Dealing with Phishing

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

it doesnt help when

[future+assassin]

legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the url and domain. > bfi0.com Turns out it legit and Capital one uses Bigfoot as their mail server.

Capital One(R)--what's in your wallet?(R)

Your Capital One statement is ready.

RE: Your account ending in 0000

Your current Capital One statement is now available for viewing online. Simply log in to Online Account Services and click the My Statement tab.

Log in now at http://capitalone.bfi0.com/

Is all your information reaching you?

To help ensure this time-sensitive message reaches your inbox each month, add the Capital One address that appears in the "From" line above to your electronic address book. This is especially important if you or your service provider use e-mail filters.

Use our web site as a resource for information and to access a variety of consumer lending products and special services. Add http://capitalone.bfi0.com/ to your bookmarks, so you can come back easily and often.

Thanks for using Capital One's Online Account Services.

Important Information from Capital One

This e-mail was sent to me@mydomains.com and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

Capital One and its service providers are committed to providing meaningful privacy protection for their customers. To protect your privacy, please do not send sensitive account information through e-mail. For information on our privacy policy or how to contact us, please visit our web site at http://capitalone.bfi0.com/

If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

Re:it doesnt help when

[Tackhead]

> legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the url and domain. > bfi0.com Turns out it legit and Capital one uses Bigfoot as their mail server.

And this, kids, is why you should never outsource your email.

In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.

(And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net, is a mainsleaze spammer. m0.net, bfi0.com, and I'm sure there are more out there...)

The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.

I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.

Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.

Drive-by-downloads

[Itninja]

So this may help one realized that they are not on the actual Paypal/Citibank/Ebay site, and they can leave before they enter their personal information. But many phishing sites have already done their damage by that time, via a drive-by-download; install all forms of malware and spyware in just a few seconds.

The more you think you know...

[Lord+of+Hyphens]

Good interview, bringing up sound points on the vulnerability of users to electronic attacks. Social Engineering (aka BSing the operator) has been around forever as a valuable tool in any attacker's arsenal.

The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (propietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?

Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.

GMail's filters failing?

[DAldredge]

Over the past 3 or so weeks I have noticed that the number of phishing emails coming to my slashdot email account that are not caught by the spam filter have increased about 300%.

Is google getting worse or are they getting better?

Bad analogy

[KerberosKing]

The thought that an average user will personalize their web interface like they personalize their celll phone doesn't fly with me. If that were true, we would see copies of Tweak UI on a lot more wintel boxes. Everyday people would be replacing the explorer shell with LightStep. I don't see that happening. About the most personalization I have seen is people putting up a picture of their girlfriend or baby up as desktop wallpaper. Geeks use custom tools, but most geeks are savvy enough about phishing to not fall for it.

Obvious, simple anti-phishing solution?

[Jester99]

Maybe somebody could explain to me why this wouldn't work. It's trivially simple to implement.

When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?

Then every email they send to you, they include that string in the subject line.

e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"

Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password") All you have to do is simply not click links that don't have the proper auth word in the subject.