Anti-Phishing Tools
mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
Huh (Score:5, Insightful)
Educate (Score:5, Insightful)
Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.
Glasses (Score:4, Insightful)
Technological solution to a social problem (Score:4, Insightful)
Wrong Solution (Score:4, Insightful)
1) Educate everyone not to give out confidential information to anyone.
2) Track the phishing sites and publicly hang the owner. These things are not difficult to track by the very nature of the scam.
My rule is usually fairly simple (Score:5, Insightful)
*sigh* and on that note there is a sucker born every minute I suppose.
Will this reach the intended users? (Score:5, Insightful)
Email Phishing (Score:5, Insightful)
I have a fairly good anti-phishing tool (Score:4, Insightful)
If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
And I don't reply until the bank/whatever has got back to me.
Here's my Anti-Phishing tool (Score:5, Insightful)
Re:Huh (Score:5, Insightful)
This might be in a way comparable to the rates of HIV/AIDS spread during the late 80s/early 90s when there was LOTS of media attention to the issue, and people would actually think about what they were doing. Now, a couple of years after the height of media attention to it, the problems are rising again (simply because people no longer think about the issue).
In the same way, I would guess people might fall more easily for phish scams once they become more rare again.
Re:Technological solution to a social problem (Score:5, Insightful)
User education is the most important, but technical solutions have to be used. That's like saying you shouldn't bother with having a virus scanner, because people should all be taught to avoid viruses.
Re:Wrong Solution (Score:2, Insightful)
Re:Glasses (Score:5, Insightful)
A normal-sized brain behind the glasses would work very well too. I mean, for example, the Microsoft-looking emails that require you to give a password, or a CC number or something: who the hell with a normal intelligence would fall for that one?
Most scams look exactly like that: scams. They're so easy to spot with a vaguely critical eye that it's not funny. The problem is, who will educate a public that doesn't understand much about computers in the first place?
Re:Glasses (Score:4, Insightful)
While I agree that helping people understand computers is partly the issue here, there's an even bigger issue and that's educating the public in general to be more aware of scams. Remember, though the internet is a haven for scammers, there are plenty of them out there sending direct mailings or using infomercials. People still fall for those and not just the tricks on the net.
I think a big part of it is people are simply more lazy these days. As a result, they are more willing to believe in a get-rich-quick scheme or an identification check for a bank or sweepstakes or whatever (especially the old, who are more trusting). But who knows, maybe it's not that; it could very well be that people are just stupid and gullible by nature (which many /.'ers seem to think, given the number of times I've seen references to "sheeple" and the like).
Re:should be a firefox plugin (Score:3, Insightful)
A better start (Score:3, Insightful)
How about actually going after the people doing the scams as a solution. Also the providers who don't shut them down.
I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well not until at least it gets to epidemic proportions.
Re:Email Phishing (Score:3, Insightful)
No there isn't.
You receive an email supposedly from Citibank, telling you not to trust emails from Citibank.
If it's a fake email, it means you can't trust emails claiming to be from Citibank anymore, because someone's faking them.
If it's legit, it's telling you not to trust emails from Citibank, so you'd better not.
So, for this particular message, it doesn't matter whether it's fake or for real - you still know not to trust any more emails.
So how do the real Citibank communicate with you? By waiting till you next log into your internet banking account (for minor stuff), or sending you a physical letter, or phoning you (for important stuff, which shouldn't be going by email anyway).
Re:Wrong Solution (Score:3, Insightful)
b. Send out a massive phishing e-mail and scold anyone who falls for it.
Re:Wrong Solution (need PK crypto) (Score:4, Insightful)
Don't forget
3) Use public key cryptography to verify the authenticity of sites you do business with.
-jim
Re:Educate (Score:4, Insightful)
Here's a good way... (Score:3, Insightful)
If you enter in an incorrect password/username combo and the site redirects you to the real site's password and login prompt or does something other than telling you your username/password combo is incorrect, then you're definitely dealing with a phishing scam.
Of course, you can be clever and have the scam always return "wrong username/password." If the scam's set up to do that, the only way to tell that it's a scam is to enter... your correct password and username. Clever, eh?
So if your password "doesn't work" for an indefinite period, and then suddenly starts working again when you actually go to the site that requires your name/password via google, do yourself a favor and change your damn password.
How is this better than SSL? (Score:3, Insightful)
1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.
2) That I check that the certificate corresponds to the site I'm visiting.
This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.
So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?
--- Friends don't let friends sig
Re:Email Phishing (Score:5, Insightful)
Personally, I'm waiting for the point where we can have a Darwin's Award for the idiots who answer those emails
Re:Huh (Score:1, Insightful)
Re:How is this better than SSL? (Score:3, Insightful)
Re:Huh (Score:2, Insightful)
I don't believe the general populace will get the danger of phishing even if you aired 2 minute warnings every hour on the hour for a month during prime time TV.
There's always going to be some sucker who falls for a phishing scam. They've become too sophisticated for the average user to detect anyway.
Re:My rule is usually fairly simple (Score:4, Insightful)
Then again, I work in the security sector so all these flaws bring home the bacon. It is still frustrating to watch such broken systems dominate the world.
Unfortunately... (Score:3, Insightful)
Users normally glaze over when they hear about certificate signing and how to check site authenticity, and it's not like it's particularly hard (or expensive) to get an SSL cert these days: the last one I purchased only performed the bare minimum of checks (that I had an invoice for the server I was using to "prove" my identity, hardly what I call a method of high integrity).
This kind of tech is just what the hordes of clueless AOL/internet users need, something to stop them hurting themselves on the internet, they are just like children that need looking after around the knife drawer.
Re:How is this better than SSL? (Score:3, Insightful)
Now make it useable (Score:2, Insightful)
However, I recently found myself in the middle of a transaction in a cold sweat realising that it could have been phishing! (I did my first SSL related project in 2000, and I still believe there is smth behind the glasses :)
Ok, imagine receiving a message from MIT Press advertising a discount on a book you wanted to buy. Should I tell that I did not whois the sender's IP, but when credit card authorisation failed I freaked out. Fortunately, this was a genuine email and a genuine error this time, but what if it were not!
Another scenario: You google for a thing and in the second page of results you find a very good price. Will you check the certificates of the http over SSL site and whois the IPs?
Actually, in all email programs from the very early years to the latest Outlook there is a facility to see the whole header of the message. It should not be too difficult to incorporate the whois requests in a similar way, so that when the user receives an email with a link that she wants to follow, she can get a report similar to the one that bigberk found manually.
It is not a bit more difficult to do the same thing with google: Just add a link to a script that generates a whois report.
One problem I see is that if this feature will become popular, the present whois service capacity may not be sufficient: as far as I know there is a single server to cover the whole of Asia-Pacific domains.
At Least inform the public about this (Score:3, Insightful)
The most important thing for Citibank and Ebay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or say it is an isolated incident. (I'm telling ya, if firefighters took the same approach to doing their job...)
I like to think that some of my attention I brought to ebay, has paved some of the way, as they seem to be taking a stand to this kind of scam. For instance, now you can forward phishy looking emails to spoof@ebay.com.
Now if you surf the web, hundreds of hits come up discussing phish and spoof emails regarding Ebay and the like, but just 8 months ago I found only one hit (and it was actually claiming this to be a real email, not a fake) regarding a fake "authentic" ebay email, encouraging me that it was alright to pay Western Union with this one particular seller, because he has special circumstances, and ebay will give buyer protection up to 80% of the sell price. And Ebay themselves gave NO reference to any kind of knowledge or other cases that this kind of stuff was going on and one should be cautious.
I hate to mention it, but it is rumored that a lot of this stuff, being so well organized with their i's dotted and t's crossed, is because some/most of these scams are being run by various mafia.
Re:Email Phishing (Score:3, Insightful)
I know how the toolbar program worked. It worked by scanning the HTML source and, based on various factors, would tell the user via the toolbar if it thought the site was a spoof site. It wouldn't work in Outlook email, but I caught a lot of sites that users would see in their web email. If it thought the site was a spoof, the user could report it to whole security, visit the site, or just leave. If they reported the site it would get put into a black list. This black list contained a huge list of reported sites. This black list was reviewed by reps on a daily basis. Sites that were spoof/phishing were permanently added to the black list of bad sites. Non-spoof sites were added to a white list of good sites.
As far as prosecuting, eBay did work with the FBI and Secret Service, but they can only do things if the host country gives a shit. Since most of this stuff happens in Romania, Russia, India and is being run by pro mafia dudes, there's nothing they can do. Just be smart and don't fall for the scam. Never give out personal info via email.
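A small version of the kind of HTML-source link check the toolbar described above performed, which also covers the earlier request for a tool that pre-scans the links in an e-mail before the user follows them. This is an added example, not eBay's toolbar code or anything posted in the thread; the sample e-mail body, its hostnames and the trusted-host list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body; every hostname here is made up.
SAMPLE_EMAIL_HTML = """
<p>Dear member, please verify your account:</p>
<a href="http://www.ebay.com.example-verify.net/login">www.ebay.com</a><br>
<a href="http://192.0.2.10/paypal/signin">https://www.paypal.com/</a><br>
<a href="http://www.paypal.com@203.0.113.5/">Secure login</a><br>
<a href="https://www.ebay.com/help">eBay help</a>
"""

# Hypothetical allowlist: the sites this user actually does business with,
# and the brand words a spoof would try to smuggle into an unrelated URL.
TRUSTED_HOSTS = {"www.ebay.com", "www.paypal.com"}
BRAND_WORDS = {"ebay", "paypal"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def assess_link(href, text):
    """Return the reasons a link looks deceptive (empty list = none found)."""
    reasons, parts = [], urlsplit(href)
    host = (parts.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return reasons
    if parts.username is not None:            # "trusted-name@real-host" trick
        reasons.append("userinfo before host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("numeric IP host")
    if any(b in href.lower() for b in BRAND_WORDS):
        reasons.append("trusted brand name in untrusted URL")
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if m and m.group(1).lower() != host:      # visible host != actual host
        reasons.append(f"link text shows {m.group(1)} but goes to {host}")
    return reasons

def scan_email(html):
    """Return [(href, text, reasons)] for every link in an HTML e-mail body."""
    p = _LinkCollector(); p.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in p.links]
```

Links with an empty reason list still deserve the usual care; the check only surfaces the classic tricks (IP hosts, userinfo before the host, brand names in the wrong domain, mismatched link text), it does not prove a site genuine.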