10 Anti-Phishing Firefox Extensions
An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
Unfortunately it isn't; a lot of people ignore security measures designed to protect them from phishing. Case in point: banks that used images etc. to show the authenticity of the website their customers use were largely ignored, few noticed it, and similar studies show few have such security as one of their concerns. These extensions might have done good if people listened to them, but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place: typing in addresses instead of following links, paying attention to what comes after the TLD, and disabling JavaScript, for starters.
Sigs are too short to say anything truly profound so read the above post instead.
Is my bloody brain and eye superfilter combo. With these, I don't need any stinking slow-me-down-even-further plugins.
ISO certified == THX certified
How much phishing can be prevented if people stop clicking on hyperlinks, and use copy-and-paste instead?
Virtual Betting on Facebook for non-geeks.
"For most Internet users, defending against phishing attacks is a top priority."
No, I disagree, I don't think it is a top priority for most users. Try pr0n.
Seriously though, it should be on the list... but let's be realistic.
Get a web developer
Or just upgrade to Firefox 2, which has the feature built in.
Now here's an interesting thought. How to prevent yourself from being a victim of phishing phraud (sic):
Step 1: Do all banking off-line
Step 2: Don't use your credit / debit card over the Internet
Step 3: Don't use Internet
Step 4: ???
Step 5: Profit!
It's like abstinence but you can almost bear it.
I was hoping for a review of the extensions but only found a summary of what was available. More of the same information can be found by searching for 'phishing' extensions.
I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser for the very first time.
Followed by another splash screen that says "If you ignored the previous information, you are now entering with the risk of doing something extremely stupid, would you like to bring up the Welcome screen again? [Yes] [Yes]"
"we've got trenchcoats and bad attitudes" - John Constantine, HellBlazer
Easy way to defeat the phishers, OpenDNS. Or you could actually look at the status bar to see what site you are clicking on...
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Having read the article, it seems that the problem is more about people believing BS emails etc. and about keeping a list of anti-phishing sites to stop it. Seems like an issue for setting up friends'/family members' machines who are not tech savvy than an issue for most /. readers, who I assume are the few who actually look out for this kind of thing.
I dunno. I think the feds can get to your computer even if it's offline. Better get out the jackhammer. Oh, um, hold on a sec. Some of my tinfoil is coming off.
Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.
PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.
It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.
The hard-line approach is to implement something that prevents putting credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one of those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more JavaScript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.
We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.
"On the Internet, no one knows if you're a dog" just isn't good enough any more.
I can't wait for the top 10 'Top 10 Firefox Extension' list.
If you know which sites are 'bad', simply add them to the hosts file and loop them to the home address. No need for a plugin.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?
I'm often too skeptical for my own britches, but that's also why I do in fact pay attention to my bank's "sitekey" and why I don't need these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.
Most modern phishing is done very professionally, and the pages totally mimic the real thing. I recently received a phishing e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.
The "fix" against phishing is a better authentication method.
For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a two-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6-digit PIN sent by SMS to the user, etc.
The whole approach of attempting to eliminate phishing by filtering web pages, making fancy browser plugins or stuffing a lot of security bloatware onto computers is essentially wrong. The only reason simple phishing attacks work is because the authentication mechanism is way too simple.
Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.
Phishing gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books going back to the early 80s, I really don't understand why these simple methods are so largely ignored...
My security clearance is so high I have to kill myself if I remember I have it...
All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.
People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.
98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.
it's a blue bright blue Saturday hey hey
I don't know, phishing attempts seem pretty damn obvious to me.
This is the same style of 'security solution' as Anti-Virus software.
Phishing is really easy to prevent.
1. Don't submit information on non-encrypted pages
2. Check certificate to make sure it's for the company you want to send the information to.
Amazingly, this is really simple, protects better than any 'anti-phishing' list, and has been part of the default functionality of web browsers for many years.
...and that is all I have to say about that.
http://jessta.id.au
Yep, works great against IP numbers: http://your.bank.com@123.45.67.89 where your.bank.com is your home bank and 123.45.67.89 is the phishing site.
Patents Drive Free Software as Hurricanes Drive Construction Industry
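The two URL tricks discussed in this thread (the bank's name placed before an "@" so the real host is an IP address, and per-user subdomains such as session-97701.nationalcity.com.userpro.io) can both be caught by looking at what the browser actually resolves rather than what the eye reads. The following is an added example, not code from any poster or from any of the listed extensions; it uses the WHATWG URL parser built into Node.js and browsers, and its "registrable domain" logic simply keeps the last two labels (a real tool would consult the Public Suffix List), which is a simplification of ours.

```javascript
// Added example: classify a link against the bank domain the user expects.
// Assumptions (ours): registrable domain = last two DNS labels; no Public
// Suffix List handling, so co.uk-style suffixes would be misjudged.

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

function isIpv4Literal(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Returns { ok, host, reasons }; reasons is empty when the link is consistent
// with expectedDomain and uses https.
function assessLink(href, expectedDomain) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, host: null, reasons: ["unparseable URL"] };
  }
  const reasons = [];
  const host = url.hostname; // the part that is actually resolved and connected to
  if (url.username || url.password) {
    // Text before "@" is userinfo, not a host; the bank's name there is bait.
    reasons.push(`userinfo "${url.username}" precedes the real host ${host}`);
  }
  if (isIpv4Literal(host)) {
    reasons.push(`host is a bare IP address (${host})`);
  } else if (registrableDomain(host) !== registrableDomain(expectedDomain)) {
    // session-97701.nationalcity.com.userpro.io resolves under userpro.io,
    // however many bank-like labels sit in front of it.
    reasons.push(`registrable domain ${registrableDomain(host)} is not ${expectedDomain}`);
  }
  if (url.protocol !== "https:") {
    reasons.push(`scheme is ${url.protocol.slice(0, -1)}, not https`);
  }
  return { ok: reasons.length === 0, host, reasons };
}

// Constructed sample links; the middle two are the shapes quoted in the thread.
const SAMPLES = [
  "https://www.nationalcity.com/login",
  "http://your.bank.com@123.45.67.89/login",
  "http://session-97701.nationalcity.com.userpro.io/login",
  "https://nationalcity.com.evil.example/login",
];

for (const href of SAMPLES) {
  const r = assessLink(href, "nationalcity.com");
  console.log(r.ok ? "OK  " : "WARN", href, r.reasons.join("; "));
}
```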
OpenDns + Netcraft + Common sense
I guess ZoneAlarm registered customers may be surprised in finding how their own original login page works.
Even if you're not a registered user, just follow the link above and enter fake credentials.
The game becomes spicier if you have auto-completion enabled for that form...
Have fun with those antiphishing toys ;)
Original proof of concept courtesy of Elio, original XSS courtesy of .mario.
There's a browser safer than Firefox, it is Firefox, with NoScript
For that matter, how about not clicking OR copy-and-pasting?
I mean, think about it. If it's your bank, you already know its URL anyway; you probably even have it bookmarked. Why on Earth would anyone need to follow a link from some dodgy email to go log in to their bank? No, bloody seriously.
Let's try to think like the most clueless user for a moment, and actually believe that my bank wants me to log in to verify I still exist. Well, ok. I already have a bookmark to the bank, I'll go log in there.
Ah, but maybe they want me to enter some code or whatnot. Well, ok, then the bank will have a link somewhere in its menu for that. Banks have existed for quite a while; debatably the first proto-bank was the Knights Templar. At any rate, they existed long before emails and wouldn't make clicking on an email link their only option. What if someone forgot their email password, for example? If they want some extra data from me, then (A) they'll also send a snail mail letter, and (B) at any rate the form would be available from the normal site too.
Or how about picking up the phone and asking my bank if there is some problem?
Basically, yeah, I'm left scratching my head as to why _is_ an anti-phishing plugin needed at all. If you got someone educated enough about phishing that they'll actually go and download a plugin, then how about just educating them to not do their banking via email links? There, problem solved.
A polar bear is a cartesian bear after a coordinate transform.
"Where?"
While that other AC is not much help, what he meant to say was that the phrase is "Hear, hear!".
Regards,
your friendly neighbourhood AC.
If only there were an extension to block real phishing on the web
...
NJ Transit , PATH train schedules online
Phishing and other scams are easy to avoid if one simply uses the brain to think with:
- Banks don't send out security warnings by email with a handy link in so you can 'confirm your details'.
- Banks never ask for all of your security details even when you are logging on to their actual site - they ask for part of them only.
- And of course, you should get a teeny bit suspicious when you receive tens of 'security warnings' or similar from banks in a day, especially when you don't have an account there.
The top priority for anybody browsing the internet who has even a marginally normal outlook on life is to avoid adverts. After all, when you are on the internet you tend to know what you want; or I do, at least. If you want to buy something, you search for it - you don't tend to buy spontaneously, just because you saw an advert. I know people in advertising will hate me for saying this, but intrusive or obstructive advertising doesn't really work. It may work on TV, in newspapers and on posters, but it doesn't work on the internet - because it creates animosity.
As reported earlier on /.:
http://it.slashdot.org/article.pl?sid=07/05/31/1226222
There are a number of insecure extensions to hijack Firefox. Presumably Google's code as well as other stuff.
I suggest everybody who thinks of installing such an anti-phishing toolbar should also check out the article above.
My brain features the Logic subroutine, which prevents me from falling for scams like phishing. This is a killer application; everyone should install it!
No wonder I thought 2.0 was slow...
All this anti-phishing crap will slow your browsing experience down. Just don't be a moron, and you're fine. If you're stupid enough to fall for it then...nah I can't say that. But nigga, plox.
"For most Internet users, defending against phishing attacks is a top priority."
I cannot read past this bullshit red herring line.
Not a single user I know even understands the word "phishing".
...will come up with a way that having ten different anti-phishing extensions is a good thing. Phishing attacks rely on the uneducated and careless users, which need protection from themselves. If you're qualified to go through these ten extensions and pick the one(s) which are useful, you almost certainly don't need one. So yeah, I guess somewhat interesting for those that manage other people's computers, but it won't do much good for the average Firefox-at-home user. They'll be much better off if the built-in, default phishing protection is improved.
Live today, because you never know what tomorrow brings
Very well said!
XSS-based phishing like reported in this other PERFECT PHISHING comment can evade any current antiphishing tool.
Pasting the link and/or looking at the host won't help either, as the landing site is the original, legit one. You would need to be a programmer analyzing the whole URL very deeply, even if that example has not been obfuscated, for educational purposes, I guess.
It's detected and blocked by the NoScript Firefox extension, provided that it's opened from email or from an untrusted site, but that's another story (or just the same?)
The scary part is that if you've got automatic completion enabled for the login form, you don't even need to type anything, and your account is already stolen...
JavaScript is dangerous, and incompetent developers make it worse :(
aye, I be usin' my SpoofStick aaall the time when I'm online. Never whipped it out for no fishin' website, though. Weirdos.
In ancient times, those born like you were exposed to death on very windy cliffs.
Why the hell do you need a Firefox extension to protect yourself from Phishing?
It's simple enough: NEVER, EVER respond to an e-mail purporting to be from a bank. If your bank really needs to contact you, they will find a way. If there's really a problem with your account, you will have to visit a branch to sort it out anyway. You NEVER have to "confirm your details". Barring special circumstances, there are only two valid reasons for ever visiting a bank: paying in money through the HITW machine, and drawing out money through the HITW machine.
Also, prefer postal orders to cheques when paying for goods you have ordered. They can't be traced back any further than the post office where they were sold (which need not even be in your own town). You can pay for your postal order using a cheque, but cash is always best. Especially coins, which don't have serial numbers. Don't use very small denominations, though, as other customers behind you in the post office queue may remember being held up by someone fart-arsing about with coppers.
I smoke. You smoke. We were!
I'm fed up of people going "use OpenDNS" on every phishing thread even though IE7 and FF2 do it out of the box.
If I wanted to fuck up my DNS settings I would install the spyware myself.
OpenDNS is nothing more than self-help spyware; go read their privacy policy and read the bit about selling you and your data to anyone that wants it. Why replace one problem (phishing) with another (adverts/user tracking, profiling)?
You would have to be fucking mad to use OpenDNS; it's not open (as in source or anything) and it's not DNS.
Why break shit just to think that somehow you are safe and that the speed of light is somehow faster to their servers than your ISP's, all to be profiled by some scumbag advertisers and have my errors redirected to another page filled with scumbag adverts? OpenDNS is nothing more than a shitty advertising company hawking other people's shit instead of coming up with a product that people actually want to pay for.
You are played for suckers.
Any serious phisher will:
- Use a botnet to install a certificate as a CA on the machines,
- update the hosts file so that their bank's web site points to a new address,
- set up a website with the bank's correct address as set up in the hosts file, with a certificate signed by the CA they've installed on the host machine, that proxies the real bank's website,
- sit and collect all the login information required with what appears to be a valid URL with a valid SSH certificate (that all-important padlock in the corner),
- profit.
thank God the internet isn't a human right.
is for the best of them... oh wait, not on the list... well, another sponsored list.
They left out McAfee SiteAdvisor. I'm surprised, b/c SiteAdvisor doesn't just detect phishing sites, but also sites that spam or provide spyware downloads.
<:
http://noscript.net/
Maybe this is obvious, but I haven't seen it mentioned much before.
:)
Whenever I get a phishing email, I go to the site and type in random data in all the appropriate fields and then press submit.
I figure it's pretty difficult for the phishers to distinguish that from real data entered by less well educated / unsuspecting internet users.
If a few thousand people (let alone the millions receiving these emails) acted similarly, it would make their job very difficult indeed
My bank uses ActiveX on its website, and so I use the IE engine when using my bank online. In IETab I have a web page filter like this: "https://online.mybank.net/*", which will activate the IE engine. So if I am led to a web page, say https://online.mybamk.net/, Firefox will still use the FF engine without ActiveX support and not the IE engine, and then phishing web sites trying to mimic my bank can't use ActiveX against me, when I have this setup.
... Stuff that matters to the companies selling their products to said users and astroturfing this site.
Here are studies by the MIT AI lab and a CMU group on why phishing toolbars never work:
groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf
www.cylab.cmu.edu/files/cmucylab06018.pdf
Users' prime motive is to get their job done, for which they will click "OK" on any popup or site which makes their job easy. Most of them will never try to see what colour my address bar is, or whether the form has an HTML injector or JS hijacker, etc ;)
Most of these toolbars work on a feedback-based system, i.e. a phish outbreak occurs, some user reports it, the ISP is notified and they are taken down. The average uptime of a phish site is around 4-10 hrs, and the average number of visitors with real credentials is around 10-50 depending on the uptime. So the point is we are killing the effect, not the cause.
Use of multifactor (user to site and vice versa) with transaction verification in place will help to curb phishing.
The article missed an important anti-phishing Firefox extension: The Netcraft toolbar which is free and has been a top performer in third-party comparisons of toolbar effectiveness.
RichM
Data Center Knowledge
Most of the "top 10" list appears to be composed of reactive solutions, which rely on user reports. A proactive one automatically detects if a user is entering what appears to be a credit card or debit card number over an http or unsigned https connection - a common trait for most phishing sites.
Based on the article, Google Safe Browsing should either be at the top or bottom of the list, and not obscured by having a reactive entry in a more prominent position.
As a side note, these phishing sites want as much traffic as possible. We should give it to them - Lad Vampire handles the traffic, and the fake name generator gives the database entries.
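The "proactive" check described in the comment above (warn when something that looks like a card number is typed into a page not served over https) is small enough to show in full. This is an added example, not code from the comment author or from any of the listed extensions; it combines a Luhn mod-10 check with the page scheme. Page script cannot see whether the browser accepted an unvalidated certificate, so "unsigned https" is not covered here; that limitation is ours.

```javascript
// Added example: flag a card-like value entered on a non-https page.
// Assumptions (ours): 13-19 digits after stripping spaces/dashes, Luhn-valid,
// and pageUrl is the URL of the document hosting the form.

function luhnValid(digits) {
  // Standard Luhn mod-10 check over a string of ASCII digits.
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

function looksLikeCardNumber(value) {
  // Users type cards with spaces or dashes; strip them, then require an
  // all-digit run of plausible length that also satisfies Luhn.
  const digits = value.replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  return luhnValid(digits);
}

// Returns a human-readable warning, or null when there is nothing to flag.
function shouldWarn(fieldValue, pageUrl) {
  if (!looksLikeCardNumber(fieldValue)) return null;
  const scheme = new URL(pageUrl).protocol;
  if (scheme === "https:") return null;
  return `card-like number entered on a ${scheme.slice(0, -1)} page: ${pageUrl}`;
}

// Constructed inputs. 4111 1111 1111 1111 is the classic Luhn-valid test
// number, not a real card; the third case fails Luhn (a typo, not a card).
const CASES = [
  ["4111 1111 1111 1111", "http://session-97701.nationalcity.com.userpro.io/verify"],
  ["4111 1111 1111 1111", "https://www.nationalcity.com/checkout"],
  ["4111 1111 1111 1112", "http://example.test/form"],
  ["01/2009", "http://example.test/form"],
];
for (const [value, page] of CASES) {
  console.log(shouldWarn(value, page) || "no warning");
}
```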