Slashdot Mirror
Anti-Phishing Tools
mikeage writes "PCWorld has an article about an anti-phishing tool available that tries to detect fake websites." This is about Web Caller-ID already in use by eBay's custom user toolbar. The article also talks a bit about the incredible increase in phishing scams.
Also, I would like to see a program that would pre-scan a URL and if it appears to be a fake Paypal or Visa site to put the actual domain, and display a warning to alert newbie users.
Boxing Equipment Reviews
Glasses would be a good anti-phishing tool... Seems almost 95% of the sites I come across just replace a . with a - somewhere. If people could see it more clearly......... :D
Does That Web Site Look Phishy?
WholeSecurity's new software claims to identify fraudulent sites.
Paul Roberts, IDG News Service
Monday, August 16, 2004
A new software tool from WholeSecurity can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.
Advertisement
The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies, and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud, and increase confidence in online commerce, the company says.
Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account, or credit card number, often under the guise of updating account information.
Already in Use
A version of Web Caller-ID is already being used by EBay in a feature called Account Guard, part of an EBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs that disguise the true Internet address of the site the user is visiting.
Companies can license a Web browser plug-in from WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity says.
A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites, or fine-tune the Web Caller-ID technology to adapt to their company's Web site.
On the Rise
Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group.
There were 1422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group says.
A survey of 5000 adult Internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner says.
Taking the First Step
Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams, says Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at EBay.
"These are some of the things we need to do moving forward--getting technology built into the Web browsers themselves to do these things," he says.
However, better user education and stronger security from online retailers, banks, and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt says.
"You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he says.
Spoofstick is a plugin for FireFox or Internet Explorer that can help identify 'phishy' sites while surfing.
It does take a little more real estate out of the browser's window, but it's a pretty useful tool when teaching people about the dangers of clicking links blindly.
"For every right, an equal responsibility..."
...I wasn't supposed to give s1ashdot my credit card number to read this story?
Sheesh, evil *and* a jerk. -- Jade
The proper solution to phishing scams is
1) Educate everyone not to give out confidential information to anyone.
2) Track the phishing sites and publically hang the owner. These things are not difficult to track by the very nature of the scam.
Just don't click on any links via email to anything unless you solicited it (such as an email verification to a mailing list you're subscribing to). When I'm in doubt, all I do is type in the URL to the bank/brokerage/etc. web site myself (fire up browser and type in homepage URL), log in and find out if there is anything going on. Most such websites have a way to look at everything and take any needed action right away after you type in a user/pass.
*sigh* and on that note there is a sucker born every minute I suppose.
...in bed
What we need is a way to automatically reply to these phishing scams with bogus information. I'd like to be able to order everything sent in a spam message too with bogus information. Beat them at their own game!
People who are likely to fall for the usual phishing techniques are, unfortunately, not likely to install any tools to prevent phising. Odds are, that they never knew it existed before they fell for it.
From what you and I probably see, yes. Phishing begins with an email, because we probably don't browse shady sites regularly. I don't know what the average user sees in their regular browsing. I can't even figure out where people get all the spyware from in the first place. As far as phishing emails, I know I get one email regularly that looks like a CitiBank email, but it is a .jpg file embedded. The URL has citi in it, but if you look closer, it's obviously not the right sight. I'd report it, but Citi Bank's online reporting sucks.
My Anti Phishing tool is my brain. I mean sometimes these phishing e-mails are nto even spoof so that they appear to come from the company that they are spoofing. Sometimes the website has graphics for the company they are trying to appear as and the URL is in CHINA! First off, No company shuld EVER ask you to click on a link and enter personal information for things. No mortgage company I know of will actually advertise in a spam and if they do, then your alert flag should go up. If you just use common sense, you should be more then able to determine if a web page or e-mail is a phishing attempt. Unfortunately, your grandma or your mom may not. I think that companies liek AOL need to add more training wheels to their service so to speak and help them with determining if something is legit or not. Would I ever load such software? No I would not because I don't need it....but my mom might.
Gorkman
Hu? No, the general consensus was you can't legislate these problems away, ie spam, phishing etc.
User education is the most important, but technical solutions have to be used. Thats like saying you shouldn't bother with having a virus scanner, because people should all be taught to avoid viruses.
Here is more information, the SANS Internet Storm Center has seen much activity (and growing) of this shit.
--------
My theory is that unlike the script-kiddies of the old days, 99% of all phishing is work of organized crime. I believe that they recruit users at ISP's in places where internet (or any for that matter) law is not enforced (like Kosovo), they provide people simple step-by-step instructions on what to do, give them lists of fake card numbers and pay them based on the number of accounts hacked (e.g. $1 for every 50 good passwords). The actual cleaning out of the accounts probably happens elsewhere and at a much higher level because you need a much more elaborate system for it (off-shore bank accounts, etc). At least if I was doing it, this is how I would set it up. The users appear to be not very smart - we often see weird typos, names spelled in all caps and other dead giveaways - why would ANNE FISHER from Ohio signup for a year of virtual hosting and register a domain XABCDFERNG.COM for 10 years?
We see that they are getting more elaborate in their attempts to sign up for an account. They try to use proxies or zombies now (because most same companies will flat out refuse any attempts to sign up from Indonesia, Romania, etc.).
A funny side note - we got a copy of a credit card statement from one of the unfortunate cardmembers whose card's been stolen as part of the "chargeback" report, and among various hosting accounts they signed up for, there was an $20 contribution to moveon.org - go figure!
Right now the best way to fight off phishers is to attempt to speak to the customer in person, it has worked 100% for us so far. But since this phishing thing is probably big money for some mafia boss, I think the motivation is there for them to get more technologically advanced, and I wouldn't be surprised if we start seeing fake VoIP phone numbers provided where the criminals would answer the phone in English and pretend to be cardmembers.
Another very unfortunate side-ffect of this is that it's the merchants who east the cost of it. For every instance of fraud, we get the funds withheld and transferred back to the cardmember (don't be fooled by those reports of "poor" cc companies bearing the cost of fraud!) AND we get slapped with an $25-$50 penalty by the CC processing company AND our rates go up. So it's almost in their interest that cards get stolen, it simply means more revenue for them. Now our services are "virtual", but for those who actually ship something physical (like a shirt), they get to eat the cost of that as well.
Phish Net
Some folks here may find it usefull.
This nifty quiz can help you assess your phishing detection abilities. Recommended.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
I've noticed that neither Firefox nor new versions of IE let you do the www.cnn.com@http://myattackersite.com phishing vulnerability; Firefox warns you (as long as myattackersite.com doesn't request authentication), IE just doesn't let you do it as far as I've seen (but this is hearsay; I haven't used IE in years).
And on their websites they should say on top: "REMEMBER: WE *NEVER* SEND YOU EMAIL ABOUT ANYTHING."
If you want to know something, you just visit eBay or your bank account.
Best Buy can have you arrested
The first step is obviously to check the headers of an email you receive. Just see who sent you the damn thing (from Received headers). Was it actually an IP belonging to .paypal.com? This is easy to check using 'whois'. If the whois lookup shows the IP delivering you the email is from the company you expect (VISA, Paypal, Ebay) then it's fine.
OK, how about an example. Take this US Bank phishing scam, here are the Received headers:
The first Received hop is my ISP. The second Received hop is the only important one; it describes the connecting host. Note that the host here pretended to be usbank.com but that name is a sender-supplied ID; it's worthless. What you're looking for is the IP address between square brackets, which can not be forged. Now just check 211.209.208.87 using whois
See, easy. This email came from Korea, not US Bank. It's a scam!