10 Anti-Phishing Firefox Extensions

Posted by CowboyNeal on Fri Jun 01, 2007 12:12 AM
from the lock-the-windows dept.
An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
  • if only (Score:5, Insightful)

    by wizardforce (1005805) on Friday June 01 2007, @12:21AM (#19348079) Journal

    For most Internet users, defending against phishing attacks is a top priority.

    Unfortunately it isn't; a lot of people ignore security measures designed to protect them from phishing. Case in point: banks that used images/etc. to show the authenticity of the website their customers use were largely ignored, few noticed it, and similar studies show few have such security as one of their concerns. These extensions might have done good if people listened to them, but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place: typing in addresses instead of following links, paying attention to what comes after the TLD and disabling JavaScript, for starters.
      • Showing an image seems to give a false sense of security to the end user. Would it not be better to teach people to take SSL certs seriously and to verify the cert matches the site the user thinks they should be accessing?

        and that is why they also tested people's observational skills- researchers observed people's interaction on a set up computer that would direct people to a site that had some significant difference compared to the real site and few refused to continue doing business as usual... the bigg

      • Re: (Score:3, Insightful)

        It is highly susceptible to a MiM attack. However, in order to pull off a MiM attack you'd have to at least start the login process for lots of different people from the same system, which aids in detection. It doesn't do anything to help the first few users, but it can help the bank shut down the attacker directly.

        Second, it completely stops passive attacks like those common with eBay phishing sites -- you can't just simulate the login page, say "Bad Password" and then redirect to the real page, you have to cus
  • And the top #1... (Score:5, Insightful)

    by funkdancer (582069) <funky@funk d a n c er.com> on Friday June 01 2007, @12:21AM (#19348081)
    Is my bloody brain and eye superfilter combo. With these, I don't need any stinking slow-me-down-even-further plugins.
    • Re:And the top #1... (Score:5, Interesting)

      by Ash Vince (602485) on Friday June 01 2007, @01:43AM (#19348451) Journal
      Hear, hear.

      I have never seen a phishing attempt that was convincing enough that I would actually think it was a website done by a bank. I have seen some that were close, but they always fell down visually somewhere. I also have never given my bank my email address, so I would be very surprised if they sent me an email.

      On another point, I used to ring up my friends and put on a silly voice and see if they could figure out it was me. On one occasion my mate's girlfriend answered the phone, so I pretended to be from Mastercard. To my surprise, not only did she not realise who it was, I also managed to get her credit card number out of her. I owned up and told her who I was before she finished giving me the number, but it made me realise how many people fall for this far too easily.

      Phishing is nothing new, it's just that now it's easier to trawl looking for daft people in a more automated fashion.
  • Clicking (Score:5, Insightful)

    by biocute (936687) on Friday June 01 2007, @12:21AM (#19348083) Homepage
    How much phishing can be prevented if people stop clicking on hyperlinks, and use copy-and-paste instead?
    • Nah. Most phishing attempts would show up in the status bar if you're looking for it. I think most people who would fall for simple phishing schemes wouldn't know the difference between dumbass.com and dumb.az.
    • Re: (Score:2, Insightful)

      You can actually drag the link to the address bar in Firefox. It's a real time saver.
      • ... or a blank spot on the tab panel for a new tab, or a tab itself to open in that tab... handy... but I like the feature of Galeon that lets you paste a link into the window with the middle button, can't figure out how to make firefox do this.
    • For that matter, how about not clicking OR copy-and-pasting?

      I mean, think about it. If it's your bank, you already know its URL anyway; you probably even have it bookmarked. Why on Earth would anyone need to follow a link from some dodgy email to go log in to their bank? No, bloody seriously.

      Let's try to think like the most clueless user for a moment, and actually believe that my bank wants me to log in to verify I still exist. Well, ok. I already have a bookmark to the bank, I'll go log in there.

      Ah, but m
      • You have to realize that while a majority of people have an IQ of 100 and up, some don't. And some of those do use the internet.

        The point is that there are people out there who are just too stupid to think about phishing. The problem is getting them to install an anti-phishing tool. In some cases one can do that for them, which might be helpful. That is where such a thing is needed.
  • "For most Internet users, defending against phishing attacks is a top priority."

    No, I disagree, I don't think it is a top priority for most users. Try pr0n.

    Seriously though, it should be on the list... but let's be realistic.
  • Firefox 2 (Score:4, Informative)

    by SteveAyre (209812) on Friday June 01 2007, @12:25AM (#19348101)
    Or just upgrade to Firefox 2, which has the feature built in. [mozilla.com]
    • Yes, and it protects you from spyware which would send all the URLs you visit to a "don't do no evil" company, too, right?

      I know this can be disabled, but how many people even know how to change the defaults?
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        Because:
        1. it's Free software.
        2. it's extensible.
        3. it's fully Google compatible.
        4. It's widely available/supported.
        5. it looks nice.

        I don't need or want voice control, widgets, or built-in mail/irc clients. Plus, I find Opera's interface a little annoying.
      • Re: (Score:2, Insightful)

        I'm going to be brutally honest here, and I may get nailed for it, but here it goes:

        The primary reason I don't use Opera is because you goddamn zealots turn me off of it.

        Seriously people, every single story we see about any sort of anything that even vaguely relates to web browsers, you can bank on several comments that basically just say "Use Opera!"

        It used to be the same with Linux stories and Gentoo. These days, it's rapidly becoming Linux stories and Ubuntu. Opera zealotry, however, has shown remarkab
  • I was hoping for a review of the extensions but only found a summary of what was available. More of the same information can be found by searching [mozilla.org] for 'phishing' extensions.
  • Eh? (Score:3, Insightful)

    by Mystery00 (1100379) on Friday June 01 2007, @12:42AM (#19348179)
    "For most Internet users, defending against phishing attacks is a top priority."

    I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser for the very first time.

    ...

    Followed by another splash screen that says "If you ignored the previous information, you are now entering with the risk of doing something extremely stupid, would you like to bring up the Welcome screen again? [Yes] [Yes]"

    • Re: (Score:2, Insightful)

      I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser every time.
      There, fixed it for you.
  • by unassimilatible (225662) on Friday June 01 2007, @12:46AM (#19348195) Journal
    Easy way to defeat the phishers, OpenDNS [opendns.com]. Or you could actually look at the status bar to see what site you are clicking on...
    • Why is OpenDNS smarter?

      We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org.

      When you try to go to a website that won't load, instead of a browser error we show you OpenDNS Guide and help you get to where you want to go.


      How about not breaking shit and returning a notfound?
      • Why is OpenDNS smarter?

        We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org.

        When you try to go to a website that won't load, instead of a browser error we show you OpenDNS Guide and help you get to where you want to go.


        How about not breaking shit and returning a notfound?

        The semi spyware/pyramid scheme/web 2.0 abuser/search engine abuser toolbar you advertise via referral on your signature could be a good starting point not to "break the shit".

    • I use OpenDNS and I help PhishTank, but OpenDNS itself is only a DNS service, which is only interested in the hostname part, not the page. Using OpenDNS may help against completely evil hosts that serve nothing but phishing, but you still need the PhishTank extension/support for page/URL based phishes.

      I think that is the main reason why PhishTank was started by OpenDNS.

      As a PhishTank verifier, I think the good old days of checking the status bar and viewing the browser address bar are soon over, if not already. I have even seen a couple of cr
  • by Animats (122034) on Friday June 01 2007, @01:06AM (#19348265) Homepage

    Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.

    PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank [phishtank.com] include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.

    It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.

    The hard line approach is to implement something that prevents putting credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one of those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.

    We (SiteTruth [sitetruth.com]), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.

    "On the Internet, no one knows if you're a dog" just isn't good enough any more.

      • Re: (Score:3, Interesting)

        It seems the blacklist would work perfectly if nationalcity.com.userpro.io, or just userpro.io was blocked.

        Notice that they're using "userpro.tw" and "directories.io" as well. And "prouserbase.tw", "udll.tw", "usersetup.io", "kloot.hk", and more. That phish operation has a domain farm with hundreds of domains known, and probably many more that haven't been reported yet.

        CastleCops identifies this as a botnet. [castlecops.com] One that buys domains with stolen credit card numbers.
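        As an added example (not from the thread or from PhishTank/CastleCops), a Python sketch of the point made in the parent and this reply: an exact-URL blacklist misses every unreported session hostname, while matching on the registrable domain (userpro.io, userpro.tw, directories.io) catches them without blocking the real nationalcity.com. The suffix set is a constructed stand-in for the Public Suffix List, and the full URLs are constructed around the hostnames quoted above.

```python
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: only the suffixes this
# example needs. A real deployment would load the full list.
PUBLIC_SUFFIXES: Set[str] = {"com", "io", "tw", "hk", "co.uk"}


def host_of(url: str) -> Optional[str]:
    """Hostname of a URL: userinfo and port stripped, lowercased."""
    if "://" not in url:            # tolerate bare 'host/path' entries
        url = "http://" + url
    return urlsplit(url).hostname   # 'user@host:8080' -> 'host'


def registrable_domain(host: str) -> str:
    """Domain actually bought from a registrar, e.g.
    'session-97701.nationalcity.com.userpro.io' -> 'userpro.io'.
    The leftmost split is tried first, so the longest suffix wins
    ('co.uk' beats 'uk')."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)         # no known suffix: treat whole host as domain


def exact_url_match(url: str, blacklist_urls: Iterable[str]) -> bool:
    """The PhishTank-style check: one URL string per reported phish."""
    return url in set(blacklist_urls)


def domain_match(url: str, blacklist_domains: Set[str]) -> bool:
    """The check the reply suggests: block the whole registered domain."""
    host = host_of(url)
    return host is not None and registrable_domain(host) in blacklist_domains


def classify(url: str, blacklist_urls: Iterable[str],
             blacklist_domains: Set[str]) -> str:
    """'exact' if the URL itself was reported, 'domain' if only its
    registrable domain was, otherwise 'clean'."""
    if exact_url_match(url, blacklist_urls):
        return "exact"
    if domain_match(url, blacklist_domains):
        return "domain"
    return "clean"


# Constructed URLs built from the hostnames reported in the thread.
REPORTED_URLS = [
    "http://session-97701.nationalcity.com.userpro.io/",
    "http://session-300962.nationalcity.com.userpro.io/",
    "http://session-5489554.nationalcity.com.userpro.tw/",
    "http://session-2721837.nationalcity.com.directories.io/",
]
# Derive the domain blacklist once from the reported URLs.
BLOCKED_DOMAINS = {registrable_domain(host_of(u)) for u in REPORTED_URLS}

if __name__ == "__main__":
    for u in ["http://session-8140011.nationalcity.com.userpro.io/",  # unreported session
              "https://www.nationalcity.com/",                          # the real bank
              "http://nationalcity.com@session-1.userpro.tw:8080/"]:    # userinfo trick
        print(classify(u, REPORTED_URLS, BLOCKED_DOMAINS), u)
```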

  • by aerthling (796790) on Friday June 01 2007, @01:16AM (#19348293)
    I can't wait for the top 10 'Top 10 Firefox Extension' list.
  • Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?

    I'm often too skeptical for my own britches, but that's also why I do in fact pay attention to my bank's "sitekey" and why I don't use these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.
  • Most modern phishing is done very professionally, and the pages totally mimic the real thing. I recently received a phishing e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.

    The "fix" against phishing is a better authentication method.

    For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6 digit PIN sent by SMS to the user, etc.

    The whole approach of attempting to eliminate phishing by filtering webpages, making fancy browser plugins or stuffing a lot of security-bloatware on the computers is essentially wrong. The only reason simple phishing attacks work is because the authentication mechanism is way too simple.

    Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.

    Phishing gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80's, I really don't understand why these simple methods are so largely ignored...
    • The "fix" against phising is a better authentication method.

      no! the best authentication method in the world can not protect against this: http://it.slashdot.org/article.pl?sid=07/05/15/2216235 [slashdot.org]
        • Hey, you were the one to say "The "fix" against phising is a better authentication method." I didn't say it'd be ipso facto apt for mom and pop.

          Besides, the explanation to developers on mozdev isn't necessarily the one I'd give to grandma, but I hoped it wouldn't be necessary to say this.

          For any technical comments about enigform, you are more than welcome to address the comments on the site, not to a random slashdotter.
            • Since it's still at a very early phase of development, I'd say that there's plenty of time (or none at all, if we think of the original problem) to make it work, and then make it friendly. Though it's possible that, without being somewhat friendly, it will not work -as in be useful and used- at all.

    • No, the 'fix' has been available in browsers since 1993, and it's called 'bookmarks'. Don't be so stupid as to follow links to your bank/paypal/ebay from some random e-mail/website; just use the bookmark in your browser to go to the website instead.

      As long as the phishers haven't hijacked your dns settings, this method is safe. And if someone managed to either compromise your hosts file/dns servers, you have other things to worry about...
        • No, I'm suggesting that people use bookmarks to go to their bank's website instead of following links in e-mails, not to get rid of anchors altogether. Or do you send e-mails with links to banks to other people at work?
  • Pointless (Score:5, Insightful)

    by quokkapox (847798) <quokkapox@gmail.com> on Friday June 01 2007, @01:34AM (#19348401)

    All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.

    People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.

    98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue in ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.

    • Yes. It keeps occurring to me that perhaps the net SHOULD be represented as a dangerous, confusing place, because that way people might actually be cautious. Your bank account, credit card, passwords, and PC can be effectively stolen. Sorry Hollywood, you were right! (The Net)
  • grow a brain? (Score:3, Insightful)

    by SQLz (564901) on Friday June 01 2007, @01:53AM (#19348499) Homepage Journal
    I don't know, phishing attempts seem pretty damn obvious to me.
  • This is the same style of 'security solution' as Anti-Virus software.

    Phishing is really easy to prevent.
    1. Don't submit information on non-encrypted pages
    2. Check certificate to make sure it's for the company you want to send the information to.

    Amazingly this is really simple, protects better than any 'anti-phishing' list and has been part of the default functionality of web browsers for many years.
  • I guess ZoneAlarm registered customers may be surprised in finding how their own original login page [zonealarm.com] works.

    Even if you're not a registered user, just follow the link above and enter fake credentials.

    The game becomes spicier if you have auto-completion enabled for that form...

    Have fun with those antiphishing toys ;)

    Original proof of concept courtesy of Elio [wilderssecurity.com], original XSS courtesy of .mario [ckers.org].

  • If only there were an extension to block real phishing on the web [amyleblanc.com]
    ...
    NJ Transit [nynj.net] , PATH train [nynj.net] schedules online
  • Phishing and other scams are easy to avoid if one simply uses the brain to think with:

    - Banks don't send out security warnings by email with a handy link in so you can 'confirm your details'.
    - Banks never ask for all of your security details, even when you are logging on to their actual site - they ask for part of them only.
    - And of course, you should get a teeny bit suspicious when you receive tens of 'security warnings' or similar from banks in a day, especially when you don't have an account there.

    The top pri
  • by greenlead (841089) on Friday June 01 2007, @03:52AM (#19349061) Journal

    My brain features the Logic subroutine, which prevents me from falling for scams like phishing. This is a killer application; everyone should install it!

  • by SlashDread (38969) on Friday June 01 2007, @04:28AM (#19349239)
    "For most Internet users, defending against phishing attacks is a top priority."

    I cannot read past this bullshit red herring line.

    Not a single user I know, even understands the word "phishing".
  • by Kjella (173770) on Friday June 01 2007, @04:38AM (#19349281) Homepage
    ...will come up with a way that having ten different anti-phishing extensions is a good thing. Phishing attacks rely on the uneducated and careless users, which need protection from themselves. If you're qualified to go through these ten extensions and pick the one(s) which are useful, you almost certainly don't need one. So yeah, I guess somewhat interesting for those that manage other people's computers, but it won't do much good for the average Firefox-at-home user. They'll be much better off if the built-in, default phishing protection is improved.
  • aye, I be usin' my SpoofStick aaall the time when I'm online. Never whipped it out for no fishin' website, though. Weirdos.
  • Why the hell do you need a Firefox extension to protect yourself from Phishing?

    It's simple enough: NEVER, EVER respond to an e-mail purporting to be from a bank. If your bank really needs to contact you, they will find a way. If there's really a problem with your account, you will have to visit a branch to sort it out anyway. You NEVER have to "confirm your details". Barring special circumstances, there are only two valid reasons for ever visiting a bank; paying in money through the HITW machine, and
      • I dunno. I think the feds can get to your computer even if it's offline. Better get out the jackhammer. Oh, um, hold on a sec. Some of my tinfoil is coming off.