Slashdot Mirror


Dealing with Phishing

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

20 of 168 comments

  1. PDF, Not Plugin Link by christopherfinke · · Score: 4, Informative

    Readers should note that the "Dynamic Security Skins" link goes to a PDF, not a plugin (as I expected).

    1. Re:PDF, Not Plugin Link by aymanh · · Score: 5, Informative

      This is why I use the TargetAlert Firefox extension; it adds icons next to links indicating the files or effects they lead to.

      --
      python>>> q="'";s='q="%c";s=%c%s%c;print s%%(q,q,s,q)';print s%(q,q,s,q)
    2. Re:PDF, Not Plugin Link by aymanh · · Score: 5, Informative

      By the way, I've just noticed that the version available at Mozilla Add-Ons isn't compatible with Firefox 1.5; however, the one available at the author's homepage is. Sorry for that.

      --
      python>>> q="'";s='q="%c";s=%c%s%c;print s%%(q,q,s,q)';print s%(q,q,s,q)
  2. Unpredictable by neonprimetime · · Score: 4, Insightful

    The only thing an attacker can't simulate is an interface he can't predict.

    This will be the key when designing sites in the future.

    1. Re:Unpredictable by Penguinisto · · Score: 4, Funny

      ...coming soon! An ubersecure site that uses Arcnet for its internal network and a small IPX/SPX DMZ! Then every odd week, we switch it all to AppleTalk internally and Banyan VINES in the DMZ - they'll never see it coming!

      (Of course, no one will ever be able to get anything done, but the geek factor would be impressive if you could actually make a 'musical protocols' plan work...)

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  3. it doesn't help when by future+assassin · · Score: 5, Interesting

    legit companies send out emails like this and confuse customers. This is from Capital One; I got it yesterday. Didn't open it at first because of the URL and domain: bfi0.com. Turns out it's legit and Capital One uses Bigfoot as their mail server.

    Capital One(R)--what's in your wallet?(R)

    Your Capital One statement is ready.

    RE: Your account ending in 0000

    Your current Capital One statement is now available for viewing online. Simply log in to Online Account Services and click the My Statement tab.

    Log in now at http://capitalone.bfi0.com/

    Is all your information reaching you?

    To help ensure this time-sensitive message reaches your inbox each month, add the Capital One address that appears in the "From" line above to your electronic address book. This is especially important if you or your service provider use e-mail filters.

    Use our web site as a resource for information and to access a variety of consumer lending products and special services. Add http://capitalone.bfi0.com/ to your bookmarks, so you can come back easily and often.

    Thanks for using Capital One's Online Account Services.

    Important Information from Capital One

    This e-mail was sent to me@mydomains.com and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

    The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

    Capital One and its service providers are committed to providing meaningful privacy protection for their customers. To protect your privacy, please do not send sensitive account information through e-mail. For information on our privacy policy or how to contact us, please visit our web site at http://capitalone.bfi0.com/

    If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:it doesn't help when by Tackhead · · Score: 5, Interesting

      > legit companies send out emails like this and confuse customers. This is from Capital One; I got it yesterday. Didn't open it at first because of the URL and domain: bfi0.com. Turns out it's legit and Capital One uses Bigfoot as their mail server.

      And this, kids, is why you should never outsource your email.

      In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.

      (And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net is a mainsleaze spammer? m0.net, bfi0.com, and I'm sure there are more out there...)

      The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.

      I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.

      Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.

  4. Re:Security Skin by DrSkwid · · Score: 4, Informative

    Certain colors have common associations in society, such as red with warning or green with go. Use these color associations to illustrate your point, but proceed with caution, because these associations can differ depending on the nationality of the audience.

    http://office.microsoft.com/en-us/assistance/HA010120721033.aspx

    --
    There are places where the networks are not touching, and there are places where they are. -- Boeing's Lori Gunter
  5. Mozilla, take note: by The+MAZZTer · · Score: 4, Insightful

    > for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.'

    Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!
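The history indicator the summary quotes and this comment endorses, as an added example that is not code from the interview, the paper or Dynamic Security Skins. The browser-side store, its wording, the risk levels and the sample hosts are assumptions of the example, and the history it runs over is constructed:

```javascript
// Added example (not from the interview, the paper or Dynamic Security
// Skins): a minimal "history indicator". The browser keeps, per hostname,
// how often the user has visited and how often a password has been submitted
// there; just before a form with a password field submits, the indicator
// reports how familiar the target host is. Store layout, wording, levels and
// hosts are assumptions of this example; the history below is constructed.

// Key history on the exact hostname the form posts to (lower-cased, no port),
// not on how the page looks: a look-alike host gets its own, empty entry.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

function makeHistory() {
  return new Map(); // hostname -> { visits, passwordSubmits }
}

function entryFor(history, host) {
  if (!history.has(host)) history.set(host, { visits: 0, passwordSubmits: 0 });
  return history.get(host);
}

function recordVisit(history, url) {
  entryFor(history, hostOf(url)).visits += 1;
}

function recordPasswordSubmit(history, url) {
  entryFor(history, hostOf(url)).passwordSubmits += 1;
}

// Called just before a form submits, with the history as it stood before the
// current page load. actionUrl is the form's target, fieldTypes the input
// types it contains. Returns the text a browser would show next to the form
// and a level a UI could colour-code.
function formIndicator(history, actionUrl, fieldTypes) {
  const host = hostOf(actionUrl);
  const seen = history.get(host) || { visits: 0, passwordSubmits: 0 };
  if (!fieldTypes.includes('password')) {
    return { level: 'info', text: `Form on ${host} (no password field)` };
  }
  if (seen.visits === 0) {
    return { level: 'high',
             text: `You have never visited ${host} before, and this form sends it a password` };
  }
  if (seen.passwordSubmits === 0) {
    return { level: 'medium',
             text: `You have visited ${host} ${seen.visits} times but never submitted a password here` };
  }
  return { level: 'low',
           text: `You have submitted a password to ${host} ${seen.passwordSubmits} times before` };
}

// Constructed walk-through: the user's real bank versus a look-alike host whose
// page may be a pixel-perfect copy but whose hostname has never been seen.
function demo() {
  const history = makeHistory();
  for (let i = 0; i < 12; i++) recordVisit(history, 'https://www.bank.example/home');
  recordPasswordSubmit(history, 'https://www.bank.example/login');
  const genuine = formIndicator(history, 'https://www.bank.example/login', ['text', 'password']);
  const lookalike = formIndicator(history, 'https://www.bank.example.phish-host.invalid/login',
                                  ['text', 'password']);
  return { genuine, lookalike };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check keys on the hostname the form actually posts to rather than on anything the page renders, which is why a copied login page reads as "never visited" even when its content is identical to the real one. A browser would hook this on the form-submit event; `demo()` drives it with a constructed history instead.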

  6. The more you think you know... by Lord+of+Hyphens · · Score: 4, Interesting

    Good interview, bringing up sound points on the vulnerability of users to electronic attacks. Social Engineering (aka BSing the operator) has been around forever as a valuable tool in any attacker's arsenal.

    The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (proprietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?

    Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.

    --
    "I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
  7. GMail's filters failing? by DAldredge · · Score: 5, Interesting

    Over the past 3 or so weeks I have noticed that the number of phishing emails coming to my slashdot email account that are not caught by the spam filter have increased about 300%.

    Is Google getting worse or are they getting better?

  8. Not really going to work by Jimmy+King · · Score: 5, Insightful

    While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site"; it would be "oh, my skin didn't load for some reason," and then they'd probably continue on.

    The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far as their home PC is concerned. To make it worse, most people not only don't understand, but don't want to understand.

  9. Personalization will only help so much by scolby · · Score: 4, Insightful

    Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.

    In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.

  10. What bothers me is... by azav · · Score: 4, Insightful

    Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.

    If we are, why are we not hearing about it?

    I mean, spam and phishing are the blight of the internet. It is aggravating, costly and time-consuming. I do not need a mortgage, Cialis, a fake Rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and, through use of zombies of hijacked connections, theft or trespassing.

    Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?

    ??

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  11. Re:Where to draw the line on user ignorance? by Red+Flayer · · Score: 4, Insightful

    > Are people so content with blind usability of their devices?

    Why yes, yes they are.

    To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."

    That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  12. Re:Where to draw the line on user ignorance? by spun · · Score: 4, Funny

    > That's how you separate the geeks from the boys (not with a crowbar, as has been joked)

    Greeks. You're thinking Greeks and boys.

    Ancient Greeks that is, you know Sparta and catamites and all that. Your average modern Greek is a fairly religious fellow who frowns on that sort of thing (at least in public, unless there are no women left in the bar at closing time.)

    The More You Know(tm)

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  13. Re:Where to draw the line on user ignorance? by dr_dank · · Score: 4, Funny

    > For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors".

    Not that there's anything wrong with that...

    --
    Where does the school board find them and why do they keep sending them to ME?
  14. Obvious, simple anti-phishing solution? by Jester99 · · Score: 4, Interesting

    Maybe somebody could explain to me why this wouldn't work. It's trivially simple to implement.

    When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?

    Then every email they send to you, they include that string in the subject line.

    e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"

    Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password".) All you have to do is simply not click links that don't have the proper auth word in the subject.
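A mail-client check that puts this reverse-authentication string to work, as an added example that is not code from any commenter. It also carries the lesson of comment 3 above: a message that passes the string check can still link to a domain the organisation does not own (capitalone.bfi0.com in that post), so the check reports such links as a separate signal. The organisations, tokens, domains and messages are all constructed for the example:

```javascript
// Added example (not any commenter's code). Two signals per message:
// (1) the per-user "reverse-authentication string" from comment 14 must appear
//     in the Subject of any mail that claims to come from that organisation;
// (2) every link in the body must point into a domain the organisation owns,
//     otherwise it is reported, as comment 3's outsourced mailer would be.
// Organisations, tokens, domains and the messages below are constructed.

const accounts = {
  capitalone: { token: 'turkey',        domains: ['capitalone.example'] }, // hypothetical
  broker:     { token: 'lighthouse-42', domains: ['broker.example'] },     // hypothetical
};

// Split a raw RFC 822-style message into a lower-cased header map and a body
// (single-line headers only; enough for the constructed messages here).
function parseMessage(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/);
  let i = 0;
  for (; i < lines.length && lines[i].trim() !== ''; i++) {
    const m = lines[i].match(/^([A-Za-z-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return { headers, body: lines.slice(i + 1).join('\n') };
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return ''; }
}

// Which organisation does the message claim to be from? Both From and Subject
// are attacker-controlled, so a claim in either is enough to apply the rule.
function claimedOrg({ headers }) {
  const text = `${headers.from || ''} ${headers.subject || ''}`.toLowerCase();
  return Object.keys(accounts).find(org => text.includes(org)) || null;
}

function isOwnDomain(host, domains) {
  return domains.some(d => host === d || host.endsWith('.' + d));
}

// Returns { verdict, reasons }: 'verified', 'suspect' or 'unrelated'.
function checkMessage(raw) {
  const msg = parseMessage(raw);
  const org = claimedOrg(msg);
  if (!org) return { verdict: 'unrelated', reasons: [] };
  const { token, domains } = accounts[org];
  const reasons = [];
  const subject = (msg.headers.subject || '').toLowerCase();
  if (!subject.includes(`auth: ${token.toLowerCase()}`)) {
    reasons.push(`subject lacks the ${org} reverse-auth string`);
  }
  for (const link of msg.body.match(/https?:\/\/[^\s<>"]+/g) || []) {
    const host = hostOf(link);
    if (!isOwnDomain(host, domains)) reasons.push(`link to ${host} is outside ${org}'s domains`);
  }
  return { verdict: reasons.length === 0 ? 'verified' : 'suspect', reasons };
}

// Constructed messages.
const genuine = [
  'From: Capital One <statements@capitalone.example>',
  'Subject: Important message for user Jester99 from CapitalOne -- auth: turkey',
  '',
  'Your statement is ready: https://www.capitalone.example/statements',
].join('\n');

// Legit mail through an outsourced mailer, as in comment 3: carries the
// token, but its link leaves the organisation's domains, so it is still flagged.
const outsourced = [
  'From: Capital One <statements@capitalone.example>',
  'Subject: Your CapitalOne statement is ready -- auth: turkey',
  '',
  'Log in now at http://capitalone.bfi0.example/',
].join('\n');

// Phish: knows the brand name but not the token, and links elsewhere.
const phish = [
  'From: CapitalOne Security <alerts@secure-capitalone-login.invalid>',
  'Subject: CapitalOne: verify your account now',
  '',
  'Click http://secure-capitalone-login.invalid/verify within 24 hours',
].join('\n');

const unrelated = 'From: mom@family.example\nSubject: dinner sunday?\n\nsee you at 6';

for (const m of [genuine, outsourced, phish, unrelated]) console.log(checkMessage(m));
```

The string is only as strong as its secrecy: it sits in the clear in every Subject line and, as comment 9 notes for personal images, a phish that asks the user to "re-enter" it would collect it, so a leaked string has to be changed at the site. The outsourced case shows why the link check is kept as a separate reason rather than folded into the verdict: the user can decide whether a known third-party mailer is acceptable.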

  15. Here's what she meant by Moraelin · · Score: 5, Informative

    Lots of people here seem to assume that somehow the skins are for the web site, or overriding CSS elements, or whatever, which is just not the case. What she was talking about with those skins is: fake UI. Nothing more, nothing less.

    E.g., let's say that you got your old mom to use Mozilla, so she has _both_ the coloured URL box _and_ the padlock on the status bar as indication that she's indeed at a secure site. I'll assume you've also educated her to carefully read the URL up there.

    So no one can fool her now, right? I mean, right? Well, wrong. One attack method they used in that study was fake UI.

    So let's say your mom now lands at some www.phishers-r-us.ru site pretending to be her bank. The site doesn't even use SSL or anything. How can that site spoof all those checks both up there in the browser's toolbar and down there on the status bar? Simple. Fake them.

    So the site gives you a javascripted popup, requesting a window without those interface elements. But fakes them as .gif images in the page itself. The page is, say, a frame set with three horizontal frames: one at the top, with a faked toolbar and URL bar (with the correct URL of the bank in that .gif, and correctly colour coded as if it were Mozilla saying it's HTTPS), the login page in the middle, and a faked status bar at the bottom (complete with the padlock icon telling you it's secure.)

    _That_ is the problem. Fake UI fools most users.

    So the researcher's idea is basically, "I know, so let's encourage each user to skin their own UI." So let's say your mom has set her Mozilla UI to be brushed blue-hued metal, the colour for HTTPS URLs to be green, and the padlock icon to be replaced by a thumbs up icon. The fake UI site can't know that. So when they show her a page with the UI in the default colours and icons instead of hers, hopefully your mom will know that it's faked UI. It doesn't look like her other browser windows.

    Now personally I think the idea isn't that great anyway, since (A) it requires users to actually do that, and I'll bet most will just click on the default theme and be done with it, and (B) because it's working around what I consider a fucking stupid mis-feature. IMHO there's no need to allow browser windows without an URL bar and without a status bar in the first place. In an age where those are the main (and often only) things that can warn you against such attacks, allowing a site to disable them is just stupid. So just disable the option to hide the UI and, voila, suddenly no one can fake that UI any more. It's that simple.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  16. A simple solution by GeorgeVW · · Score: 4, Insightful

    Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.