10 Anti-Phishing Firefox Extensions

An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"

if only

[wizardforce]

For most Internet users, defending against phishing attacks is a top priority.

unfortunately it isnt, a lot of people ignore security measures designed to protect them from phishing. case in point, banks that used images/etc to show the authenticity of the website their customers use was largely ignored, few noticed it and similar studies show few have such security as one of their concerns. these extensions might have done good if people listened to them but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place. typing in addresses instead of following links, paying attention to what comes after the tld and disabling javascript for starters.

Re:if only

[profplump]

It is highly susceptible to a MiM attack. However, in order to pull off a MiM attack you'd have to at least start the login process for lots of different people from the same system, which aids in detection. It doesn't do anything to help the first few users, but it can help the bank shut down the attacker directly.

Second, it completely stops passive attack like are common with eBay pishing sites -- you can't just simulate the login page, say "Bad Password" and the redirect to the real page, you have to customize the attack page for each target. Assuming they pay attention at least.

I don't see how SSL certificates solve this either, because I can get a certificate for www.yourbank.com.pishing.ru that your browser will tell you is perfectly valid. Having you bank sing your client certificate so you can both validate without releaving private information would work, but most people wouldn't know how to install let alone generate a client certificate, banks wouldn't know how to distribute them properly, and even if you solved those problems you'd only be able to log in from systems where your private key was installed.

A list of one-time passwords supplied to each user on a wallet card would provide a good deal more security without any additional technology, keyfobs, or even much user training -- the server shows a word from column A, you enter the corresponding word from column B. Combined with a policy that allows only one active session per account by killing old sessions when a new one authenticates you would A) completely prevent a replay attacks B) deter a phisher from logging in as you and forcing you to burn a second OTP, because your new session would blow away their old session. They'd literally have to be sitting there waiting (or have scripted) all of the post-login actions and execute them before you were able to log in again and blow away their session.

And the top #1...

[funkdancer]

Is my bloody brain and eye superfilter combo. With these, I don't need any stinking slow-me-down-even-further plugins.

Re:And the top #1...

[Ash+Vince]

Here Here.

I have never seen a phising attempt that was convincing enough that I would actually think it was a website done by a bank. I have seen some that were close, but they always fell down visually somewhere. I also have never given my bank my email address so I would be very surprised if they sent me an email.

On another point I used to ring up my friends and put on a silly voice and see if the could figure out is was me. On one occasion my mates girlfriend answered the phone so I pretended to be from mastercard. To my suprise not only did she not realise who it was, I also managed to get her credit card number out of her. I owned up and told her who I was before she finished giving me the number but it made me realise how many people fall for this far too easily.

Phising is nothing new, its just that now its easier to trawl looking for daft people in a more automated fashion.

Clicking

[biocute]

How much phishing can be prevented if people stop clicking on hyperlinks, and use copy-and-paste instead?

Re:Clicking

[zygwin]

You can actually drag the link to the address bar in Firefox.It's a real time saver.

priorities

[datapharmer]

"For most Internet users, defending against phishing attacks is a top priority."

No, I disagree, I don't think it is a top priority for most users. Try pr0n.

Seriously though, it should be on the list... but let's be realistic.

Firefox 2

[SteveAyre]

Or just upgrade to Firefox 2, which has the feature built in.

Re:Firefox 2

Because:

1. it's Free software.
2. it's extensible.
3. it's fully Google compatible.
4. It's widely available/supported.
5. it looks nice.

I don't need or want voice control, widgets, or built-in mail/irc clients. Plus, I find Opera's interface a little annoying.

Re:Firefox 2

[eln]

I'm going to be brutally honest here, and I may get nailed for it, but here it goes:

The primary reason I don't use Opera is because you goddamn zealots turn me off of it.

Seriously people, every single story we see about any sort of anything that even vaguely relates to web browsers, you can bank on several comments that basically just say "Use Opera!"

It used to be the same with Linux stories and Gentoo. These days, it's rapidly becoming Linux stories and Ubuntu. Opera zealotry, however, has shown remarkable staying power.

I do not like seeing the same parroted shit about how your browser is so superior to every other browser. Yes, Opera has nice features, and yes Opera was the first to offer tabbed browsing. I get it, really I do. However, this endless stream of posts parroting the same crap about Opera in EVERY SINGLE STORY even tangentially related to web browsers is a huge turn off. Okay, so Opera has awesome mouse gesture support. Guess what? I don't give a tin shit about mouse gestures. Load times? Firefox takes an average of about 2 seconds on a non-loaded machines to start up, I don't care if your load times are any faster. Better granular control over every aspect of stylesheets? I don't care! I want to browse the web, not customize every webpage I see.

I get that your browser is nice. I don't need to hear about it every time any other browser is mentioned. Give it a fucking rest already.

Re:Firefox 2

[dteichman2]

Actually, FF3 uses less RAM than my FF2 install. So shove it.

Re:Firefox 2

[RulerOf]

The same zealotry actually keeps me off of Firefox.

I used to use Opera, way back in the day, and one of my favorite features was the mouse gesture support... of course, that was before 5 button mice became popular. I stopped using it because it didn't render several web sites properly. (Although after later learning of CSS "hacks" that are required for proper IE6 rendering, it's ironic to realize that Opera likely did render those pages correctly.)

Firefox had tabs. That made it nicer than IE6. Firefox has an initial load time significantly higher than IE6. That made it worse than IE6.

IE7 came out, and in my eyes, Firefox lost its edge. IE now has my beloved tabs. IE7 also uses ClearType, which I think most websites look better with.

When it comes down to it, you should use the web browser that you prefer, and it's not my job to give a damn which one you use. I use IE7. It loads faster and looks cleaner and better than any other browser available for Windows. But try arguing that stance with another computer geek... You'll probably get moans about security woes. Geeks are the ones smart enough not to browse as an admin and also not to install every ActiveX control and "Magical Desktop Enhancer with 50 IE Toolbars" app that they run across on a daily basis. If that's the case, why the hell start the argument in the first place?

Re:Firefox 2

[SethraLavode]

The Opera zealots are as vocal as they are because they equally (if not more) sick of the attitude of the Firefox ideologues.

They're tired of hearing people proclaim how Firefox is the greatest thing EVAR, when most of the highly-touted "new" features were part of Opera's default install for ages. They're sick of hearing people complain about how Opera used to cost money or used to have advertising and that asking for money to support a company is a bad thing, when the desktop version is free. They get annoyed at how FF users proclaim that Firefox is "truly" free, when that freedom actually only really matters to maybe 5% of the userbase. Most of all, though, Opera users get annoyed because any minor revision to Firefox or random extensions makes the main page at Slashdot by default, while equally (if not more) capable browsers get major news overlooked.

Firefox zealotry is the norm here. Supporters of other browsers have to be vocal, or else they would get little to no exposure.

Just a summary...

[dclozier]

I was hoping for a review of the extensions but only found a summary of what was available. More of the same information can be found by searching for 'phishing' extensions.

Eh?

[Mystery00]

"For most Internet users, defending against phishing attacks is a top priority."

I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser for the very first time.

...

Followed by another splash screen that says "If you ignored the previous information, you are now entering with the risk of doing something extremely stupid, would you like to bring up the Welcome screen again? [Yes] [Yes]"

Re:Eh?

[Hucko]

I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser every time.

There, fixed it for you.

Or you can just use OpenDNS

[unassimilatible]

Easy way to defeat the phishers, OpenDNS. Or you could actually look at the status bar to see what site you are clicking on...

Re:FF antiphishing howto

[Perseid]

I dunno. I think the feds can get to your computer even if it's offline. Better get out the jackhammer. Oh, um, hold on a sec. Some of my tinfoil is coming off.

Blacklists don't work any more.

[Animats]

Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.

PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.

It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.

The hard line approach is to implement something that prevents putting in credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.

We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.

"On the Internet, no one knows if you're a dog" just isn't good enough any more.

Re:Blacklists don't work any more.

[Animats]

It seems the blacklist would work perfectly if nationalcity.com.userpro.io, or just userpro.io was blocked.

Notice that they're using "userpro.tw" and "directories.io" as well. And "prouserbase.tw", "udll.tw", "usersetup.io", "kloot.hk", and more. That phish operation has a domain farm with hundreds of domains known, and probably many more that haven't been reported yet.

CastleCops identifies this as a botnet. One that buys domains with stolen credit card numbers.

Coming soon: metalists!

[aerthling]

I can't wait for the top 10 'Top 10 Firefox Extension' list.

Helpful article or payola scam?

[macraig]

Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?

I'm often too skeptical for my own britches, but that also why I do in fact pay attention to my bank's "sitekey" and why I don't these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.

The problem is the authentication mechanism!

[SplatMan_DK]

Most modern phising is done very professionally, and the pages totally mimic the real thing. I recently received a phising e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.

The "fix" against phising is a better authentication method.

For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6 digit PIN sent by SMS to the user, etc.

The whole approach attempting to eliminate phising by filtering webpages, making fancy browser plugings or stuff a lot of security-bloatware on the computers is essentially wrong. The only reason simple phising attacks work is because the authentication mechanism is way too simple.

Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.

Phising gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80's, I really don't understand why these simple methods are so largely ignored...

Pointless

[quokkapox]

All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.

People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.

98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.

grow a brain?

[SQLz]

I don't know, phishing attempts seem pretty damn obvious to me.

The PERFECT PHISHING

[Giorgio+Maone]

I guess ZoneAlarm registered customers may be surprised in finding how their own original login page works.

Even if you're not a registered user, just follow the link above and enter fake credentials.

The game becomes spicier if you have auto-completion enabled for that form...

Have fun with those antiphishing toys ;)

Original proof of concept courtesy of Elio, original XSS courtesy of .mario.

Logic, a killer feature of brain v1.0.

[greenlead]

My brain features the Logic subroutine, which prevents me from falling for scams like phishing. This is a killer application; everyone should install it!

Re:Logic, a killer feature of brain v1.0.

[zolaar]

When I opened up my Grandma's brain to install the update ( ::cough,cough:: whoa, dusty!!! ), everything seemed to go alright... at first... things just started going downhill not too long after I got the thumbscrews back in...

Yeah. Frequent, unexpected shutdowns/crashes. Memory leaking all over the place. Some peripherals seem to be completely unaddressable, others seem to have had their drivers corrupted as they work in spasms. Half the time she's completely unresponsive, maybe some I/O call is failing and causing a block, who knows...

Oh, well. She's an old system, no docs or anything, and her service warranty expired looooong ago. I think I've narrowed it down to being an issue where the filesystem got mucked up, but considering her age it could literally be anything...

Just to be sure, I should drive her up to that big-box store uptown to see what it'd take to get her all patched up and running again (they'll overcharge, though, hrmf..). OOH, wait! I heard they have some service where you ring them up and a couple technicians in funny little techie uniforms cruise over in their special little techie van and pick it up for you! Bonus! Where's that number...

red herrings taste bad

[SlashDread]

"For most Internet users, defending against phishing attacks is a top priority."

I cannnot read past this bullshit red herring line.

Not a single user I know, even understands the word "phishing".

I'm sure some Firefox proponents...

[Kjella]

...will come up with a way that having ten different anti-phishing extensions is a good thing. Phishing attacks rely on the uneducated and careless users, which need protection from themselves. If you're qualified to go through these ten extensions and pick the one(s) which are useful, you almost certainly don't need one. So yeah, I guess somewhat interesting for those that manage other people's computers, but it won't do much good for the average Firefox-at-home user. They'll be much better off if the built-in, default phishing protection is improved.