WebApp Sec mailing list archives
RE: Phishing
From: Pete Simpson <pete.simpson () clearswift com>
Date: Thu, 13 May 2004 19:13:11 +0100
Earthlink have been receiving up to 40,000 calls per day from concerned customers. In response they have developed and made freely available, to anyone, a browser toolbar (ScamBlocker) that will alert when a user clicks on an email link to one of the known fraudulent web sites. Just like antivirus signatures, the strategy is reactive and relies on EarthLink updating its list of fraudulent sites. Potentially, this may lull users into a false sense of security. Widespread adoption of the tool may enhance the effectiveness of this approach, with user feedback aiding timely reporting of new phish scam sites. ScamBlocker can be downloaded at:

http://www.earthlink.net/earthlinktoolbar/download

SpoofGuard, from a team at Stanford University, works the same way, via "a traffic light in your browser toolbar that turns from green to yellow to red as you navigate to a spoof site. If you try to enter sensitive information into a form from a spoof site, SpoofGuard will save your data and warn you. SpoofGuard warnings occur when alarm indicators reach a level that depends on parameters that are set by the user." SpoofGuard does more sophisticated checks, against previous sites you may have visited, as well as inspecting the link visited for signs of tricks used by known phishing attacks. SpoofGuard can be found at:

http://crypto.stanford.edu/SpoofGuard

Both ScamBlocker and SpoofGuard are free, but only work with Internet Explorer.

PassMark is a much more effective defence. The bank or other financial service provider provides the user with the ability to select an image, unique to the user, that will be displayed whenever he visits the genuine web site. This is a shared secret between the bank and the user and is not amenable to spoofing. That's why the phishers are now capturing screenshots when you go to the real bank...

http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=101

And the excellent anti-phishing analysis work done voluntarily at Code Fish has led to them coming under heavy hacking attack.

http://news.netcraft.com/archives/2004/05/11/antiphishing_site_targeted_by_hack_attacks.html

However, the con artists (in league with skilled hackers) responsible for the phishing phenomenon are consummate social engineers and will attempt to catch the gullible few with an appropriate workaround. For example, one Friday the user may receive a plausible email purporting to come from the bank, warning that the PassMark database has been corrupted and requesting the user to login (to a fake site) and select a new PassMark. Several variations on this theme, as well as the screenshots, will undoubtedly evolve to trick the unwary.

Another interesting approach is that pioneered by Dartmouth in 2002. This uses coloured margins to the Mozilla browsers to indicate whether the window can be trusted.

http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/

On the question of trust, do we trust TrustToolbar, who claim to identify spoof sites? "Avoid being caught in a Phishing NET" - Comodo offers the industry's widest portfolio of free to use solutions to combat the rising tide of Spoofed Web sites and Internet Phishing attacks.

http://www.trusttoolbar.com/

Yet according to some it is classed as spyware...

rgds
Pete Simpson
ThreatLab Manager
Clearswift Ltd
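The message contrasts a reactive blocklist (ScamBlocker) with heuristic link inspection and a traffic-light verdict (SpoofGuard). The following is an added illustration, not code from the post, from EarthLink or from the Stanford SpoofGuard project: a small URL scorer that combines both ideas. The blocklist entries, the "trusted sites" table standing in for SpoofGuard's history of previously visited sites, the individual heuristics and their weights are all assumptions chosen for the example; the real SpoofGuard parameters are not described on the page.

```python
"""Added example: heuristic phishing-URL scorer with a traffic-light verdict.

Not the SpoofGuard or ScamBlocker code; all weights, lists and thresholds are
assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed placeholder blocklist (the reactive, signature-style check).
KNOWN_BAD_HOSTS = {"bad-example.test"}

# Constructed stand-in for "sites you have previously visited": hostname -> display name.
TRUSTED_SITES = {"bank.example": "Example Bank"}


def score_url(url, blocklist=KNOWN_BAD_HOSTS, trusted=TRUSTED_SITES):
    """Return (score 0-100, list of reasons) for a link the user is about to follow."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    score = 0
    reasons = []

    # 1. Exact blocklist hit: certain, so short-circuit at the maximum score.
    if host in blocklist:
        return 100, ["host is on the blocklist"]

    # 2. Userinfo before '@': the text before '@' is not the host the browser connects to.
    if parsed.username is not None:
        score += 40
        reasons.append("URL carries userinfo (text before '@') that can disguise the real host")

    # 3. Raw IP address instead of a hostname.
    try:
        ipaddress.ip_address(host)
        score += 30
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    # 4. Plain HTTP: a genuine login page would be served over HTTPS.
    if parsed.scheme != "https":
        score += 10
        reasons.append("link is not https")

    # 5. A trusted site's name embedded in some other host (the history-based check).
    for trusted_host, display_name in trusted.items():
        is_same_site = host == trusted_host or host.endswith("." + trusted_host)
        brand_label = trusted_host.split(".")[0]
        if not is_same_site and brand_label in host:
            score += 40
            reasons.append(f"host imitates previously visited site {display_name} ({trusted_host})")

    # 6. Unusually deep subdomain nesting is a weak signal on its own.
    if host.count(".") >= 4:
        score += 10
        reasons.append("host has an unusually deep subdomain chain")

    return min(score, 100), reasons


def traffic_light(url, yellow=30, red=60):
    """Map the score to the green/yellow/red indicator the post describes."""
    score, _ = score_url(url)
    if score >= red:
        return "red"
    if score >= yellow:
        return "yellow"
    return "green"


if __name__ == "__main__":
    # Constructed sample links; 203.0.113.0/24 is a documentation range.
    for sample in (
        "https://bank.example/login",
        "http://bank.example@203.0.113.5/login",
        "http://bank.example.login-secure.test/",
        "https://bad-example.test/x",
    ):
        print(traffic_light(sample), score_url(sample), sample)
```

The reactive list gives a certain verdict but only for hosts someone has already reported, which is the weakness the post points out; the heuristics catch new hosts but need the thresholds tuned, which is why SpoofGuard leaves the sensitivity as a user-set parameter.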