Anti-Phishing Tools

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
  • Huh (Score:5, Insightful)

    by Lord Grey ( 463613 ) * on Tuesday August 17, 2004 @11:34AM (#9991674)
    Unless I missed something, neither the article nor the summary provides a link to the product. Here is what I found: Web Caller-ID [wholesecurity.com]. That link contains this paragraph:
    Web Caller-ID's detection engine includes hundreds of routines that examine the elements of a web site, ranging from the site's content and links to its page history, and then determine if they are indicative of a spoof. For example, the URL of a particular site might be analyzed for phishing characteristics, such as the inclusion of an IP address at the beginning of the URL, or the source code might be analyzed for calls to a different web site. In production environments, Web Caller-ID consistently detects more than 98% of previously unknown spoof sites using behavioral technology.
    This product sounds interesting at first blush, but don't most phishing scams begin with an email? Web sites that support phishing aren't going to have as many of these characteristics as the email that lured the victims there to begin with. I have to wonder just how well this really works, despite the, "consistently detects more than 98% of previously unknown spoof sites" quote.
  • Educate (Score:5, Insightful)

    by Klar ( 522420 ) * <curchin@g[ ]l.com ['mai' in gap]> on Tuesday August 17, 2004 @11:34AM (#9991675) Homepage Journal
    However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.
    I have to say that I agree. These tools are great for newbie computer users. But I really think educating people on how to read a URL and not have to rely on a tool like this. If they don't understand the URL, using a 'caller id' program may not always be effective at preventing scams.

    Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.
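A sketch of the pre-scan idea from the comment above, combined with the IP-address heuristic quoted from the Web Caller-ID page. This is an added example, not code from the thread or from WholeSecurity; the brand watchlist, the short suffix table and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed watchlist: brand keyword -> registrable domains the brand really uses.
BRANDS = {
    "paypal": {"paypal.com"},
    "visa": {"visa.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
}

# Tiny stand-in for the Public Suffix List (assumption; a real tool needs the full list).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of the host that was actually registered, e.g. 'services-paypal.com'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def prescan(url):
    """Return (actual_domain, warnings) for a URL before the user follows it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    warnings = []

    # Heuristic named on the product page: an IP address where a name should be.
    try:
        ipaddress.ip_address(host)
        return host, ["host is a raw IP address"]
    except ValueError:
        pass

    # Lookalike check: the brand keyword appears somewhere in the host name,
    # but the registered domain is not one the brand owns.
    # Substring matching is deliberately loose and will produce false positives.
    actual = registrable_domain(host)
    for brand, real_domains in BRANDS.items():
        if brand in host and actual not in real_domains:
            warnings.append(f"mentions '{brand}' but registered domain is {actual}")
    return actual, warnings


if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://www.paypal.com/signin",
                "http://services-paypal.com/login",
                "http://www.paypal.com.account-check.example/login",
                "http://192.0.2.7/paypal/login"):
        domain, notes = prescan(url)
        print(f"{domain:28} {'; '.join(notes) or 'ok'}")
```

Showing the registered domain next to the warning is the point: the user sees `services-paypal.com` or `account-check.example` instead of having to parse the full URL.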
  • Glasses (Score:4, Insightful)

    by jobeus ( 639434 ) <jobe-slash@@@jobeus...net> on Tuesday August 17, 2004 @11:35AM (#9991683) Homepage
    Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere. If people could see it more clearly......... :D
  • by wheany ( 460585 ) <wheany+sd@iki.fi> on Tuesday August 17, 2004 @11:35AM (#9991690) Homepage Journal
    I thought the general consensus was that technological solutions to social problems don't work.
  • Wrong Solution (Score:4, Insightful)

    by Anonymous Coward on Tuesday August 17, 2004 @11:36AM (#9991699)
    The proper solution to phishing scams is
    1) Educate everyone not to give out confidential information to anyone.
    2) Track the phishing sites and publicly hang the owner. These things are not difficult to track by the very nature of the scam.
  • by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Tuesday August 17, 2004 @11:36AM (#9991702) Homepage Journal
    Just don't click on any links via email to anything unless you solicited it (such as an email verification to a mailing list you're subscribing to). When I'm in doubt, all I do is type in the URL to the bank/brokerage/etc. web site myself (fire up browser and type in homepage URL), log in and find out if there is anything going on. Most such websites have a way to look at everything and take any needed action right away after you type in a user/pass.

    *sigh* and on that note there is a sucker born every minute I suppose.
  • by broothal ( 186066 ) <christian@fabel.dk> on Tuesday August 17, 2004 @11:38AM (#9991723) Homepage Journal
    People who are likely to fall for the usual phishing techniques are, unfortunately, not likely to install any tools to prevent phishing. Odds are, that they never knew it existed before they fell for it.
  • Email Phishing (Score:5, Insightful)

    by TheOtherAgentM ( 700696 ) on Tuesday August 17, 2004 @11:41AM (#9991757)
    From what you and I probably see, yes. Phishing begins with an email, because we probably don't browse shady sites regularly. I don't know what the average user sees in their regular browsing. I can't even figure out where people get all the spyware from in the first place. As far as phishing emails, I know I get one email regularly that looks like a CitiBank email, but it is a .jpg file embedded. The URL has citi in it, but if you look closer, it's obviously not the right site. I'd report it, but Citi Bank's online reporting sucks.
  • by JosKarith ( 757063 ) on Tuesday August 17, 2004 @11:41AM (#9991766)
    It's called a healthy dose of cynicism.
    If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
    And I don't reply until the bank/whatever has got back to me.
  • by Chanc_Gorkon ( 94133 ) <<moc.liamg> <ta> <nokrog>> on Tuesday August 17, 2004 @11:43AM (#9991778)
    My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are not even spoofed so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company should EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more than able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies like AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.
  • Re:Huh (Score:5, Insightful)

    by beh ( 4759 ) * on Tuesday August 17, 2004 @11:43AM (#9991785)
    There is, of course, another issue as well - if you eliminate 98% of the phish scams - that'll probably also mean that people will start paying less attention to the problem at hand and might hence become less careful about those phish scams that DO make it into their inbox.

    This might be in a way comparable to the rates of HIV/AIDS spread during the late 80s/early 90s when there was LOTS of media attention to the issue, and people would actually think about what they were doing. Now, a couple of years after the height of media attention to it, the problems are rising again (simply because people no longer think about the issue).

    In the same way, I would guess people might fall more easily for phish scams, once they become more rare again.
  • Huh? No, the general consensus was you can't legislate these problems away, ie spam, phishing etc.
    User education is the most important, but technical solutions have to be used. That's like saying you shouldn't bother with having a virus scanner, because people should all be taught to avoid viruses.
  • Re:Wrong Solution (Score:2, Insightful)

    by MindStalker ( 22827 ) <mindstalker@@@gmail...com> on Tuesday August 17, 2004 @11:47AM (#9991848) Journal
    In the US or UK maybe, but many of these sites are located in parts of the world where you can get anonymous internet access.
  • Re:Glasses (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Tuesday August 17, 2004 @11:49AM (#9991875)
    Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere

    A normal-sized brain behind the glasses would work very well too. I mean, for example, the Microsoft-looking emails that require you to give a password, or a CC number or something: who the hell with a normal intelligence would fall for that one?

    Most scams look exactly like that: scams. They're so easy to spot with a vaguely critical eye that it's not funny. The problem is, who will educate a public that doesn't understand much about computers in the first place?
  • Re:Glasses (Score:4, Insightful)

    by wan-fu ( 746576 ) on Tuesday August 17, 2004 @12:04PM (#9992019)

    While I agree that helping people understand computers is partly the issue here, there's an even bigger issue and that's educating the public in general to be more aware of scams. Remember, though the internet is a haven for scammers, there are plenty of them out there sending direct mailings or using infomercials. People still fall for those and not just the tricks on the net.

    I think a big part of it is people are simply more lazy these days. As a result, they are more willing to believe in a get-rich quick scheme or an identification check for a bank or sweepstakes or whatever (especially the old who are more trusting). But who knows, maybe it's not that, it could very well be that people are just stupid and gullible by nature (which many /.'ers seem to think given the number of times I've seen references to "sheeple" and the like).

  • by jdkane ( 588293 ) on Tuesday August 17, 2004 @12:05PM (#9992033)
    I should have added "free" extension, not restricted by licensing and/or money in general.
  • A better start (Score:3, Insightful)

    by portwojc ( 201398 ) on Tuesday August 17, 2004 @12:10PM (#9992104) Homepage
    Web Caller-ID is not a cure-all for the phishing problem

    How about actually going after the people doing the scams as a solution. Also the providers who don't shut them down.

    I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well not until at least it gets to epidemic proportions.
  • Re:Email Phishing (Score:3, Insightful)

    by Anonymous Coward on Tuesday August 17, 2004 @12:15PM (#9992161)
    > There's just a slight flaw in that logic...

    No there isn't.

    You receive an email supposedly from Citibank, telling you not to trust emails from Citibank.

    If it's a fake email, it means you can't trust emails claiming to be from Citibank anymore, because someone's faking them.

    If it's legit, it's telling you not to trust emails from Citibank, so you'd better not.

    So, for this particular message, it doesn't matter whether it's fake or for real - you still know not to trust any more emails.

    So how do the real Citibank communicate with you? By waiting till you next log into your internet banking account (for minor stuff), or sending you a physical letter, or phoning you (for important stuff - which shouldn't be going by email anyway).

  • Re:Wrong Solution (Score:3, Insightful)

    by PsiPsiStar ( 95676 ) on Tuesday August 17, 2004 @12:27PM (#9992271)
    Or

    b. Send out a massive phishing e-mail and scold anyone who falls for it.
  • by j1m+5n0w ( 749199 ) on Tuesday August 17, 2004 @12:28PM (#9992290) Homepage Journal
    The proper solution to phishing scams is 1) Educate everyone not to give out confidential information to anyone. 2) Track the phishing sites and publicly hang the owner. These things are not difficult to track by the very nature of the scam.

    Don't forget

    3) Use public key cryptography to verify the authenticity of sites you do business with.

    -jim

  • Re:Educate (Score:4, Insightful)

    by psin psycle ( 118560 ) <psinpsycleNO@SPAMyahoo.com> on Tuesday August 17, 2004 @12:29PM (#9992303) Homepage
    Education will only help so long. What happens when someone writes a worm/virus that replaces the /etc/hosts file with one hacked up to send people to phishing sites instead of banking sites? Not only could the phishing websites capture account data, they could also forward the user on to the correct site so they don't even notice a problem. Who's going to check their /etc/hosts file to make sure this isn't happening!
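A defender-side check for the hosts-file scenario raised in the comment above: flag any hosts entry that pins a watched financial domain to a fixed address, since such names are normally left to DNS. This is an added example, not part of the original post; the watchlist, function names and sample file contents are constructed assumptions.

```python
import ipaddress

# Assumed watchlist of names that should always be resolved through DNS.
WATCHED = {"paypal.com", "ebay.com", "citibank.com"}


def is_watched(name):
    """True if name is a watched domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return [(line_no, ip, hostname)] for hosts entries that override a watched name."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(entry) < 2:
            continue  # blank line, comment-only line, or address without names
        ip, names = entry[0], entry[1:]
        try:
            ipaddress.ip_address(ip.split("%", 1)[0])  # drop any IPv6 zone id
        except ValueError:
            continue  # first field is not an address, so not a usable mapping
        for name in names:
            if is_watched(name):
                findings.append((line_no, ip, name))
    return findings


# Constructed sample hosts file; line 4 is the tampered entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 203.0.113.9 www.paypal.com   (commented out, must be ignored)
203.0.113.9 www.paypal.com paypal.com   # constructed tampered entry
192.168.1.20 printer.lan
"""

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

On a real machine the input would be the contents of `/etc/hosts`; running the audit on a schedule and alerting on any finding answers the "who's going to check" question without relying on the user.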
  • by veritron ( 637136 ) on Tuesday August 17, 2004 @12:35PM (#9992351)
    Phishing scams have no way to determine whether the password you enter is correct or incorrect.

    If you enter in an incorrect password/username combo and the site redirects you to the real site's password and login prompt or does something other than telling you your username/password combo is incorrect, then you're definitely dealing with a phishing scam.

    Of course, you can be clever and have the scam always return "wrong username/password." If the scam's set up to do that, the only way to tell that it's a scam is to enter... your correct password and username. Clever, eh?

    So if your password "doesn't work" for an indefinite period, and then suddenly starts working again when you actually go to the site that requires your name/password via google, do yourself a favor and change your damn password.
  • by BilSabab ( 583082 ) <ericanderson1999@@@mac...com> on Tuesday August 17, 2004 @12:36PM (#9992360) Homepage
    Let's make a couple of risky assumptions

    1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.

    2) That I check that the certificate corresponds to the site I'm visiting.

    This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.

    So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?

    --- Friends don't let friends sig
  • Re:Email Phishing (Score:5, Insightful)

    by Ra5pu7in ( 603513 ) <ra5pu7in@gm a i l . com> on Tuesday August 17, 2004 @12:37PM (#9992374) Journal
    They can't do much about it upfront. However, as soon as it involves withdrawals from customer's accounts it moves over into fraud ... which they can do something about (via usual legal means). Neither Citibank, nor any of the others (I've seen BofA, Wells Fargo, and others) are going to acknowledge all the emails they get reporting these scams. Instead, the data is accumulated and those that report they lost money this way will be prioritized because these can be used for prosecution.

    Personally, I'm waiting for the point where we can have a Darwin's Award for the idiots who answer those emails ... y'know the point when one of them loses every last dime in a scam and commits suicide, dies from a badly produced batch of V@l1um or V1agr@, or tries to gain or lose inches and has an accident with the means thereto. When this garbage produces 0 results, no matter how many millions are sent out, it will self-destruct.
  • Re:Huh (Score:1, Insightful)

    by operagost ( 62405 ) on Tuesday August 17, 2004 @12:39PM (#9992397) Homepage Journal
    What you have just said has absolutely no basis in fact. They have been teaching the use of contraception in American schools for at least 20 years now. Not having sex at all is always mentioned as obviously being the only 100% effective method, but what part of that is NOT true? Are we all too pessimistic to think that any human being anywhere has self control or the capacity to think for himself?
  • by athakur999 ( 44340 ) on Tuesday August 17, 2004 @12:58PM (#9992627) Journal
    Would a certificate authority refuse to issue a certificate to a website called "services-paypal.com"? If not, then just checking for an SSL icon wouldn't do much. If people are fooled by "services-paypal.com" in the address bar, they'll probably be fooled by it again in the SSL information dialog box.

  • Re:Huh (Score:2, Insightful)

    by Glog ( 303500 ) on Tuesday August 17, 2004 @01:02PM (#9992671)
    Which moon do you live on? Think about spam for a second - it's been around for years and it almost doubles every year. It's become like the most-reviled thing on the internet. And there are STILL people who buy things through spammed ads.

    I don't believe the general populace will get the danger of phishing even if you aired 2 minute warnings every hour on the hour for a month during prime time TV.

    There's always going to be some sucker who falls for a phishing scam. They've become too sophisticated for the average user to detect anyway.
  • by Awptimus Prime ( 695459 ) on Tuesday August 17, 2004 @01:04PM (#9992696)
    No kidding, Email should go back to being a text only messaging system. Strip out all the html, urls, and binary attachments and watch the world become a better place.

    Then again, I work in the security sector so all these flaws bring home the bacon. It is still frustrating to watch such broken systems dominate the world.
  • Unfortunately... (Score:3, Insightful)

    by Phil John ( 576633 ) <philNO@SPAMwebstarsltd.com> on Tuesday August 17, 2004 @01:06PM (#9992721)
    ...a large proportion of people using the internet don't even know what SSL means (or is), let alone what to check for. They just look for a padlock and think they're safe (many don't even do this).

    Users normally glaze over when they hear about certificate signing and how to check site authenticity and it's not like it's particularly hard (or expensive) to get an SSL cert these days, the last one I purchased only performed the bare minimum of checks (that I had an invoice for the server I was using to "prove" my identity, hardly what I call a method of high integrity).

    This kind of tech is just what the hordes of clueless AOL/internet users need, something to stop them hurting themselves on the internet, they are just like children that need looking after around the knife drawer.
  • by julesh ( 229690 ) on Tuesday August 17, 2004 @01:22PM (#9992894)
    SSL doesn't help against lookalike domain names. Of course, anyone with eyes and a brain ought to be able to spot that, but most people need something a little more blatant.
  • by soroka ( 794831 ) on Tuesday August 17, 2004 @01:48PM (#9993186) Journal
    Very well done, bigberk! It is a realistic example. But still it is an example. Actually banks almost never send such emails, so when you get a message from a bank asking to spread your guts on their site it is almost surely a phishing exercise.

    However I recently found myself in the middle of a transaction in cold sweat realising that it could have been phishing! ( I did my first SSL related project in 2000, and I still believe there is smth behind the glasses :)

    Ok, imagine receiving a message from MIT press advertising a discount on a book you wanted to buy. Should I tell that I did not whois the sender's IP but when credit card authorisation failed I freaked out. Fortunately, this was a genuine email and a genuine error this time, but what if it were not!

    Another scenario: You google for a thing and in the second page of results you find a very good price. Will you check the certificates of the http over SSL site and whois the IPs?

    Actually in all email programs from the very early years to the latest Outlook there is a facility to see the whole header of the message. It should not be too difficult to incorporate the whois requests in a similar way. So that when the user receives an email with a link that she wants to follow, she can get a report similar to the one that bigberk found manually.

    It is not a bit more difficult to do the same thing with google: Just add a link to a script that generates a whois report.

    One problem I see is that if this feature will become popular, the present whois service capacity may not be sufficient: as far as I know there is a single server to cover the whole of Asia-Pacific domains.

  • by charliekowalchuk ( 778678 ) on Tuesday August 17, 2004 @02:28PM (#9993649)
    I've bought some large items on ebay, but the best place to find scammers is when you're buying expensive laptops. I've seen a lot of phishing for ebay. I saw a recent report, which predicted that for every legit technology business, there are two scam ones.

    The most important thing, Citibank and Ebay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or it is an isolated incident. (I'm telling ya, if Firefighters took the same approach at doing their job...)

    I like to think that some of my attention I brought to ebay, has paved some of the way, as they seem to be taking a stand to this kind of scam. For instance, now you can forward phishy looking emails to spoof@ebay.com.

    Now if you surf the web, hundreds of hits come up when discussing phish and spoof emails regarding Ebay and the like, but just 8 months ago, I found only one hit (and it was actually claiming this to be a real email, not a fake), regarding a fake authentic ebay email, encouraging me that it was alright to pay Western Union with this one particular seller, because he has special circumstances, and ebay will give buyer protection, up to 80% of the sell price. And Ebay themselves gave NO reference to any kind of knowledge or other cases that this kind of stuff was going on and one should be cautious.

    I hate to mention it, but it is rumored that a lot of this stuff, being so well organized with their i's dotted and T's crossed is because some/most of these scams are being run by various mafia.
  • Re:Email Phishing (Score:3, Insightful)

    by jlechem ( 613317 ) on Tuesday August 17, 2004 @04:17PM (#9994809) Homepage Journal
    I too used to work for eBay and in that very department and know this smoke shack you speak of. The phishing problem there was terrible but they were getting better. And not only was there phishing but a big problem was assholes that would embed trojan viruses in their auction listings that would install keystroke loggers, etc on people's machines. But that is another post and whole other thread.

    I know how the toolbar program worked. It worked on scanning the HTML source and based on various factors would tell the user via the toolbar if it thought the site was a spoof site. It wouldn't work in outlook email but I caught a lot of sites that users would see in their web email. If it thought the site was a spoof the user could report it to whole security , visit the site, or just leave. If they reported the site it would get put into a black list. This black list contained a huge list of reported sites. This black list was reviewed by reps on a daily basis. Sites that were spoof/phishing were permanently added to the black list of bad sites. Non spoof sites were added to a white list of good sites.

    As far as prosecuting eBay did work with the FBI and secret service but they can only do things if the host country gives a shit. Since most of this stuff happens in Romania, Russia, India and is being run by pro mafia dudes there's nothing they can do. Just be smart and don't fall for the scam. Never give out personal info via email.
