Anti-Phishing Tools 233
mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
Huh (Score:5, Insightful)
Email Phishing (Score:5, Insightful)
Re:Email Phishing (Score:3, Funny)
I got it too, though thunderbird marked it as spam and my anti-phishing tool in firefox told me "you are at 31337.h4x0rz.cn" or wherever. I'm not sure what good it would do to report it to citi since there's nothing they can do about it except maybe send out emails to everyone in the world telling them not to believe emails claiming to be from them.
Re:Email Phishing (Score:5, Funny)
There's just a slight flaw in that logic...
Re:Email Phishing (Score:3, Insightful)
No there isn't.
You receive an email supposedly from Citibank, telling you not to trust emails from Citibank.
If it's a fake email, it means you can't trust emails claiming to be from Citibank anymore, because someone's faking them.
If it's legit, it's telling you not to trust emails from Citibank, so you'd better not.
So, for this particular message, it doesn't matter whether it's fake or for real - you still know not to trust any more emails.
So how do the
Re:Email Phishing (Score:5, Informative)
Who knows what they do with that information. Maybe nothing. Still, it's worth reporting, if only to show that the community is against these frauds.
Re:Email Phishing (Score:2, Interesting)
Re:Email Phishing (Score:3, Informative)
Re:Email Phishing (Score:5, Interesting)
I used to work at eBay and the phishing problem was terrible (though I didn't deal with it directly, that wasn't my department). When users would find out, they'd demand to know why eBay didn't do something about it. The people who worked on that floor would stand around in the smoking shed and bitch, "What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"
Re:Email Phishing (Score:2)
It leads me to think of the dystopia that is Shadowrun's game world, where corporations have their own standing armies.
Re:Email Phishing (Score:5, Insightful)
Personally, I'm waiting for the point where we can have a Darwin's Award for the idiots who answer those emails
Re:Email Phishing (Score:2, Interesting)
You know? That would be absolutely delightful. Hell, I'm sure there would be legions of geeks willing to ensure that the information entered into their systems wasn't "Murder", but "Tickling with fluffy bunnies" instead.
I've always wondered just what law enforcement would do if someone started to serially hunt spammers, and I keep coming to the conclusion that all you need to keep the trail cold is leave a note saying "This man sent your daughter emails about zoo porn"
Re:Email Phishing (Score:2, Interesting)
"What do they want us to do, buy some guns and go to Romania and raid the guy's house wearing little eBay uniforms?"
How about persuading the government to put pressure on the foreign country's government until they sort the problem out? If the MPAA can get "DVD Jon" arrested all the way over in Norway, surely eBay can get some spammers arrested?
Re:Email Phishing (Score:3, Interesting)
That's not all that far from the real world. Government is corporations; corporations is government.
At Least inform the public about this (Score:3, Insightful)
The most important thing for Citibank, eBay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or it is an isolated innceden
Re:Email Phishing (Score:3, Insightful)
I know how the toolbar program worked. It worked on scanning the HTML source and based on various factors wo
Re:Email Phishing (Score:2)
Re:Huh (Score:2)
I'm skeptical about the 98% thing as well.
Re:Huh (Score:5, Insightful)
This might be in a way comparable to the rates of HIV/AIDS spread during the late 80s/early 90s when there was LOTS of media attention to the issue, and people would actually think about what they were doing. Now, a couple of years after the height of media attention to it, the problems are rising again (simply because people no longer think about the issue).
In the same way, I would guess people might fall more easily for phish scams once they become more rare again.
Re:Huh (Score:2, Insightful)
I don't believe the general populace will get the danger of phishing even if you aired 2 minute warnings every hour on the hour for a month during prime time TV.
There's always going to be some sucker who falls for a phishing scam. They've become too sophisticated for the
Re:Huh (Score:3, Interesting)
Educate (Score:5, Insightful)
Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.
Re:Educate (Score:2)
Re:Educate (Score:2, Informative)
This would fool 98% of semi-experienced users.
Re:Educate (Score:2, Interesting)
One other problem companies have is changing their website's appearance. For example, CapitalOne recently changed their homepage and I was actually too nervous to log in for a few days.
Also, a poor quality website can make people suspicious. A friend of mine asked me to inspect his cable company's website to see if it were real or not because it was so poorly designed. I told him since it was so poorly designed to not trust its security, either, and not bother doing the online bill pay.
Re:Educate (Score:4, Informative)
Re:Educate (Score:4, Insightful)
Glasses (Score:4, Insightful)
Re:Glasses (Score:5, Insightful)
A normal-sized brain behind the glasses would work very well too. I mean, for example, the Microsoft-looking emails that require you to give a password, or a CC number or something: who the hell with a normal intelligence would fall for that one?
Most scams look exactly like that: scams. They're so easy to spot with a vaguely critical eye that it's not funny. The problem is, who will educate a public that doesn't understand much about computers in the first place?
Re:Glasses (Score:4, Insightful)
While I agree that helping people understand computers is partly the issue here, there's an even bigger issue and that's educating the public in general to be more aware of scams. Remember, though the internet is a haven for scammers, there are plenty of them out there sending direct mailings or using infomercials. People still fall for those and not just the tricks on the net.
I think a big part of it is people are simply more lazy these days. As a result, they are more willing to believe in a get-rich quick scheme or an identification check for a bank or sweepstakes or whatever (especially the old who are more trusting). But who knows, maybe it's not that, it could very well be that people are just stupid and gullible by nature (which many /.'ers seem to think given the number of times I've seen references to "sheeple" and the like).
Already sluggish... (Score:5, Informative)
WholeSecurity's new software claims to identify fraudulent sites.
Paul Roberts, IDG News Service
Monday, August 16, 2004
A new software tool from WholeSecurity can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.
The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies, and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud, and increase confidence in online commerce, the company says.
Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account, or credit card number, often under the guise of updating account information.
Already in Use
A version of Web Caller-ID is already being used by EBay in a feature called Account Guard, part of an EBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs that disguise the true Internet address of the site the user is visiting.
Companies can license a Web browser plug-in from WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity says.
A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites, or fine-tune the Web Caller-ID technology to adapt to their company's Web site.
On the Rise
Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group.
There were 1422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group says.
A survey of 5000 adult Internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner says.
Taking the First Step
Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams, says Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at EBay.
"These are some of the things we need to do moving forward--getting technology built into the Web browsers themselves to do these things," he says.
However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.
"You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he says.
Re:Already sluggish... (Score:3, Funny)
John.
Re:Already sluggish... (Score:2, Funny)
Here you go, just go here http://www.advertysement.com/ [advertysement.com] and enter your credit card details, we will gladly show you the missing content.
Technological solution to a social problem (Score:4, Insightful)
Re:Technological solution to a social problem (Score:5, Insightful)
User education is the most important, but technical solutions have to be used. Thats like saying you shouldn't bother with having a virus scanner, because people should all be taught to avoid viruses.
Re:Technological solution to a social problem (Score:2, Funny)
Deodorant
A razor
A comb
Air-freshener
A sign that says, "No camping allowed."
Oh, wait - that's my anti-Phish-FAN tool-kit.
(Before ya get your mellow all harshed, I AM a Phish fan, to a degree. ;-) )
Anti-phishing toolbar for FireFox (Score:5, Informative)
Spoofstick [corestreet.com] is a plugin for FireFox or Internet Explorer that can help identify 'phishy' sites while surfing.
It does take a little more real estate out of the browser's window, but it's a pretty useful tool when teaching people about the dangers of clicking links blindly.
Re:Anti-phishing toolbar for FireFox (Score:2, Interesting)
Re:Anti-phishing toolbar for FireFox (Score:2, Interesting)
But...
ping images.apple.com
PING a932.g.akamai.net (38.115.177.150) 56(84) bytes of data.
64 bytes from 38.115.177.150: icmp_seq=1 ttl=57 time=30.6 ms
Re:Anti-phishing toolbar for FireFox (Score:2)
The problem comes when apple.com loads images from images-apple.com or something that's a separate domain, rather than simply a sub-domain.
You mean... (Score:5, Funny)
...I wasn't supposed to give s1ashdot my credit card number to read this story?
Wrong Solution (Score:4, Insightful)
1) Educate everyone not to give out confidential information to anyone.
2) Track the phishing sites and publically hang the owner. These things are not difficult to track by the very nature of the scam.
Re:Wrong Solution (Score:2, Insightful)
Re:Wrong Solution (Score:2)
Re:Wrong Solution (Score:2)
Re:Wrong Solution (Score:2)
Re:Wrong Solution (Score:3, Insightful)
b. Send out a massive phishing e-mail and scold anyone who falls for it.
Re:Wrong Solution (need PK crypto) (Score:4, Insightful)
Don't forget
3) Use public key cryptography to verify the authenticity of sites you do business with.
-jim
My rule is usually fairly simple (Score:5, Insightful)
*sigh* and on that note there is a sucker born every minute I suppose.
Re:My rule is usually fairly simple (Score:4, Insightful)
Then again, I work in the security sector so all these flaws bring home the bacon. It is still frustrating to watch such broken systems dominate the world.
phishing automated reply (Score:4, Funny)
Re: (Score:3, Funny)
Re:phishing automated reply (Score:2)
Re:phishing automated reply (Score:5, Interesting)
Will this reach the intended users? (Score:5, Insightful)
fake anti-phish (Score:2)
Novice users hear about phishing, will think any old anti-phish tool will do.
phishers of men (Score:3, Interesting)
Re:phishers of men (Score:3, Informative)
Re:phishers of men (Score:2, Informative)
I wouldn't go there even with 10 bouncer friends, but then again, I wouldn't fall for a Nigeria letter either.
I have a fairly good anti-phishing tool (Score:4, Insightful)
If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
And I don't reply until the bank/whatever has got back to me.
Here's my Anti-Phishing tool (Score:5, Insightful)
Hmmm (Score:2, Funny)
My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are not even spoofed so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company should EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common se
AntiPhishiing.org (Score:5, Informative)
so the cure to prevent phishing (Score:2, Interesting)
is to install a spyware toolbar ?
i have enough trouble persuading users NOT to install crappy toolbars and plugins as it is without people recommending that they do,
MS ActiveX and to a lesser extent Mozilla's XPInstall xpi features coupled with uninformed users are the main reason spyware/malware exists and is so easy to exploit, can you explain the difference to a (l)user between a good plugin/toolbar and a bad one ?
security should be built into the browser
Phishing is a big problem for hosting companies (Score:5, Interesting)
My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime. I believe that they recruit users at ISP's in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio sign up for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?
We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most sane companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).
A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was a $20 contribution to moveon.org - go figure!
Right now the best way to fight off phishers is to attempt to speak to the customer in person, it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.
Another very unfortunate side-effect of this is that it's the merchants who eat the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with a $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.
Re:Phishing is a big problem for hosting companies (Score:2)
This is very true, not only of Phishing but also of eBay scams and the like. Most of the "Work At Home for $$$$" style of ads are buying and selling items for the Russian mafia.
Re:Phishing is a big problem for hosting companies (Score:3, Interesting)
I hate to say "they should pass a law", but they SHOULD pass a law that pushes the cost of CC fraud back onto banks and the
Re:Phishing is a big problem for hosting companies (Score:3, Interesting)
Every phishing scam I've seen get through my spam filters gave itself away, because the e-mails are all written by people who are either not fluent in English or who are too illiterate to get a job as a junior secretary in any English-speaking country.
The biggest threat would be if any of these guys ever hires a native English speaker who can write, and thinks a bit about what a real e-mail from a big corporation might look like.
Backwards (Score:2, Interesting)
I think this statement is completely backwards. You can give someone the tools; ie. tell them what the gas and brake are for, but under no circumstances can you make them use them (properly) or understand the full consequences of not using them this is especially true for users who are not technically inclined.
Kaput? (Score:2, Informative)
List of IPs used by phishers (Score:5, Informative)
Some folks here may find it useful.
I just looked at the list (Score:3, Informative)
Cool phishing detection quiz (Score:5, Informative)
This [mailfrontier.com] nifty quiz can help you assess your phishing detection abilities. Recommended.
Re:Cool phishing detection quiz (Score:2)
Is there something I can be doing better?
Re:Cool phishing detection quiz (Score:2)
I got suckered by the earthlink one. The address looked valid, although, if I got this, I would never use the link.
My rule is to navigate to my providers website myself, log on, and see if there was anything that needed updating.
Re:Cool phishing detection quiz (Score:3, Informative)
No one who wants your business is going to waggle their finger and scold you a
Re: (Score:2)
should be a firefox plugin (Score:3, Interesting)
Re:should be a firefox plugin (Score:3, Insightful)
Re:should be a firefox plugin (Score:3, Interesting)
A little simple but it tells you exactly what site you're on.
They also have one for IE.
Firefox/IE (Score:5, Interesting)
Re:Firefox/IE (Score:2)
SPF for Websites (Score:2)
needs to happen (Score:2)
Bottom line is, all of our parents/kids/friends need to know; don't give info out online unless YOU initiated the contact.
A better start (Score:3, Insightful)
How about actually going after the people doing the scams as a solution. Also the providers who don't shut them down.
I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well not until at least it gets to epidemic proportions.
Anti-Phishing Tool (Score:4, Funny)
Had a bit of a scare, recently (Score:3, Interesting)
It kept on coming, however, and I decided to go to earthlink myself ( e.g., not clicking the link ) and see what the deal was.
Turned out, it was legit. Amazing.
The trouble here, really, is how do we handle legitimate email from banks, ISPs, etc?
What banks *should* do! (Score:5, Interesting)
And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."
If you want to know something, you just visit eBay or your bank account.
Re:What banks *should* do! (Score:2)
What a shame that it's come to this. Once upon a time, we were all clamoring for all correspondence to be moved to email--and for good reason, too.
sigh
Simple idea. (Score:4, Interesting)
When you mouseover a link, a LARGE JavaScript thingy pops up saying "This link is to: SOMEWHERE IN NIGERIA" or "This link is to: CITIBANK'S site"
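The "what is this link really pointing at" check that this post, the "Educate" post earlier in the thread (a pre-scan of the URL that shows the actual domain) and the Spoofstick discussion all describe, as an added example that is not part of the original thread or of any of the tools named in it. It pulls the host a link actually resolves to out of the URL, collapses it to the registrable domain, and compares that against a small brand table. The brand table, the two-label suffix set and every sample URL are constructed for the example; the suffix set is a tiny stand-in for a real public suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed table: where each brand's real site lives (assumption for the
# example, not data from the thread).
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "citibank": "citibank.com",
    "ebay": "ebay.com",
}

# Constructed stand-in for the public suffix list; only the entries the sample
# URLs need. A real tool would ship the full list.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.cn", "co.kr"}


def registrable_domain(host):
    """Reduce a hostname to the part somebody had to register: the last two
    labels, or three where the suffix itself is two labels (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def describe_link(url):
    """Return the host the browser would really connect to, plus warnings for
    the tricks phishing links rely on: a brand name as the user@ prefix, the
    brand as a subdomain of an unrelated site, or a bare IP address."""
    parts = urlsplit(url)
    host = parts.hostname  # already stripped of userinfo, port and brackets
    if host is None:
        return {"actual_host": None, "actual_domain": None,
                "warnings": ["no host in URL"]}
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    actual = host if is_ip else registrable_domain(host)

    warnings = []
    if parts.username is not None:
        warnings.append("URL has a user@ prefix that hides the real host")
    if is_ip:
        warnings.append("link goes to a bare IP address, not a named site")
    lowered = url.lower()
    for brand, home in KNOWN_BRANDS.items():
        if brand in lowered and actual != home:
            warnings.append("mentions %s but actually goes to %s" % (brand, actual))
    return {"actual_host": host, "actual_domain": actual, "warnings": warnings}


def caption(url):
    """The one-line text a mouseover popup would show for this link."""
    info = describe_link(url)
    if not info["warnings"]:
        return "This link is to: %s" % info["actual_domain"]
    return "This link is to: %s (%s)" % (info["actual_domain"],
                                         "; ".join(info["warnings"]))


if __name__ == "__main__":
    # Constructed sample links; 198.51.100.23 is an RFC 5737 documentation address.
    for sample in ("https://www.paypal.com/cgi-bin/webscr",
                   "http://www.paypal.com@evil.example/login",
                   "http://www.paypal.com.evil.example/",
                   "http://198.51.100.23/citibank/"):
        print(caption(sample))
```

The user@ case is the one the thread's "disguised URL" discussion is about: everything before the `@` is ignored by the browser, so the visible `www.paypal.com` is just a throwaway username. This example does not decode numeric or hex-encoded IP hosts (`http://3512041543/`), so treat a host that is neither a name nor a dotted IP as suspicious too.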
Here's a good way... (Score:3, Insightful)
If you enter in an incorrect password/username combo and the site redirects you to the real site's password and login prompt or does something other than telling you your username/password combo is incorrect, then you're definitely dealing with a phishing scam.
Of course, you can be clever and have the scam always return "wrong username/password." If the scam's set up to do that, the only way to tell that it's a scam is to enter... your correct password and username. Clever, eh?
So if your password "doesn't work" for an indefinite period, and then suddenly starts working again when you actually go to the site that requires your name/password via google, do yourself a favor and change your damn password.
Re:Here's a good way... (Score:3, Informative)
You're wrong. The phisher's site can immediately attempt logging into the legit site with the stolen credentials, then return an appropriate response to your browser. To you, at worst, it would look like typical net lag. This is so trivial to do that some phishers must already be doing this.
In fact, they could just proxy your connection to the original site. This way, you would actually be using the legimat
How is this better than SSL? (Score:3, Insightful)
1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.
2) That I check that the certificate corresponds to the site I'm visiting.
This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.
So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?
--- Friends don't let friends sig
Re:How is this better than SSL? (Score:3, Insightful)
Unfortunately... (Score:3, Insightful)
Users normally glaze over when they hear about certificate signing and how to check site authenticity and it's not like it's particularly hard (or expensive) to get an SSL cert these days, the last one I purchased only performed the bare minimum of checks (that I had an invoice for the server I was using to "p
Re:How is this better than SSL? (Score:3, Insightful)
phishing (Score:4, Interesting)
IMHO the only thing missing from KMail is the ability to turn on and off HTML rendering and image loading on a folder-by-folder basis (so I can view known "ham" e-mail in the format it was sent; but my brain already renders HTML so well that <em>this looks a bit slanty</em>).
First step (Score:5, Informative)
The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.
OK, how about an example. Take this US Bank phishing scam, here are the Received headers:
The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which can not be forged. Now just check 211.209.208.87 using whois
See, easy. This email came from Korea, not US Bank. It's a scam!
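The Received-header check from this post, as an added example that is not part of the original thread (the poster's actual US Bank headers were left out of the page, so the message below is constructed, with RFC 5737 documentation addresses standing in for the ISP and for the phisher's host). One caveat the code builds in: the only Received line you can rely on is the one your own provider's server wrote when the outside host connected to it. The lines below that one arrived inside the message and can say whatever the sender typed, so the walk starts from the top and stops at the first hop whose logged IP is outside your ISP's networks. The whois lookup is a constructed in-memory table so the example runs offline; a real check would query whois for the address.

```python
import email
import ipaddress
import re

# Constructed sample message (not the headers from the original post).
# 192.0.2.0/24 stands in for "my ISP", 198.51.100.23 for the phisher's host.
SAMPLE_MESSAGE = (
    "Received: from mx1.myisp.example (mx1.myisp.example [192.0.2.10])\n"
    "\tby mailbox.myisp.example with ESMTP id 1Bwx2Y-0003Zk-00\n"
    "\tfor <victim@myisp.example>; Mon, 16 Aug 2004 10:12:31 -0500\n"
    "Received: from usbank.com (unknown [198.51.100.23])\n"
    "\tby mx1.myisp.example with SMTP id 1Bwx2W-0003Zf-00\n"
    "\tfor <victim@myisp.example>; Mon, 16 Aug 2004 10:12:29 -0500\n"
    'From: "US Bank" <security@usbank.com>\n'
    "To: victim@myisp.example\n"
    "Subject: Important account verification\n"
    "\n"
    "Please verify your account.\n"
)

# Constructed stand-in for a whois/RIR lookup (assumption for the example).
FAKE_WHOIS = {
    "192.0.2.0/24": ("MyISP Inc", "US"),
    "198.51.100.0/24": ("Example Hosting Korea", "KR"),
}

HELO_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """One dict per Received header, nearest hop first: the sender-supplied
    HELO name ("claimed") and the address the receiving server logged in
    square brackets ("ip")."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        helo = HELO_RE.match(flat)
        ip = IP_RE.search(flat)
        hops.append({
            "claimed": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def whois_owner(ip):
    """Look the address up in the constructed allocation table."""
    addr = ipaddress.ip_address(ip)
    for net, owner in FAKE_WHOIS.items():
        if addr in ipaddress.ip_network(net):
            return owner
    return ("unknown", "??")


def connecting_host(raw_message, my_isp_networks):
    """Walk the chain from the top and return the first hop whose logged IP
    lies outside your own provider's networks. That line was written by a
    server you trust, so its bracketed IP is real; anything below it was
    already inside the message when it arrived and may be forged."""
    trusted = [ipaddress.ip_network(n) for n in my_isp_networks]
    for hop in parse_received(raw_message):
        if hop["ip"] is None:
            continue
        if not any(ipaddress.ip_address(hop["ip"]) in n for n in trusted):
            return hop
    return None


def assess(raw_message, my_isp_networks, expected_domain):
    """Compare what the connecting host claimed to be with who owns its IP."""
    hop = connecting_host(raw_message, my_isp_networks)
    if hop is None:
        return {"verdict": "no external hop found"}
    org, country = whois_owner(hop["ip"])
    claims_brand = (hop["claimed"] or "").lower().endswith(expected_domain)
    owned_by_brand = expected_domain.split(".")[0] in org.lower()
    verdict = "consistent" if owned_by_brand else "suspicious"
    if claims_brand and not owned_by_brand:
        verdict = "scam: HELO claims %s but IP belongs to %s (%s)" % (
            expected_domain, org, country)
    return {"claimed": hop["claimed"], "ip": hop["ip"], "owner": org,
            "country": country, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE, ["192.0.2.0/24"], "usbank.com"))
```

Run against the constructed message, the top hop (192.0.2.10) is skipped as the ISP's own relay, the next hop is the outside connection, and its logged address resolves to a Korean hosting range while the HELO string claims usbank.com: the same mismatch the post describes.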
Re:Nice try, indeed. (Score:3, Funny)
Stop trying to infect me with your spyware! I'm wise to your tricks!
Re:Another poor metaphor.... (Score:3, Funny)