Anti-Phishing Tools

mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.

Huh

[Lord+Grey]

Unless I missed something, neither the article nor the summary provides a link to the product. Here is what I found: Web Caller-ID. That link contains this paragraph:

Web Caller-ID's detection engine includes hundreds of routines that examine the elements of a web site, ranging from the site's content and links to its page history, and then determine if they are indicative of a spoof. For example, the URL of a particular site might be analyzed for phishing characteristics, such as the inclusion of an IP address at the beginning of the URL, or the source code might be analyzed for calls to a different web site. In production environments, Web Caller-ID consistently detects more than 98% of previously unknown spoof sites using behavioral technology.

This product sounds interesting at first blush, but don't most phishing scams begin with an email? Web sites that support phishing aren't going to have as many of these charactistics as the email that lured the victims there to begin with. I have to wonder just how well this really works, despite the, "consistently detects more than 98% of previously unknown spoof sites" quote.

Re:Huh

[beh]

There is, of course, another issue as well - if you eliminate 98% of the phish scams - that'll probably also mean that people will start paying less attention to the problem at hand and might hence become less careful about those phish scams that DO make it into their inbox.

This might be in a way comparable to the rates of HIV/AIDS spread during the late 80s/early 90s when there was LOTS of media attention to the issue, and people would actually think about what they were doing. Now, a couple of years after the height of media attention to it, the problems are rising again (simply because people no longer think about the issue).

In the same way, I would guess people might fall more easily for phish scams, once the become more rare again.

Educate

[Klar]

However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.

I have to say that I agree. These tools are great for newbie computer users. But I really think educating people on how to read a URL and not have to rely on a tool like this. If they don't understand the URL, using a 'caller id' program may not always be affective at preventing scams.

Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.

Re:Educate

[psin+psycle]

Education will only help so long. What happens when someone writes a worm/virus that replaces the /etc/hosts file with one hacked up to send people to phishing sites instead of banking sites? Not only could the phishing websites capture account data, they could also forward the user on to the correct site so they don't even notice a problem. Who's going to check their /etc/hosts file to make sure this isn't happening!

Glasses

[jobeus]

Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere. If people could see it more clearly......... :D

Re:Glasses

[Rosco+P.+Coltrane]

Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere

A normal-sized brain behind the glasses would work very well too. I mean, for example, the Microsoft-looking emails that require you to give a password, or a CC number or something: who the hell with a normal intelligence would fall for that one?

Most scams look exactly like that: scams. They're so easy to spot with a vaguely critical eye that it's not funny. The problem is, who will educate a public that doesn't understand much about computers in the first place?

Re:Glasses

[wan-fu]

While I agree that helping people understand computers is partly the issue here, there's an even bigger issue and that's educating the public in general to be more aware of scams. Remember, though the internet is a haven for scammers, there are plenty of them out there sending direct mailings or using infomercials. People still fall for those and not just the tricks on the net.

I think a big part of it is people are simply more lazy these days. As a result, they are more willing to believe in a get-rich quick scheme or an identification check for a bank or sweepstakes or whatever (especially the old who are more trusting). But who knows, maybe it's not that, it could very well be that people are just stupid and gullible by nature (which many /.'ers seem to think given the number of times I've seen references to "sheeple" and the like).

Technological solution to a social problem

[wheany]

I thought the general consensus was that technological solutions to a social problems don't work.

Re:Technological solution to a social problem

[MindStalker]

Hu? No, the general consensus was you can't legislate these problems away, ie spam, phishing etc.
User education is the most important, but technical solutions have to be used. Thats like saying you shouldn't bother with having a virus scanner, because people should all be taught to avoid viruses.

Wrong Solution

The proper solution to phishing scams is
1) Educate everyone not to give out confidential information to anyone.
2) Track the phishing sites and publically hang the owner. These things are not difficult to track by the very nature of the scam.

My rule is usually fairly simple

[tekiegreg]

Just don't click on any links via email to anything unless you solicited it (such as an email verification to a mailing list you're subscribing to). When I'm in doubt, all I do is type in the URL to the bank/brokerage/etc. web site myself (fire up browser and type in homepage URL), log in and find out if there is anything going on. Most such websites have a way to look at everything and take any needed action right away after you type in a user/pass.

*sigh* and on that note there is a sucker born every minute I suppose.

Re:My rule is usually fairly simple

[Awptimus+Prime]

No kidding, Email should go back to being a text only messaging system. Strip out all the html, urls, and binary attachments and watch the world become a better place.

Then again, I work in the security sector so all these flaws bring home the bacon. It is still frustrating to watch such broken systems dominate the world.

Will this reach the intended users?

[broothal]

People who are likely to fall for the usual phishing techniques are, unfortunately, not likely to install any tools to prevent phising. Odds are, that they never knew it existed before they fell for it.

Email Phishing

[TheOtherAgentM]

From what you and I probably see, yes. Phishing begins with an email, because we probably don't browse shady sites regularly. I don't know what the average user sees in their regular browsing. I can't even figure out where people get all the spyware from in the first place. As far as phishing emails, I know I get one email regularly that looks like a CitiBank email, but it is a .jpg file embedded. The URL has citi in it, but if you look closer, it's obviously not the right sight. I'd report it, but Citi Bank's online reporting sucks.

Re:Email Phishing

> There's just a slight flaw in that logic...

No there isn't.

You receive an email supposedly from Citibank, telling you not to trust emails from Citibank.

If it's a fake email, it means you can't trust emails claiming to be from Citibank anymore, because someone's faking them.

If it's legit, it's telling you not to trust emails from Citibank, so you'd better not.

So, for this particular message, it doesn't matter whether it's fake or for real - you still know not to trust any more emails.

So how do the real Citibank communicate with you? By waiting till you next log into your internet bankning account (for minor stuff), or sending you a physical letter, or phoning you (for important stuff - which shouldn't be going by email anyway).

Re:Email Phishing

[Ra5pu7in]

They can't do much about it upfront. However, as soon as it involves withdrawals from customer's accounts it moves over into fraud ... which they can do something about (via usual legal means). Neither Citibank, nor any of the others (I've seen BofA, Wells Fargo, and others) are going to acknowledge all the emails they get reporting these scams. Instead, the data is accumulated and those that report they lost money this way will be prioritized because these can be used for prosecution.

Personally, I'm waiting for the point where we can have a Darwin's Award for the idiots who answer those emails ... y'know the point when one of them loses every last dime in a scam and commits suicide, dies from a badly produced batch of V@l1um or V1agr@, or tries to gain or lose inches and has an accident with the means thereto. When this garbage produces 0 results, no matter how many millions are sent out, it will self-destruct.

I have a fairly good anti-phishing tool

[JosKarith]

It's called a healthy dose of cynicism.
If somebody I have financial dealings with contacts me out of the blue to check my password/account number/mother's maiden name etc. I contact them back - not using the linkback on that e-mail but using the contact details from the documentation I got when I signed up. And I ask them if it's a scam or not.
And I don't reply until the bank/whatever has got back to me.

Here's my Anti-Phishing tool

[Chanc_Gorkon]

My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are nto even spoof so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company shuld EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more then able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies liek AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.

A better start

[portwojc]

Web Caller-ID is not a cure-all for the phishing problem

How about actually going after the people doing the scams as a solution. Also the providers who don't shut them down.

I must have missed that part in the article. This is going to be just like the spam problem. It's a problem that the end user needs to deal with and not something to be corrected at the source. Well not until at least it gets to epidemic proportions.

Re:Wrong Solution (need PK crypto)

[j1m+5n0w]

The proper solution to phishing scams is 1) Educate everyone not to give out confidential information to anyone. 2) Track the phishing sites and publically hang the owner. These things are not difficult to track by the very nature of the scam.

Don't forget

3) Use public key cryptography to verify the authenticity of sites you do business with.

-jim

How is this better than SSL?

[BilSabab]

Let's make a couple of risky assumptions

1) That as an educated user I only submit sensitive information over an SSL encrypted connection using an SSL certificate signed by a third party.

2) That I check that the certificate corresponds to the site I'm visiting.

This should prevent me from submitting any information to a phishing scam provided that I'm using a browser which correctly implements the SSL/TLS exchange.

So why would a hosting company or a user bother with Web caller ID? A properly configured browser and SSL should prevent phishing attacks. Correct?

--- Friends don't let friends sig

At Least inform the public about this

[charliekowalchuk]

I've bought some large items on ebay, but the best place to find scammers is when your buying expensive laptops. I've seen a lot of phishing for ebay. I saw a recent report, in which perdicted that for every legit technology buisness, there are two scam ones.

The most important thing, Citibank and Ebay and the others is to inform their current and future customers about problems such as this. The worst thing they can do is not talk about it, pretend the problem will go away, or it is an isolated inncedent. (I'm telling ya, if Firefighters took the same approach at doing their job...)

I like to think that some of my attention I brought to ebay, has paved some of the way, as they seem to be taking a stand to this kind of scam. For instance, now you can forward phishy looking emails to spoof@ebay.com.

Now if you surf the web, hundreds of hits come up when discussing phish and spoof emails regarding Ebay and the like, but just 8 months ago, I found only one hit (and it was actually claiming this to be a real email, not a fake), regarding a fake authentic ebay email, encoraging me that it was alright to pay Western Union with this one particular seller, because he has special circumstances, and ebay will give buyer protection, up to 80% of the sell price. And Ebay themselves gave NO reference to any kind of knowledge or other cases that this kind of stuff was going on and one should be catious.

I hate to mention it, but it is rumored that alot of this stuff, being so well organized with their i's dotted and T's crossed is because some/most of these scams is being ran by various mafia.