Internet Explorer 7 includes a "Phishing Filter":
In the case of Microsoft, data is transmitted to their servers via a secure connection which includes every URL you visit, however according to the IE7 privacy statement [microsoft.com] query strings are not transmitted, so for example your specific Google or MSN searches will not be sent. The URLs submitted in real time are compared to a database held by Microsoft, which returns information to the browser regarding the URL.
Phishing Filter is designed to warn you if the website you are visiting might be impersonating a trusted website. Phishing Filter does this by first checking the address of the website you are visiting against a list of website addresses stored on your computer that have been reported to Microsoft as legitimate ("legitimate list"). (...) addresses not on the legitimate list will be sent to Microsoft and checked against a frequently updated list of websites that have been reported to Microsoft as phishing, suspicious, or legitimate websites. (...) the address of the website you are visiting will be sent to Microsoft, together with some standard information from your computer such as IP address, browser type, and Phishing Filter version number. To help protect your privacy, the address information sent to Microsoft is encrypted using SSL and limited to the domain and path of the website. Other information that may be associated with the address, such as search terms, data you entered in forms, or cookies, will not be sent.
Firefox 2.0 takes a different route, called "Safe Browsing". The biggest difference is that data is not sent to Mozilla or any other source, but each URL you visit is checked against a local list which is downloaded periodically from Mozilla.
When Phishing Protection is used in default mode, no information about the sites you visit is sent to Mozilla or anti-phishing partners. Rather, sites are checked against a local list that is downloaded to your computer and updated on a regular basis.
Firefox's solution certainly appears to avoid any privacy problems as the data remains on the end-user's machine. But the lack of a real-time lookup reduces the potential effectiveness faced with a rapidly-evolving threat.
Finally, Opera. Opera 9 does not include phishing protection, but such measures are expected in Opera 9.1 onwards. From OperaWatch [operawatch.com]:
Opera's Fraud Protection will work differently than Firefox and Internet Explorer's (IE) anti-phishing protection. In Opera, when you type a URL in the address bar, while the page is being requested from the web server, Opera will simultaneously access Opera's database to check the legitimacy of the site you want to visit.
If the site is determined to be a fraud, Opera will instead display a warning and block you from visiting the site. You'll still have the option to bypass the warning.
So, in your opinion is anti-phishing protection (using any method) really a useful tool, or is it just part of a marketing exercise where each browser must keep up with the others? Do you think anti-phishing will work? Are you concerned about the "phone home" aspects of real-time URL lookups sent to Microsoft or Opera?
[edited by: encyclo at 1:44 am (utc) on Nov. 6, 2006]
The firefox method seems limited by the size of the local file - if there are ten-million phishing sites it just won't work.
Unfortunately, I think all three (although I think Opera's is just a variant of Microsoft's) solutions are non-workable.
As stated before, phishing sites are deployed, spammed out, and taken down in less than a few hours.
Any database will be woefully out of date, within minutes after downloading.
Databases at Microsoft, Opera, or any other third party might catch up faster, but the probability is very high that the majority of such phishing sites would be missed.
[edited by: Tapolyai at 3:11 am (utc) on Nov. 6, 2006]
Also, it is possible (if you go drilling down through the options) to set Firefox to do a live lookup to Google (or other anti-phishing list supplier). This of course does reduce your privacy, so it's not enabled by default.
Is it optimal?
Nah, but is it needed?
These technologies aren't aimed at computer savvy people, it's aimed at the average joe on the net that doesn't have a clue what's happening and losing a little privacy opposed to being defrauded is a small price to pay to rid ourselves of the damn phishers.
Of course I'm not running either anti-phish, but I look at the URLs and obviously don't click on emails telling me to update my accounts, but does granny know to do this?
I'm glad to see some protection in place for the masses, about time.
Once enabled the data is stored forever some place.
The best protection against phishing lies with user caution. Browsers which suggest they protect against phishing may induce rash behaviour among users, resulting in more danger.
As for privacy, I haven't a problem with it. I can not imagine that anyone is really interested in the surfing habits of an unknown 41 year old man in England. Even if the staff at some company could identify me, from among the billions of other people's data they collect, why should they care? Why should I care? Unless I intend to commit acts of great illegality.
A real time list is only real time as soon as it is updated.
If a new phishing site appears the real time list will only alert users if Micro$oft know about it! In theory 10 million new phishing sites could appear but IE7 users won't be protected until all 10 million are added to the list.
I somehow get the feeling that making a browser 'phishing safe' is just spin to a) gather info by stealth, b) fool users into using a product they think they need.
This is quite similar to all those 'anti bacterial' cleaning products. Pure FUD marketing.
If a new phishing site appears the real time list will only alert users if Micro$oft know about it!
Not everyone will be protected initially but it's a numbers game.
So what it's the first 10K people that encounter it are wide open if the next 10M people are protected?
You can't stop everything but you can limit the collateral damage somewhat.
So sad that spammers and phishers are so far ahead of the curve than the developers.
When a flaw in a Microsoft package is announced Redmond issue a press release saying something like "We will release a patch a week next tuesday"
If they are that quick to respond to reported vulnerabilities how quick are they to respond to phishing?
There are far too many delays in the system for IE and FF but I'll take issue here with IE for its phoning home method.
A new phishing site is created 22:50 GMT.
How long until someone is phished?
How long until that person realises they have been phished?
What do they do about it? Hmm, where's the 1-800 number for Phish Alert?
When Microsoft are informed do they immediately list a site or do they have to have their legal team check it out in case the site is not actually a phishing site and they don't want to get sued?
How many people have visited the rogue site from when it was created to when the site was first listed? It could be days, or weeks even.
This has to be the worst feature / case of mis-selling a product ever!
you THINK the site you are visiting is OK, but actually it is a brand new 'phishing site' not yet tagged as such. Makes things even more confusing for granny.
FF and IE users will be so confident that their PC is 'phishing safe' that they will drop their guard, respond to any bank, auction, or online pay site and enter their details.
The only true way of defeating phishing is an idea suggested by Robert X. Cringely.
Every time you get a phishing email click the link and enter a totally fictitious username, password, account no. etc.
If thousands of people did that, then the phishers would have thousands of fake account details which would give them access denied when they logged onto the real site.
Whilst that relies on good samaritans to create a false account info a better solution would be to do this:
An anti phishing site uses a script which connects via anonymous proxies (just like the spammers do) and generates random username, password and account numbers and posts them on the phishing site.
This will flood the phishers with thousands of false info which they would not realise.
It would make far more sense if Microsoft, Mozilla, or G. did something like this.
Is there a point just because it's phishing vs. a virus?
I don't think so.
People are protected AFTER the fact in both cases.
[edited by: incrediBILL at 6:02 am (utc) on Nov. 7, 2006]
A virus tends to cause a lot of trouble and spreads like wildfire. A phishing site tends to get closed down pretty quickly.
Phishing emails spread like wildfire too and I've seen Phish sites up days before someone kills 'em, it all depends on who/when/where it happens as a weekend is a killer time for phishing from a corporate server.
A bit off the topic. Sometimes I receive very tricky phishing emails. I would like to report them, but where should I report them?
The antiphishing workgroup does a good job at it to my knowledge:
1. Create a new mail to email@example.com.
2. Drag and drop the phishing email from your inbox onto this new email message
* In Netscape drop it on the 'attachment' area
3. Do not use "forward" if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the Web interface to outlook: in that case forward is the only solution.
I hope the antiphishing workgroup is authoritative enough to allow a URL.
- do NOT click, type the address of your bank / service provider / eBay / PayPal, whatnot yourself in the address bar.
The best anti-phishing method for a service provider:
- do not send emails to customers with URL in them that require them to log in
- tell customers you will never send URLs that need them to log in.
- use only one domain name, even when external marketing companies are involved.
- if important data is to be protected; use real 2 factor authentication preferably including an off-line device.
I also doubt that the MS database is updated more frequently on their side more often than every half hour. Of course I could just have a look at their source code and see. Oh wait, no I can't see how they do what they claim they do.
It really doesn't matter whether the intentions are good or not, I can't see what MS does with the information they collect, who they share it with or what they'll do in the future. Same goes for Google and Opera. All Mozilla can see is that I download the file. That sounds like it's in my best interests.
Of course, "in my best interests" doesn't imply the service will work well, just that I'm not going to spend my time and effort updating somebody else's marketing info on me.
Wow, so cynical already and the day's just started...
They aren't better than nothing they are worse than nothing. As has been stated, they provide granny with false expectations that it does something. It's a totally different animal than antivirus and I don't know why you aren't getting that point.
The phishing sites get shut down pretty quickly because ebay/paypal etc go after them. So a long term solution isn't needed on a browser. To make granny safe requires either a real-time solution or awareness. This non-solution makes her less alert and feel more secure.
If it takes a week to get into the database, in most cases the site has been shut down. It may help 5 grannies not to get phished and give 10,000 grannies false hope to take down her guard and catch 2,000 of the 10,000 who might otherwise have been alert/too scared to provide login details from an email.
Not knowing what MS does, it's really hard to criticize IMO but technically speaking, from all the phishing sites I've ever seen, and I've seen a LOT of them just for curiosity, I think I could easily develop code to profile the page so a mega company like MS could sure put enough resources than I can deploy to make such a thing REASONABLY safe.
I do similar site profiling when I link check my directory and have profiles that cover hundreds of domain parks and I can pretty accurately identify a domain park page I've never seen even, and some are pretty tricky trying not to be identified, so I'm pretty sure automated anti-phishing could do the same.
OK, let's look at what it would take to provide real-time anti-phishing.
MS could easily pull the referenced page in real time and evaluate the content automatically to see if it looks like a phishing page, about 1-2 second turnaround in most cases.
You could check the text for many keywords like paypal, citibank, BofA, compare the graphics against logos for those companies, yada yada. check URLs in the page for just IPs or subdomains which is common and report back whether it looks safe or not.
What's the main clue it's a phish page?
Phish pages typically have all links out to the real site, which isn't the current domain, and a single form that either submits to the current domain or a 3rd party domain. Seems like just evaluating the page to see if it has all external links except the form post itself would be a real tip we have a suspicious page on its own.
It's not rocket science to build something that could easily profile what appears to be phishing, and worst case, pop it up on a screen for a human in a control room to quickly glance at when something meets the criteria and they review it ASAP. After a quick hand review, everyone else that encounters the page is protected.
In my scenario of how I would implement this technically, you might have ZERO people get to the page if it's automatically checked in real-time, or a handful of people tricked while waiting on someone to hand check a suspicious page.
So, based on my experience building similar page profiling code, I see it possible to be at least 98% accurate just with automated page profiling alone and improving over time.
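The page-profiling signals from the post above (every link leaving the current domain, a single form that posts somewhere other than the linked site, a bare-IP host) sketched as an added example; it is not the poster's code or any browser vendor's. The signal names, the three-link threshold and the sample pages are assumptions made here.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # host that is a bare IPv4 address

class Collector(HTMLParser):
    """Gathers absolute link targets, form actions and password inputs."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.forms, self.password = base, [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":  # a missing action posts back to the page itself
            self.forms.append(urljoin(self.base, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password = True

def host(url):
    return (urlsplit(url).hostname or "").lower()

def same_site(a, b):
    # Simplification: exact or parent/child host match, no public-suffix list.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def profile_page(url, html):
    """Return the list of phishing signals found on one fetched page."""
    c = Collector(url)
    c.feed(html)
    page, signals = host(url), []
    targets = [h for h in map(host, c.links) if h]
    if IPV4.fullmatch(page):
        signals.append("ip-host")
    if len(targets) >= 3 and not any(same_site(h, page) for h in targets):
        signals.append("all-links-external")
        linked = Counter(targets).most_common(1)[0][0]  # site the links imitate
        if len(c.forms) == 1 and not same_site(host(c.forms[0]), linked):
            signals.append("form-posts-elsewhere")
    if c.password and signals:
        signals.append("collects-password")
    return signals

# Constructed sample pages (documentation addresses, not real sites).
NAV = "".join('<a href="{0}/%s">%s</a>' % (p, p) for p in ("help", "terms", "contact"))
FORM = '<form action="{0}"><input type="password" name="p"></form>'
LOOKALIKE = NAV.format("https://www.bank.example") + FORM.format("save.php")
GENUINE = NAV.format("") + FORM.format("/session")
```

A page that returns several signals is a candidate for the human review queue the post describes; an empty list only means none of these particular signals fired.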
I am concerned by Opera's proposed solution. It seems as if they are simply jumping on the bandwagon rather than adding an anti-phishing feature due to any particular demand. Let's face it, Opera users don't tend to include the granny contingent. The suggestion that they would send real-time information in the clear (unencrypted) is not reassuring. It is a reaction to IE7's encrypted connection (where you can't be sure what is being transmitted), but is no better a solution.
The IE7 "whitelist" seems flawed in practice as well, and in any case there is a significant weakness in all the current implementations - the inability to handle the increasing problem of DNS poisoning. MS can decide to whitelist "google.com" or "msn.com" to reduce connections to the anti-phishing servers, but this opens up a hole with false positives if the phisher uses DNS poisoning or spyware-installed hosts file modifications to switch calls to a whitelisted site to the attacker's server.
It isn't a zero-gain issue for end-users - anti-phishing technology can help in limited circumstances to reduce the effectiveness of simple phishing scams. However, the implementations are under-developed, incomplete, badly thought-out and ineffective against anything but the simplest of threats. There's a long way to go before getting to the sort of on-page analysis suggested by IncrediBILL in the above post.
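A defender-side check for the hosts-file weakness raised in the post above, as an added example that is not part of the thread: it flags hosts entries that pin a name on a local "legitimate list", since those names would resolve without DNS and skip the remote lookup. The list contents and the sample file are constructed; the real IE7 list is not shown on this page.

```python
import ipaddress

# Hypothetical stand-in for the local "legitimate list" (names taken from the post).
LEGITIMATE = {"google.com", "msn.com"}

def overridden_hosts(hosts_text, legitimate=LEGITIMATE):
    """Return (line_no, name, address) for hosts entries that pin a listed site."""
    findings = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid "address name..." line
        for name in fields[1:]:
            n = name.lower().rstrip(".")
            # Any pin of a listed name or its subdomains bypasses DNS, whatever the address.
            if any(n == d or n.endswith("." + d) for d in legitimate):
                findings.append((no, n, str(addr)))
    return findings

# Constructed sample hosts file (documentation address ranges).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1      localhost
::1            localhost
198.51.100.23  www.google.com google.com   # entry added by an unknown installer
192.0.2.10     intranet.corp.example
"""

if __name__ == "__main__":
    for line_no, name, addr in overridden_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {addr}")
```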