Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Better Anti-Phishing Toolbar?

Posted by Cliff on from the browsing-where-you-are-supposed-to-be dept.

Saqib Ali asks: "There have been recent discussions on Security Focus mailing lists about several Anti Phishing Toolbars available for Firefox. Do Slashdot readers have any recommendations on which Anti Phishing toolbar to use, or on how to improve upon the existing ones?"

33 comments

  1. Obligatory by lbmouse · · Score: 1, Interesting

    Netcraft confirms it.

    Seriously, it is a pretty good bar. I just wish its appearance/position was a little more customizable.

    1. Re:Obligatory by pjotrb123 · · Score: 1

      Although the Netcraft toolbar does the job, it slowed my browsing experience so much as to be unusable. Sometimes it made me wait for a minute before giving the green (or red) signal. Or sometimes there simply was no reply at all from their servers. I found that I'm smart enough to decide on my own if a Phishing attempt is being made, so far with a 100% score. And my brain works a whole lot faster than the Netcraft servers.

      Don't know about others.

      --
      I liked my next sig a lot better
  2. how about... by Anonymous Coward · · Score: 1, Informative

    using your brain! watch out for strange urls, bad grammar, missing/bad certificates, etc...

    1. Re:how about... by rajats · · Score: 1

      Many times it is not necessary that looking at URLs could give you an idea. Sometimes, websites use URL redirection parameters while authenticating clients eg: www.goodsite.com/login?urlredir=http%3A%2F%2Fwww%2 Esomeothersite%2Ecom%2F An attacker could exploit this kind of a website authentication mechanism to send someone an obfuscated URL in the urlredir parameter that would redirect the user to a site which looks exactly like www.goodsite.com and says "invalid credentials" ... it's very difficult for users not to fall prey to this kind of a situation because, let's face it, most people do not look at the URL for every request. The website creators themselves have to become knowledgeable about how to avoid such attacks.

  3. Never tried them. by Threni · · Score: 5, Informative

    > Do Slashdot readers have any recommendations on which Anti Phishing toolbar to
    > use, or on how to improve upon the existing ones?"

    If you're smart enough to install this kind of solution then you're not going to fall for the phishing attempts in the first place. Email from paypal/ebay/your bank that doesn't start with your name? Delete it. Get a plausible looking email asking you to click on a link and log in? Type the URL manually anyway (I use a local homepage which just contains a bunch of links to those accounts, Slashdot etc). Have an account somewhere that doesn't address you by your full name in emails? Close the account and use another bank.

    By the same token, this stuff is obvious to everyone reading Slashdot. Right?

    1. Re:Never tried them. by Saeed+al-Sahaf · · Score: 1

      Better yet, don't bank or do scetchy money transactions over the Internet. Few people actually have to.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:Never tried them. by Threni · · Score: 1

      > Better yet, don't bank or do scetchy money transactions over the Internet. Few
      > people actually have to.

      I use Cahoot's online bank in the UK (5+% savings account, ~4% current account) - seems safe to me. Should I be scared? Why? Where's the risk? Not phishing, so is SSL insecure?

    3. Re:Never tried them. by XO · · Score: 2, Interesting

      yeah, exactly how does an "Anti Phishing" toolbar work? Only thing I can think of is a built-in blacklist. Just use Opera, and it will flat out tell you if the site you are looking at is the site that it claims to be.

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    4. Re:Never tried them. by secolactico · · Score: 1

      Email from paypal/ebay/your bank that doesn't start with your name? Delete it. Get a plausible looking email asking you to click on a link and log in? Type the URL manually anyway (I use a local homepage which just contains a bunch of links to those accounts, Slashdot etc)

      Or, if possible, use the phone. If you get an unexpected e-mail from your financial institution, call them. Don't use any link or phone # in the e-mail. You should have a couple of customer service numbers with you for any bank or credit card company you use.

      If you get an e-mail from a bank you've never done business with, it's a scam. If you get an e-mail from e-bay/paypal, it's most likely a scam (if you do business with them, read their e-mail communications guidelines to help identify legitimate mails from scams).

      And if somebody offers you untold millions to help transfer money, it's a scam. And if it wasn't, it might be a form of money-laundering that's illegal in more jurisdictions that you care to count.

      A healthy dose of mistrust goes a long way towards protecting you from phishers and scammers.

      --
      No sig
    5. Re:Never tried them. by ppz003 · · Score: 1

      Everyone reading Slashdot? Maybe. But for those of us who try to protect our family and friends, these tools can be invaluable. I also like to teach people how to use the no-script extension.

  4. Or use GMail by brunes69 · · Score: 1

    I find GMail catches 100% of all phishing attempts directed at me, resulting in it sterilizing all the links, and moving them to the Spam bucket. Even if it is "unsure" about an email, it will put a huge warning at the top and semi-sterilize the links.

    It doesn't catch 100% of my spam, but it does well over 99% I would say. And none of the ones that get through are anything resembling phishing.

    1. Re:Or use GMail by Threni · · Score: 1

      > Or use GMail

      I do both (using HTTPS to access gmail, not the lame http it offers you - you have to edit that yourself - or use a plugin).

    2. Re:Or use GMail by MillionthMonkey · · Score: 1

      A friend of mine got on GMail's shitlist somehow last year, even though she was emailing me from a GMail account herself- which she had gotten from my invite. Every single email from her had the big yellow box warning: "This email may not be from whom it claims to be." Which struck me as funny, since it was essentially tagging email being sent from one GMail account to another. I think she complained to Google and after a few days it went away.

  5. anti phishing already installed in IE7 by mdman · · Score: 2, Interesting

    IE7 has anti phishing features installed in it already..

    1. Re:anti phishing already installed in IE7 by spacefight · · Score: 1

      IE7 ist not available to the broad public. Why do some people point to a not-yet released product?

    2. Re:anti phishing already installed in IE7 by J0nne · · Score: 1

      IE7 is a bitch to install on non-english systems (it involves switching files while you're installing it, and within the time the setup progress bar is running), it's beta software (MS beta, not open source it's-stable-but-we're-afraid-of-releasing-a-final- beta).

      Besides, I don't think a lot of people feel comfortable to send every url they visit to a company that just bought the backend technology from Claria/Gator (or any company, for that matter), but that's something most phishing toolbars do, if I understand it correctly.

  6. I don't know... by Saeed+al-Sahaf · · Score: 1

    I like to drink coffee. Sometimes I wonder about the relationship between coffee and high blood pressure. Is there one? Have studies been done? Can I get a cup of drip?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:I don't know... by Threni · · Score: 1

      I could go without coffee I guess, but that concept is about as interesting to me as going without online transactions due to an ill-informed assessment of the risks.

  7. Phishing? whazzat? by redelm · · Score: 3, Interesting
    My email reader does not render HTML. When I encounter pure HTML email, I just delete it. Or bounce it back to spoof@... as eBay and PayPal have requested.

    In the unusual case (once per week) that I actually _want_ to look at a website mentioned in email, I cut'n'paste.

    HTML email is abomination. Autoload images is evil.

  8. Just mouse over by brontus3927 · · Score: 1
    really simple solution that I tell my non-technically inclined relatives. Check the link. Move the mouse over the link and see what it says in the status bar. If it says the internet address is something with a bunch of numbers after the http:/// then it's not a legitamite site.

    There are going to be a VERY small number of sites that this isn't true, but these kinds of sites are unlikely to be anything that most people are going to be ever needing to use.

    --
    Free MacMini
    1. Re:Just mouse over by eurleif · · Score: 1

      Most phishing emails I've seen do something along the lines of , so that's not a reliable solution if your email client has JavaScript enabled.

    2. Re:Just mouse over by brontus3927 · · Score: 1

      I guess the other half of it then it to turn off javascript in the email client, like Thunnderbird does by default

      --
      Free MacMini
    3. Re:Just mouse over by WebCrapper · · Score: 1

      I agree - if you're smart enough to look for the signs, you don't need the bar.

      I humor these idiots once in awhile, if I'm sitting at the computer and watch a message come in (and I'm really bored). I'll hit their site, give false info and submit it.

      One of the funniest things I've seen is one site that used an java popup image to put it over the default location of the IE toolbar. So when I cliked the link, part of my Firefox tabs where covered up (I'm in webdev, so I can't disable javascript). Laughed my butt off over that one.

      Luckily my wife is still pissed off at paypal for screwing her over on a fraud issue and she refuses to visit their website for anything. Won't even touch eBay anymore - its great!

  9. Google solution. by ScaryFroMan · · Score: 3, Informative

    "Google Safe Browsing" seems to work pretty well.

    --
    In Soviet Russia, backwards is everything.
    1. Re:Google solution. by spacefight · · Score: 1

      Yeah right, very nice and you are transmitting every page URL you visit too Google for a checkup. Same goes with the Google Toolbar (page rank check). If you can live with this, go for it!

    2. Re:Google solution. by flubbergust · · Score: 1

      Why can only Americans download it? Are they more likely to fall for phishing scams than the rest of the world?
      I got to admit that I didnt look around that much there so I havent found an answer yet.

  10. Sticker by MrNougat · · Score: 1

    Put a sticker above the screen on every monitor that reads:

    "No one will ever ask for personal information via email. If anyone does, do not give it."

    --
    Web 2.0 == Giant Blogspam Circle Jerk
    1. Re:Sticker by Detritus · · Score: 1
      "No one will ever ask for personal information via email. If anyone does, do not give it."

      Written by someone who has never worked in a large corporation or bureaucracy.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Sticker by MrNougat · · Score: 2, Insightful

      I've worked for a company with 1000 employees in 72 locations in the US. Financial services company. If that's not bureaucratic, I don't know what is.

      I think, generally speaking, much time is spent trying to prevent social engineering attacks with technological methods. Phishing is not an attack against a technological resource; it's an attack against a person using technology. The weakness being exploited is in the person, not in the computer system. Trying to protect a computer system from phishing is like trying to protect a bank teller from being robbed. It's not the bank teller being robbed, it's the money in the bank. Sure, the bank teller is a conduit through which robbery can occur, and by that logic, protecting the bank teller will reduce the risk of robbery. But a better way is to protect the money by putting it in a vault. I don't know of any banks that don't have vaults.

      Reducing people's weakness to phishing by telling them - over and over, or with a sticker - that no legitimate company will request personal information via email is like putting the bank's money in a vault.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
    3. Re:Sticker by Detritus · · Score: 1

      You make some good points. My experience has been that corporations love email and prefer it to physical paper. These days you can apply for, or renew, a security clearance via email. They email you a program, an electronic form, and you fill it out and email the data file back to them. How are you going to convince them?

      --
      Mea navis aericumbens anguillis abundat
    4. Re:Sticker by MrNougat · · Score: 1

      Okay so how about modifying my sticker to read:

      No one will ever ask for personal information via email unless you have solicited the request yourself. If anyone asks unsolicited, do not give it.

      I know, I know. This means we're going to have to make another sticker with the definitions of "solicited" and "unsolicited" on it. And with LCD monitors all the rage, there's hardly room around the edge of the screen for two stickers and a Post-It with your username and password.

      I agree that email is a great form of communication, and that it is often used to transmit personal information from one place to another. The only time that's valid is when I (the end user) initiate the exchange.

      Back to technology, I think the limitations of SMTP make it easier for phishing, etc., to work. There's currently no way to easily verify the identity of the sender. Easily, I say, because I know there are S/MIME certs, but how many end users even understand those? Either some new email protocol needs to be developed which demands that the sender is verified, or something like SenderID needs to be glommed onto SMTP. That would stem the tide of all sorts of ill-begotten emails, not just phishing.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
  11. Call Me a TROLL: Who needs a tool bar? by chivo243 · · Score: 1

    If you are dumb enough to help Person X from country X based on an e-mail.... send me your money, and tell me before I hire you. If you get sucked into something about your bank/credit card via the internet, too bad for not asking a stooge at the institution. If people can't follow these simple steps:
    1. If you don't know them you don't owe them. HIT DELETE
    2. Your financial Institutes will never ask you via e-mail for any info. Call the institution and tell them what you have received.
    3. If in doubt, ALWAYS sleep on the decision.
    I leave you with these thoughts, would you give anybody a blank signed check? (remember those) Or would you give your your PIN or Password to anybody?
    And on the lighter side, cordless drills, orbital sanders and the various saws would love a tool bar! I know I can use a drink at then end of the day... :-}>

    --
    Sig Hansen?
  12. Celebrity Greeter at the Tool Bar? by chivo243 · · Score: 1

    None other than Tim Taylor!

    --
    Sig Hansen?