Slashdot Mirror
10 Anti-Phishing Firefox Extensions
An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.
PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.
It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.
The hard line approach is to implement something that prevents putting in credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.
We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.
"On the Internet, no one knows if you're a dog" just isn't good enough any more.
Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?
I'm often too skeptical for my own britches, but that also why I do in fact pay attention to my bank's "sitekey" and why I don't these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.
Here Here.
I have never seen a phising attempt that was convincing enough that I would actually think it was a website done by a bank. I have seen some that were close, but they always fell down visually somewhere. I also have never given my bank my email address so I would be very surprised if they sent me an email.
On another point I used to ring up my friends and put on a silly voice and see if the could figure out is was me. On one occasion my mates girlfriend answered the phone so I pretended to be from mastercard. To my suprise not only did she not realise who it was, I also managed to get her credit card number out of her. I owned up and told her who I was before she finished giving me the number but it made me realise how many people fall for this far too easily.
Phising is nothing new, its just that now its easier to trawl looking for daft people in a more automated fashion.
I dont read
I don't need or want voice control, widgets, or built-in mail/irc clients. Plus, I find Opera's interface a little annoying.