Anti Phishing Tools And The Lull Of False Security

By | May 24, 2004

From Buzz Bruggeman, here’s another tool that may help fend off phishing attacks (here’s an earlier post on similar software): SpoofStick, a browser extension that sits in either IE or Firefox and tells you what website you’re really visiting.

It works like this: Many phishing scams conceal the real website in a link behind tricks such as a legitimate website name followed by lots of gobbledegook. Others put in lots of white space so the real link falls off the edge of your screen. All rely on one weirdness in URLs: if there’s more than one website in the link, it’s the last one that counts. So when you see a link beginning in ebay.com, you can’t be sure whether it’s really an eBay link until you get to the end of the link, and even legitimate links can sometimes be longer than the width of a screen. CoreStreet do a good job of explaining all this, and SpoofStick will tell you what site you’re really at.

Now, I’ve got nothing against CoreStreet offering this kind of tool; in fact I think it’s a good public service. But given the company is involved in “massively scalable validation products for identity management and access control”, I can’t help wondering whether there isn’t a better way to do this.

First off, with something like SpoofStick users would have to click on the link in their email program and visit the site in question before they know whether the email/website is genuine. Given many phishing emails now don’t bother trying to get the user to fill out a form but instead upload a keylogging trojan when they visit the scamming website, it’s going to be a bit late to find out whether the URL is legitimate or not. Better would be a tool that allows the user to copy the offending URL into a program which would then check its authenticity.

Secondly, what happens when the scammer uses a website name that sounds kosher? As mentioned in a previous posting, some scammers are smart enough to set up website names that may sound legitimate to some users (in that case updatesecuritycheck.com), so the approach adopted by SpoofStick is only going to help those who think that doesn’t sound like a legit site. To many it does.

Bottom line: SpoofStick and its ilk are good, but they don’t go far enough, and they may merely lull users into a false sense of security. It’s not that elegant, but I’d suggest concerned users go to something like Karen Kenworthy’s URL Discombobulator, freeware which will investigate any URL you paste into it and tell you what’s really behind it. Just remember to copy the link itself, not the text in front of it. Many scams will create what looks like a legitimate link but actually links to what, in a recent phish I received, the scammer charmingly admits is the ‘scampage’ (this is a real scam so I don’t advise clicking on it): https://www.paypal.com/fraudcheck/secure/bill.html?sl=070304
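The two tricks described above (a trusted name parked before the ‘@’ so the last host is the one that counts, and whitespace padding) and the “copy the link, not the text in front of it” advice can be checked offline with a small script like this. It is an added example, not SpoofStick or the URL Discombobulator, and the sample e-mail and the scampage.example host are constructed placeholders:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to for `url`.

    Covers the two tricks the post describes: a legitimate-looking name
    placed in the user-info part before '@' (only the host after the last
    '@' counts) and whitespace padding that pushes the real host off screen.
    """
    compact = "".join(url.split())           # remove the padding trick
    if "://" not in compact:
        compact = "http://" + compact        # bare 'ebay.com/...' style links
    host = urlsplit(compact).hostname or ""  # .hostname skips user:pass@
    return host.lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (shown text, shown host, real host) for every link whose
    visible text names a site other than the one the href really reaches."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for text, href in parser.links:
        looks_like_url = "." in text and " " not in text
        shown = real_host(text) if looks_like_url else ""
        if shown and shown != real_host(href):
            hits.append((text, shown, real_host(href)))
    return hits


# Constructed sample (placeholder domain): the link text and the padded
# href both start with a trusted name, but the host after '@' is the scam.
SAMPLE_EMAIL = ('<p>Please confirm: <a href="http://www.paypal.com' + " " * 40
                + '@scampage.example/bill.html">https://www.paypal.com/'
                'fraudcheck/secure/bill.html?sl=070304</a></p>')
```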