10 Anti-Phishing Firefox Extensions
An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
if only (Score:5, Insightful)
Unfortunately it isn't; a lot of people ignore security measures designed to protect them from phishing. Case in point: banks that used images etc. to show the authenticity of the website their customers use were largely ignored; few noticed it, and similar studies show few have such security as one of their concerns. These extensions might have done good if people listened to them, but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place: typing in addresses instead of following links, paying attention to what comes after the TLD and disabling JavaScript for starters.
Re: (Score:1)
I never have understood how showing me a picture is supposed to prove a web site's authenticity. This seems highly susceptible to man-in-the-middle attacks since the attacker can use the information from you to retrieve the images from the bank's site to display to you.
Showing an image seems to give a false sense of security to the end user. Would it not be better to teach people
Re: (Score:2)
and that is why they also tested people's observational skills- researchers observed people's interaction on a set up computer that would direct people to a site that had some significant difference compared to the real site and few refused to continue doing business as usual... the bigg
Re: (Score:3, Insightful)
Second, it completely stops passive attacks like those common with eBay phishing sites -- you can't just simulate the login page, say "Bad Password" and then redirect to the real page, you have to cus
Re: (Score:2)
And the top #1... (Score:5, Insightful)
Re:And the top #1... (Score:5, Interesting)
I have never seen a phishing attempt that was convincing enough that I would actually think it was a website done by a bank. I have seen some that were close, but they always fell down visually somewhere. I also have never given my bank my email address so I would be very surprised if they sent me an email.
On another point I used to ring up my friends and put on a silly voice and see if they could figure out it was me. On one occasion my mate's girlfriend answered the phone so I pretended to be from Mastercard. To my surprise not only did she not realise who it was, I also managed to get her credit card number out of her. I owned up and told her who I was before she finished giving me the number but it made me realise how many people fall for this far too easily.
Phishing is nothing new, it's just that now it's easier to trawl looking for daft people in a more automated fashion.
Re: (Score:2)
Yeah, I'm t
Re: (Score:1)
Re: (Score:2)
To get at my hosts file you need me to run your dodgy code as root. Since I am a fairly paranoid individual this is unlikely to happen. I have not used a web browser from the root account ever. The only thing I use my root account for is mounting disk images from the command line and using portage.
My router does not cache DNS requests as far as I am aware.
This discounts both of your atac
Re: (Score:2)
As for DNS, I thought the topic was the typical phishing website a
Re: (Score:2)
I did post a reply detailing my bank and some of the other details you asked for along with my reasoning as to why your attack will not work.
http://slashdot.org/comments.pl?sid=236921&cid=19350757 [slashdot.org]
Please take the time to read it and let me know what you think.
Clicking (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
For that matter... (Score:2)
I mean, think about it. If it's your bank, you already know its URL anyway, you probably even have it bookmarked. Why on Earth would anyone need to follow a link from some dodgy email to go log in to their bank? No, bloody seriously.
Let's try to think like the most clueless user for a moment, and actually believe that my bank wants me to log in to verify I still exist. Well, ok. I already have a bookmark to the bank, I'll go log in there.
Ah, but m
Re: (Score:1)
You are thinking about it (which of course is a good thing).
Many users do not think about it - at least the ones that fall for the scams are more likely thinking like this:
"Oh, my bank needs to verify my identity. Oh, convenient, there's a link here, then in one go I can open the Internet and go there.".
That of course is much easier than opening the browser, digging through your bookmarks (and plenty of users don't keep bookmarks - my wife for example always types in yahoo.com and hotmail.com to check he
Re: (Score:2)
The point is that there are people out there who are just too stupid to think about phishing. The problem is getting them to install an anti-phishing tool. In some cases one can do that for them, which might be helpful. That is where such a thing is needed.
Re: (Score:2)
Approximately 3.10832701%. If people cared to see what they copy, they'd also care to look at the address bar of what they clicked. But they don't.
Another question, since this seems to be the trend: How much phishing can be prevented if we forbid both links and copy/paste, and remove any ability to type a string and get a site. Instead the bank will give their clients little floppies with hardcoded short
priorities (Score:2, Insightful)
No, I disagree, I don't think it is a top priority for most users. Try pr0n.
Seriously though, it should be on the list... but let's be realistic.
Firefox 2 (Score:4, Informative)
Re: (Score:1)
Re:Firefox 2 (Score:4, Informative)
Re: (Score:1, Flamebait)
Because it's prerelease, but they assured everyone that by release time we'll have the same experience as with FF2.
Re: (Score:2)
I know this can be disabled, but how many people even know how to change the defaults?
Re: (Score:1)
http://www.mozilla.com/en-US/firefox/phishing-pro
Re: (Score:2)
In particular, I've been looking at "online pharmacy" sites that are obviously fake (e.g. have you submit credit card information over http rather than https) - which is a common trend for 99% of these fake pharmacy sites that I've been to.
Re: (Score:2, Interesting)
I don't need or want voice control, widgets, or built-in mail/irc clients. Plus, I find Opera's interface a little annoying.
Re: (Score:2, Insightful)
The primary reason I don't use Opera is because you goddamn zealots turn me off of it.
Seriously people, every single story we see about any sort of anything that even vaguely relates to web browsers, you can bank on several comments that basically just say "Use Opera!"
It used to be the same with Linux stories and Gentoo. These days, it's rapidly becoming Linux stories and Ubuntu. Opera zealotry, however, has shown remarkab
Re: (Score:1)
----ducks**
Re: (Score:2, Insightful)
I used to use Opera, way back in the day, and one of my favorite features was the mouse gesture support... of course, that was before 5 button mice became popular. I stopped using it because it didn't render several web sites properly. (Although after later learning of CSS "hacks" that are required for proper IE6 rendering, it's ironic to realize that Opera likely did render those pages correctly.)
Firefox had tabs. That made it nicer than IE6. Fir
Re: (Score:2, Insightful)
The Opera zealots are as vocal as they are because they are equally (if not more) sick of the attitude of the Firefox ideologues.
They're tired of hearing people proclaim how Firefox is the greatest thing EVAR, when most of the highly-touted "new" features were part of Opera's default install for ages. They're sick of hearing people complain about how Opera used to cost money or used to have advertising and that asking for money to support a company is a bad thing, when the desktop version is free. They ge
Re: (Score:2)
You've done a nice job of trying to rationalize fanboyism. The truth is, fanboyism of any product, whether it be Opera or Firefox, is harmful to the product. Firefox, being the second most used browser with usage rising all the time, doesn't seem to be hurt by the fanboyism. Opera, being the fifth most used browser and usage below 1% according to NetApplications [hitslink.com], can't afford to be hurt by fanboyism.
Your point about Firefox being covered on Slashdot more than other browsers is misguided. Firefox is covere
Just a summary... (Score:2, Informative)
Eh? (Score:3, Insightful)
I think 'most' users would say "what the hell is phishing?" The only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser for the very first time.
Followed by another splash screen that says "If you ignored the previous information, you are now entering with the risk of doing something extremely stupid, would you like to bring up the Welcome screen again? [Yes] [Yes]"
Re: (Score:2, Insightful)
Or you can just use OpenDNS (Score:3, Informative)
Re: (Score:2)
We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org.
When you try to go to a website that won't load, instead of a browser error we show you OpenDNS Guide and help you get to where you want to go.
How about not breaking shit and returning a notfound?
Re: (Score:2)
Why is OpenDNS smarter?
We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org.
When you try to go to a website that won't load, instead of a browser error we show you OpenDNS Guide and help you get to where you want to go.
How about not breaking shit and returning a notfound?
The semi spyware/pyramid scheme/web 2.0 abuser/search engine abuser toolbar you advertise via referral on your signature could be a good starting point not to "break the shit".
Re: (Score:2)
I think that is main reason why phishtank was started by openDNS.
As phishtank verifier I think the good old days of checking status bar, viewing browser address bar are soon over if not already. I have even seen couple of cr
who is this for ? (Score:1)
Blacklists don't work any more. (Score:5, Interesting)
Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.
PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank [phishtank.com] include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.
It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.
The hard line approach is to implement something that prevents putting in credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one of those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.
We (SiteTruth [sitetruth.com]), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.
"On the Internet, no one knows if you're a dog" just isn't good enough any more.
Re: (Score:1)
you're using Yahoo as a host but they aren't a verifiable website? Methinks you shouldn't be doing business with them.
Re: (Score:1)
Re: (Score:3, Interesting)
It seems the blacklist would work perfectly if nationalcity.com.userpro.io, or just userpro.io was blocked.
Notice that they're using "userpro.tw" and "directories.io" as well. And "prouserbase.tw", "udll.tw", "usersetup.io", "kloot.hk", and more. That phish operation has a domain farm with hundreds of domains known, and probably many more that haven't been reported yet.
CastleCops identifies this as a botnet. [castlecops.com] One that buys domains with stolen credit card numbers.
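The two posts above make a point a blacklist maintainer can check: per-session hostnames defeat an exact-URL list, while blocking at the registrable domain (the "userpro.io" suggestion) catches the next unreported one. This is an added example, not code from PhishTank, SiteTruth or any commenter; the hostnames are the ones quoted in the thread, the "fresh" session URL and the small multi-label suffix table are constructed assumptions.

```python
# Added example (not from the thread): exact-URL blacklist vs. registrable-domain
# blacklist against per-session phishing hostnames.
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List so this runs offline.
# A real deployment would use the full list (e.g. the tldextract package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1, e.g. 'a.b.userpro.io' -> 'userpro.io'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


# URLs as a PhishTank-style list would store them. Hostnames are the ones
# quoted in the thread; scheme and path are constructed.
REPORTED = [
    "http://session-97701.nationalcity.com.userpro.io/login",
    "http://session-300962.nationalcity.com.userpro.io/login",
    "http://session-5489554.nationalcity.com.userpro.tw/login",
    "http://session-2721837.nationalcity.com.directories.io/login",
]


def build_blacklists(reported):
    """Return (exact-URL set, registrable-domain set) built from the reports."""
    exact = set(reported)
    domains = {registrable_domain(host_of(u)) for u in reported}
    return exact, domains


def is_blocked_by_url(url: str, exact: set) -> bool:
    return url in exact


def is_blocked_by_domain(url: str, domains: set) -> bool:
    return registrable_domain(host_of(url)) in domains


def lookalike_of_brand(url: str, brand: str = "nationalcity.com") -> bool:
    """Flag hosts that embed a brand's domain somewhere other than the
    registrable part (the 'nationalcity.com.userpro.io' pattern)."""
    host = host_of(url)
    return brand in host and registrable_domain(host) != brand


if __name__ == "__main__":
    exact, domains = build_blacklists(REPORTED)
    # Constructed: a session URL that has not been reported yet.
    fresh = "http://session-8811203.nationalcity.com.userpro.io/login"
    print("exact-URL list blocks it:", is_blocked_by_url(fresh, exact))       # False
    print("domain list blocks it:   ", is_blocked_by_domain(fresh, domains))  # True
    print("brand-in-subdomain:      ", lookalike_of_brand(fresh))             # True
```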
Re: (Score:2)
Sitetruth's rating of Sitetruth says: "Site ownership not clearly verified, or some issues exist with the business."
You claim to be applying California law, which says that a business must clearly identify itself and give its address to customers. Yet your silly little rating tool give
Re: (Score:2)
SiteTruth rates SiteTruth itself as "Site ownership identified but not verified." (a yellow question mark), which is correct - there's a valid name and address on the web site, but no third party verification of business identity. That's a neutral rating by our standards. The red circle with a bar through it is a bad rating. To get a good rating, a green checkmark, some third party has to verify business identity. A valid BBBonline seal (and yes, we check) or an SSL cert with a name and address will do
Coming soon: metalists! (Score:5, Funny)
Known sites? (Score:1)
Re: (Score:2)
grr, wanted to say this (Score:2)
Re: (Score:2)
You can generate valid-but-fake credit card numbers using the checksum algorithm used to verify the numbers. Names and addresses can be generated from a randomish list, just like the names spammers use. Use their own tools to attack them.
Helpful article or payola scam? (Score:5, Interesting)
I'm often too skeptical for my own britches, but that's also why I do in fact pay attention to my bank's "sitekey" and why I don't use these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.
The problem is the authentication mechanism! (Score:3, Informative)
The "fix" against phishing is a better authentication method.
For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6 digit PIN sent by SMS to the user, etc.
The whole approach of attempting to eliminate phishing by filtering webpages, making fancy browser plugins or stuffing a lot of security-bloatware on the computers is essentially wrong. The only reason simple phishing attacks work is because the authentication mechanism is way too simple.
Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.
Phishing gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80s, I really don't understand why these simple methods are so largely ignored...
Re: (Score:2)
no! the best authentication method in the world can not protect against this: http://it.slashdot.org/article.pl?sid=07/05/15/22
Re: (Score:1)
We lock up people who pose a danger to themselves and others, this should be no different. Might want to cut them off from the breeding pool while we're at it too.
Re: (Score:2)
What about a Mozilla Firefox extension that provides you the ability to digitally sign HTTP requests, even those generated via AJAX calls [mozdev.org]?
Re: (Score:1)
Besides - why sign *all* the traffic when all that is really needed is to digitally sign (and encrypt) the two parties involved in the transaction?
Re: (Score:2)
Besides, the explanation to developers on mozdev isn't necessarily the one I'd give to grandma, but I hoped it wouldn't be necessary to say this.
For any technical comments about enigform, you are more than welcome to address the comments on the site, not to a random slashdotter.
Re: (Score:1)
Re: (Score:2)
Since it's still at a very early phase of development, I'd say that there's plenty of time (or none at all, if we think of the original problem) to make it work, and then make it friendly. Though it's possible that, without being somewhat friendly, it will not work -as in be useful and used- at all.
Re: (Score:2)
As long as the phishers haven't hijacked your dns settings, this method is safe. And if someone managed to either compromise your hosts file/dns servers, you have other things to worry about...
Re: (Score:1)
I wouldn't call that a "fix". I would call it a "work-around" with a heavy negative impact on usability.
Our company and our customers send tons of HTML formatted mails with anchor-tags. Almost all of them are individual links to specialized content targeted at each receiver. It would be devastating for the end-users if we were to abandon these specialized anchor-tags.
Re: (Score:2)
Re: (Score:1)
But we do link to pages connected to people's user profiles, and which require a valid logon. Like Slashdot we offer the option to use a "never ending logon" without expiration (using a cookie).
There are many benefits in such personalized links, and the banks could use them without danger if only the authentication method was secure.
Re: (Score:1)
SEB, my Swedish bank, sent me a hardtoken - a little calculator like gizmo. The bank sends you two 4 digit numbers, then you enter your 4 digit pin to log into
Re: (Score:1)
http://www.vasco.com/ [vasco.com]
It seems your bank was seriously tricked by some MS puppet company.
Re: (Score:1)
Read the comment more carefully. My bank has a hardtoken. It doesn't completely protect against MIM attacks if someone can act as a proxy between me and the bank for a while - they can wait until I make a transfer and hijack all my money. But it is OS independent.
If you want to protect against MIM attacks where the attacker acts as proxy, I think you need something much beefier. Given that you need to get the client to pass things to a USB d
Re: (Score:1)
The whole point of the multi-factor authentication is to establish a secure identification of two parties and encrypt the communication between them.
I am pretty sure the communication between you and your bank is encrypted when you have established a connection using your token.
Re: (Score:1)
Consider. I go to the website to pay a bill. Someone sits between me and the bank - they could install some malware that sets them up as a proxy. I enter 100SEK and the phone company's bank account in the MIM site. The MIM site intercepts this and puts 1000SEK and their account into the bank site. The bank then sends them the two numbers which are either random or linked to the fraudulent transaction. They send them to me. I sign them and enter them int
Re: (Score:1)
Re: (Score:1)
The bank knows the ID of the token in question, and the keys it should return. The MIM/proxy does not. If the end user establishes a secure connection to the bank, the proxy in the middle will still not be able to use the encrypted data exchanged between the two points.
The proxy can only effectively make an attack if the user accepts an unsecured connection. If not, the MIM/proxy is not in possession of the keys needed to lure information out of the encrypted traffic.
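The proxy scenario a few posts up (100SEK to the phone company rewritten as 1000SEK to the attacker) turns on one design detail: whether the numbers the token signs are tied to the transaction. The following is an added model of both designs, not code from any bank, VASCO or a commenter; the HMAC-based token, the secret, the account names and the fixed "random" challenge are constructed assumptions.

```python
# Added example (not from the thread): a relaying proxy against a hardware
# token, with the bank's challenge either unbound or bound to the transaction.
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: per-token shared secret, constructed for the demo.
TOKEN_SECRET = b"constructed-token-secret-for-demo"


def token_response(secret: bytes, challenge: str) -> str:
    """What the hand-held token shows for what the user keys into it
    (an assumed HMAC design; real tokens differ in details)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


@dataclass(frozen=True)
class Transfer:
    amount_sek: int
    to_account: str


class Bank:
    def __init__(self, token_secret: bytes):
        self.token_secret = token_secret

    def challenge_unbound(self, tx: Transfer) -> str:
        # "Two numbers" independent of the transaction (constructed constant).
        return "48213917"

    def challenge_bound(self, tx: Transfer) -> str:
        # Challenge derived from what is actually being authorised.
        return f"{tx.amount_sek}:{tx.to_account}"

    def accept(self, tx: Transfer, challenge: str, response: str) -> bool:
        # Only the bank and the token know the secret; the proxy does not.
        expected = token_response(self.token_secret, challenge)
        return hmac.compare_digest(expected, response)


def run_session(bind_to_transaction: bool, proxy_tampers: bool) -> bool:
    """Return True if the bank executes the transfer it received."""
    bank = Bank(TOKEN_SECRET)
    intended = Transfer(100, "phone-company-acct")      # what the user typed
    submitted = Transfer(1000, "attacker-acct") if proxy_tampers else intended
    make = bank.challenge_bound if bind_to_transaction else bank.challenge_unbound

    # The bank issues its challenge for the transfer it was actually sent.
    challenge_from_bank = make(submitted)

    if bind_to_transaction:
        # The token signs the details the user confirms (keyed in or shown on
        # the token's display), not whatever the web page relays.
        signed = make(intended)
    else:
        # The user keys in the relayed numbers; nothing ties them to amounts.
        signed = challenge_from_bank

    response = token_response(TOKEN_SECRET, signed)
    return bank.accept(submitted, challenge_from_bank, response)


if __name__ == "__main__":
    print("unbound, proxy tampers:", run_session(False, True))   # True: fraud goes through
    print("bound,   proxy tampers:", run_session(True, True))    # False: response mismatches
    print("bound,   honest:       ", run_session(True, False))   # True: legitimate transfer
```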
Re: (Score:1)
http://digg.com/linux_unix/SEED_How_South_Korea_s_ Encryption_Standard_is_Holding_the_Nation_Back [digg.com]
In Korea, you have a certificate issued by your bank. When you shop online, instead of typing in your credit card number and billing address/CCV as you do in the US, you give your credit card number, certificate (protected by passphrase) and usually some kind of challenge/response system like a printed security card with number
Pointless (Score:5, Insightful)
All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.
People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.
98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.
Re: (Score:2)
Re: (Score:2)
grow a brain? (Score:3, Insightful)
Re: (Score:2)
So, even when I was *expecting* something from the spoofed site, at that exact time, *and* expect
More pointless 'security solutions' (Score:2)
Phishing is really easy to prevent.
1. Don't submit information on non-encrypted pages
2. Check certificate to make sure it's for the company you want to send the information to.
Amazingly this is really simple, protects better than any 'anti-phishing' list and has been part of the default functionality of web browsers for many years.
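The two steps above, as an added example rather than code from the post: a verified TLS connection for step 1, and for step 2 a check that the certificate's subject actually names the company, which is where the earlier comment's point about "Domain Control Only Validated" certs matters (a DV cert carries no organizationName). The expected organisation and the two sample certificates are constructed; the dictionary shape is the one Python's ssl.SSLSocket.getpeercert() returns.

```python
# Added example (not from the post): check that a site's certificate is
# valid AND identifies the company you intend to send information to.
import socket
import ssl


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Step 1: never submit over plain HTTP; open a TLS connection whose chain
    and hostname are verified, and return the peer certificate as a dict."""
    ctx = ssl.create_default_context()        # verifies chain + hostname
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _subject_field(cert: dict, key: str):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s subject."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def cert_identifies_company(cert: dict, expected_org: str) -> bool:
    """Step 2: a domain-validated cert proves only control of a hostname and has
    no organizationName; require the O field to name the company you expect."""
    org = _subject_field(cert, "organizationName")
    return org is not None and org.casefold() == expected_org.casefold()


# Constructed samples in getpeercert() format.
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank N.A."),),
                (("commonName", "www.examplebank.example"),)),
    "subjectAltName": (("DNS", "www.examplebank.example"),),
}
DV_CERT = {  # a look-alike host with a cheap cert: valid, but names nobody
    "subject": ((("commonName", "examplebank-login.example"),),),
    "subjectAltName": (("DNS", "examplebank-login.example"),),
}

if __name__ == "__main__":
    print(cert_identifies_company(OV_CERT, "Example Bank N.A."))  # True
    print(cert_identifies_company(DV_CERT, "Example Bank N.A."))  # False
```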
Best anti-phishing soln. (Score:1)
The PERFECT PHISHING (Score:2, Informative)
I guess ZoneAlarm registered customers may be surprised in finding how their own original login page [zonealarm.com] works.
Even if you're not a registered user, just follow the link above and enter fake credentials.
The game becomes spicier if you have auto-completion enabled for that form...
Have fun with those antiphishing toys ;)
Original proof of concept courtesy of Elio [wilderssecurity.com], original XSS courtesy of .mario [ckers.org].
If only (Score:2)
NJ Transit [nynj.net] , PATH train [nynj.net] schedules online
Nope (Score:2)
- Banks don't send out security warnings by email with a handy link in so you can 'confirm your details'.
- Banks never ask for all of your security details even when you are logging on to their actual site - they ask for part of them only.
- And of course, you should get a teeny bit suspicious when you receive tens of 'security warnings' or similar from banks in a day, especially when you don't have an account there.
The top pri
Hijacking Firefox Via Insecure Add-Ons (Score:1)
http://it.slashdot.org/article.pl?sid=07/05/31/12
There are a number of insecure extensions to hijack Firefox. Presumably Google's code as well as other stuff.
I suggest everybody who thinks of installing such an anti-phishing toolbar should also check out the article above.
Logic, a killer feature of brain v1.0. (Score:3, Funny)
My brain features the Logic subroutine, which prevents me from falling for scams like phishing. This is a killer application; everyone should install it!
Re: (Score:2, Insightful)
Yeah. Frequent, unexpected shutdowns/crashes. Memory leaking all over the place. Some peripherals seem to be completely unaddressable, others seem to have had their drivers corrupted as they work in spasms. Half the time she's completely unresponsive, maybe some I/O call is failin
red herrings taste bad (Score:3, Insightful)
I cannot read past this bullshit red herring line.
Not a single user I know, even understands the word "phishing".
I'm sure some Firefox proponents... (Score:3, Insightful)
My favourite: SpoofStick (Score:2)
Why do you need a Firefox extension? (Score:2)
It's simple enough: NEVER, EVER respond to an e-mail purporting to be from a bank. If your bank really need to contact you, they will find a way. If there's really a problem with your account, you will have to visit a branch to sort it out anyway. You NEVER have to "confirm your details". Barring special circumstances, there are only two valid reasons for ever visiting a bank; paying in money through the HITW machine, and
how is this going to stop serious attempts (Score:2)
Use a botnet to install a certificate as a CA on the machines,
update the hosts file so that their bank's web site points to a new address.
Set up a website with the bank's correct address as set up in the hosts file with a certificate signed by the CA they've installed on the host machine, that proxies the real bank's website.
Sit and collect all the login information required with what appears to be a valid url with a valid SSH certificate (that all important padloc
SiteAdvisor (Score:2)
#0 (Score:1)
IETab as anti-phishing extension (Score:1)
News for clueless users... (Score:2)
TFA Missed One: Netcraft Toolbar (Score:2)
Comments - phishing filter quality (Score:2)
Based on the article, Google Safe Browsing should either be at the top or bottom of the list, and not obscured by having a reactive entry in a more prominent position.
As a side note, these phishing sites want as much t
Re: (Score:3, Funny)