say "your account will be suspended" or some other stern warning made it look less like a phish. All the others were just dead giveaways.

    No one who wants your business is going to waggle their finger and scold you about taking action NOW or you will lose your account, the way most of the phishers do. Even if you haven't paid them -- they just suspend it and tell you to call them on the phone.

  • Re:Email Phishing (Score:5, Informative)

    by realdpk ( 116490 ) on Tuesday August 17, 2004 @12:14PM (#9992143) Homepage Journal
    Actually, as someone who's working at a web host, I can tell you Citibank does take this sort of thing seriously, and they are interested to know where the sites are being hosted.

    Who knows what they do with that information. Maybe nothing. Still, it's worth reporting, if only to show that the community is against these frauds.
  • Re:Educate (Score:4, Informative)

    by donnyspi ( 701349 ) <`junk5' `at' `donnyspi.com'> on Tuesday August 17, 2004 @12:48PM (#9992494) Homepage
    This Citibank one's even more sophisticated than having an image cover the address bar: http://www.antiphishing.org/phishing_archive/07-05-04_Citibank_(Citisafe_by_Citibank).html
  • Re:phishers of men (Score:2, Informative)

    by Sarastrobert ( 800232 ) on Tuesday August 17, 2004 @12:52PM (#9992532)
    It might be worth mentioning (not that I think you are serious or anything) that people have gone down to Nigeria to get their money back, and have been murdered by the scammers.

    I wouldn't go there even with 10 bouncer friends, but then again, I wouldn't fall for a Nigeria letter either.
  • Re:Email Phishing (Score:1, Informative)

    by Anonymous Coward on Tuesday August 17, 2004 @12:56PM (#9992589)
    Like Halliburton's army of private security in Iraq? Just a fancy-pants way of saying mercenaries.
  • First step (Score:5, Informative)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday August 17, 2004 @12:56PM (#9992600)

    The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.

    OK, how about an example. Take this US Bank phishing scam, here are the Received headers:

    Received: by mail.pc9.org (Postfix, from userid 82)
    id 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
    Received: from usbank.com (unknown [211.209.208.87])
    by mail.pc9.org (Postfix) with SMTP id BCF24AC03
    for <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
    Received: from 0.212.252.18 by 211.209.208.87; Tue, 17 Aug 2004 09:08:18 -0600

    The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which can not be forged. Now just check 211.209.208.87 using whois

    $ whois 211.209.208.87
    ...
    [ Organization Information ]
    Organization ID : ORG3930
    Org Name : Hanaro Telecom Inc.
    State : SEOUL
    Address : Shindongah Bldg., 43 Taepyeongno2-Ga Jung-Gu
    Zip Code : 100-733
    ...

    See, easy. This email came from Korea, not US Bank. It's a scam!
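
The header check described in the comment above, as an added example that is not part of the original post: it pulls the bracketed connecting IP out of the hop stamped by the recipient's own mail server and ignores every Received line below it. The function name `connecting_host` and its `trusted_mta` parameter are assumptions made for this sketch; the whois lookup on the returned address is left as a separate step.

```python
import email
import ipaddress
import re

# Received lines copied from the comment above; From/Subject/body are constructed.
RAW = """\
Received: by mail.pc9.org (Postfix, from userid 82)
\tid 2E7E6AC1B; Tue, 17 Aug 2004 07:13:50 -0700 (PDT)
Received: from usbank.com (unknown [211.209.208.87])
\tby mail.pc9.org (Postfix) with SMTP id BCF24AC03
\tfor <bigberk@users.pc9.org>; Tue, 17 Aug 2004 07:13:47 -0700 (PDT)
Received: from 0.212.252.18 by 211.209.208.87; Tue, 17 Aug 2004 09:08:18 -0600
From: service@usbank.com
Subject: constructed sample

constructed body
"""

# Postfix layout: "from <helo> (<rdns> [<ip>]) by <host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)", re.I)

def connecting_host(raw_message, trusted_mta):
    """Return the external hop as recorded by our own mail server, or None.

    Received headers are prepended, so the list runs newest first. Only a hop
    stamped by trusted_mta is believed; the first such hop with a bracketed
    address is the external connection, and every header below it was
    supplied by the sender.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(flat)
        if not m or m.group("by").lower() != trusted_mta.lower():
            continue
        ip = ipaddress.ip_address(m.group("ip"))  # ValueError on a malformed address
        helo, rdns = m.group("helo").lower(), m.group("rdns").lower()
        return {
            "ip": str(ip),      # the value to feed to whois
            "helo": helo,       # sender-supplied name, not evidence
            "rdns": rdns,       # what the MTA resolved, "unknown" if nothing
            "helo_unverified": not (rdns == helo or rdns.endswith("." + helo)),
        }
    return None

if __name__ == "__main__":
    print(connecting_host(RAW, "mail.pc9.org"))
```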

  • by dozer ( 30790 ) on Tuesday August 17, 2004 @01:56PM (#9993270)
    Phishing scams have no way to determine whether the password you enter is correct or incorrect.

    You're wrong. The phisher's site can immediately attempt logging into the legit site with the stolen credentials, then return an appropriate response to your browser. To you, at worst, it would look like typical net lag. This is so trivial to do that some phishers must already be doing this.

    In fact, they could just proxy your connection to the original site. This way, you would actually be using the legitimate site -- you could not tell any difference. It's just that all traffic would be passing through the phisher's computers too, and they could grab whatever information they wanted.

  • Re:Email Phishing (Score:3, Informative)

    by pnutjam ( 523990 ) <slashdot&borowicz,org> on Tuesday August 17, 2004 @02:05PM (#9993378) Homepage Journal
    I saw a similar one, if you look closely they are using frames. The one I had was a 3 frame page, top and bottom frames were the actual website, so it showed that in the address bar, only the middle frame was haxor.ru or some such crap.
  • Re:Email Phishing (Score:1, Informative)

    by Anonymous Coward on Tuesday August 17, 2004 @02:18PM (#9993512)
    Hey man, I trust you'll love Pohl & Kornbluth's old sci-fi classic "Merchants Of Space".

    Corporations have private armies (and strict rules for "business war" which is quite literally just that), US Senators represent corporations instead of geographical and political factions (states and parties), advertising agencies don't just advertise or create products but re-organise entire industries and the consumptions of entire continents...

    And nobody talks about "commies" any more, the "consies" (conservatives) are the enemy of progress and free capitalism ;-)

    And it's just a plain good story regardless of the dizzying visionaryism in it.
  • Re:Email Phishing (Score:2, Informative)

    by pyros ( 61399 ) on Tuesday August 17, 2004 @02:31PM (#9993681) Journal
    This finally pushed me over to Thunderbird, even though it's not ready for my needs (for the love of Linus, people, make the SMTP server definable per email account, just like the POP server). Thunderbird displays the same URL on mouseover as it will use when one clicks on it (I actually filed a bug report with Microsoft that OE/IE do not).

    While the interface probably isn't what you're expecting, that is already possible. In the Account Settings dialog, select SMTP in the pane on the left. Then click the Advanced button on the right, and you can add multiple SMTP servers. Then for each account select Server Settings in the left pane, and click the Advanced button on the right. You can specify any of the configured SMTP servers there. You can also select from any of the configured SMTP servers during email composition, the from line should have a pull-down arrow next to it.
