
The Demise of the Anti-phishing Toolbar?

Must confess I missed this when it first kicked in, but could it be the nail in the ‘anti-phishing toolbar’ coffin? EarthLink lands a win, according to ZDNet, after being sued by a bank incorrectly flagged as a phishing website:

EarthLink had warned its customers who installed a free “ScamBlocker” toolbar–and visited AssociatedBank.com–that the Web site was “potentially fraudulent” and said that they should “not continue to this potentially risky site.”

The warning was wrong. Associated Bank, headquartered in Green Bay, Wis., with more than 300 locations in the Midwest, operated a legitimate Web site.

EarthLink got off the hook because they bought their list of dodgy websites from a third party. But who? The articles I’ve read don’t mention who it was. And how could the third party have judged a bank to be a phishing website?

I’ve not been a fan of most of these toolbars because I don’t think they do a good job of warning the user of dodgy websites, as my tests a few months back indicated. But to be honest it didn’t occur to me that these toolbars would create false positives. Bizarre.

Anti-Phishing Passwords

An obvious but effective technique against phishing, here: altering each password so it’s tied to the domain name of the site. Then, if you’re trying to sign in to a phishing fake site, the password won’t match and won’t work. Here’s the story from InformationWeek – Stanford Computer Scientists Unveil New Anti-Phishing Software:

A pair of Stanford University computer science professors unveiled today a new password scheme designed to thwart phishing at bank and other sites where a user’s identity and money are at risk. Dubbed PwdHash, the technique involves hashing the user’s password with the domain name of the site in a way that ensures that the target site is the real one, and not a site designed by phishers to capture user information.

Here’s the site itself.
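To make the idea concrete, here is a small domain-tied password derivation written for this post (it is not the Stanford PwdHash code; the HMAC-SHA256/base64 construction and the `site_key` helper are my own simplifications). The point it demonstrates is that the same master password yields different site passwords on the real bank host and on a lookalike host, so whatever a phishing page captures is useless elsewhere.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Illustration of a domain-tied password in the spirit of PwdHash. Assumed
# construction: HMAC-SHA256 keyed with the master password over the site's
# registrable domain, base64-encoded and truncated. The real PwdHash uses a
# different algorithm and output alphabet; this is only a teaching model.


def site_key(url: str) -> str:
    """Reduce a URL to the domain the derived password is bound to.

    Simplified: keeps the last two labels of the hostname, so a lookalike such as
    www.bank.example.evil.test binds to evil.test, not bank.example. A real tool
    needs a public-suffix list to handle names like example.co.uk correctly.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_password(master: str, url: str, length: int = 16) -> str:
    """Derive the per-site password the browser would actually submit."""
    mac = hmac.new(master.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    # 32-byte MAC -> 44 base64 characters; the first `length` carry no padding.
    return base64.b64encode(mac).decode("ascii")[:length]


def same_site_password(master: str, url_a: str, url_b: str) -> bool:
    """True only if both URLs bind to the same domain (same derived password)."""
    return domain_password(master, url_a) == domain_password(master, url_b)


if __name__ == "__main__":
    # Constructed sample URLs: a genuine bank host, a subdomain of it, and a lookalike.
    master = "correct horse battery staple"
    real = "https://www.bank.example/login"
    sub = "https://online.bank.example/"
    fake = "https://www.bank.example.evil.test/login"
    print(site_key(real), domain_password(master, real))
    print(site_key(fake), domain_password(master, fake))
    print("same on real and sub:", same_site_password(master, real, sub))
    print("same on real and fake:", same_site_password(master, real, fake))
```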

The Toolbar That Works

Netcraft is now offering a Firefox version of its excellent anti-phishing Toolbar.

The toolbar runs on any operating system supported by Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited.

Additionally, the toolbar blocks access to phishing sites reported by other members of the Netcraft Toolbar community and validated by Netcraft, mobilizing the community into a giant neighborhood watch scheme which empowers the most alert and experienced members to protect the vulnerable against fraud and phishing attacks. Well over 7,000 phishing sites have been detected and blocked by people using the Netcraft Toolbar since the system started at the turn of the year.

These were the only guys to spot some phishing scams I tested recently. So it’s well worth installing if you use Firefox or IE.

The Phishing War Escalates

The guys at Netcraft, a British security consultancy that has done a good job of tracking, exploring and warning about phishing, say they’ve come across the first case of cross site scripting being used in the wild for phishing purposes. This isn’t as arcane as it sounds, since it allows phishers to make their lure appear to even the wariest eye to be from a legitimate source — your bank.

Usually the weak link in a phishing email is the link itself. However much they disguise it, phishers can’t get away from the fact that they are trying to lure the victim to a site that is not the bank or other institution they’re pretending it is. Cross site scripting lets them do so.

This is done by phishers exploiting a vulnerability to ‘inject’ their own code into the legitimate website. It’s this code that the link will appear to go to in the phishing email — and so will begin with a legitimate bank URL — www.citibank.com, or whatever. The URL will then, without the victim’s knowledge, load some JavaScript from somewhere else to redirect the user to another site. This is what some fraudsters have done with a SunTrust bank phish, which Netcraft says was sent in large numbers in recent days. Netcraft says SunTrust has so far failed to reply to their emails:

Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank’s own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.
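The lesson for anyone filtering mail or checking links is that the hostname alone no longer settles the question, because the host can be the bank’s own. The following link checker is an added example for this post (not Netcraft’s tooling); it treats the host as only one signal and also inspects what the link carries in its query parameters and fragment: script markup, or a parameter pointing off to another site. The bank and attacker hostnames, and the `trusted_hosts` set, are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example: inspect a link from an email the way a mail gateway might.
# The host being genuine is not enough (the post describes injected code on a
# real bank site), so parameter values and the fragment are examined too.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def suspicious_link(url: str, trusted_hosts: set[str]) -> list[str]:
    """Return the reasons a link deserves scrutiny; an empty list means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host not in trusted_hosts:
        reasons.append(f"host {host!r} is not a known bank host")

    # Decode each value twice so doubly percent-encoded markup is still seen.
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(parts.fragment)
    for raw in values:
        value = unquote(unquote(raw))
        if SCRIPT_MARKERS.search(value):
            reasons.append(f"script markup in parameter value: {value[:40]!r}")
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname \
                and target.hostname.lower() not in trusted_hosts:
            reasons.append(f"parameter points off-site to {target.hostname}")
    return reasons


# Constructed sample links: the bank's own hosts are bank.example and its subdomains.
TRUSTED = {"www.bank.example", "online.bank.example"}
SAMPLE_LINKS = [
    "https://www.bank.example/login",
    "https://www.bank.example/search?q=%3Cscript%20src%3Dhttp%3A%2F%2Felsewhere.invalid%2Fx.js%3E",
    "https://www.bank.example/redirect?next=https://login.elsewhere.invalid/",
    "https://www.bank.example.elsewhere.invalid/login",
]


def scan_links(links=SAMPLE_LINKS, trusted=TRUSTED) -> dict[str, list[str]]:
    """Map each link to its list of reasons (empty list = clean)."""
    return {link: suspicious_link(link, trusted) for link in links}


if __name__ == "__main__":
    for link, reasons in scan_links().items():
        print(link, "->", reasons or "ok")
```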

If true (and I’ve no reason to doubt it; Netcraft know what they’re doing) this is a pretty sad state of affairs. I have two main concerns: firstly that banks still don’t seem to understand what they’re dealing with, and don’t respect security companies enough to keep up a dialogue with them so these problems are nipped quickly in the bud, and secondly, I suspect these kinds of attacks render most ‘anti-phishing tools’ useless. This is not only annoying, but dangerous.

Something I’ve noticed in recent months is a shift on the part of anti-virus manufacturers to push out software that will protect the user from phishing attacks. This is just bad marketing, and foolish. Nothing protects the individual from phishing attacks better than their own wariness and savvy. To suggest tools can will just give people a false sense of security. Examples like this SunTrust case prove the point, which I’ve banged on about for nearly a year now, that phishing is a war of escalating technology and that pushing out some feeble toolbar and suggesting it will protect the user from all such attacks is irresponsible, and thoroughly underestimates the scale of the problem and the kind of adversary we face.