Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Security IT

10 Anti-Phishing Firefox Extensions 129

An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
This discussion has been archived. No new comments can be posted.

10 Anti-Phishing Firefox Extensions

Comments Filter:
  • if only (Score:5, Insightful)

    by wizardforce ( 1005805 ) on Friday June 01, 2007 @12:21AM (#19348079) Journal

    For most Internet users, defending against phishing attacks is a top priority.

    unfortunately it isnt, a lot of people ignore security measures designed to protect them from phishing. case in point, banks that used images/etc to show the authenticity of the website their customers use was largely ignored, few noticed it and similar studies show few have such security as one of their concerns. these extensions might have done good if people listened to them but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place. typing in addresses instead of following links, paying attention to what comes after the tld and disabling javascript for starters.
    • by syzler ( 748241 )
      case in point, banks that used images/etc to show the authenticity of the website their customers use was largely ignored

      I never have understood how showing me a picture is supposed to prove a web site's authenticity. This seems highly susceptible to man-in-the-middle attacks since the attacker can use the information from you to retrieve the images from the bank's site to display to you.

      Showing an image seems to give a false sense of security to the end user. Would it not be better to teach people
      • Showing an image seems to give a false sense of security to the end user. Would it not be better to teach people to take SSL certs seriously and to verify the cert matches the site the user thinks they should be accessing?

        and that is why they also tested people's observational skills- researchers observed people's interaction on a set up computer that would direct people to a site that had some significant difference compared to the real site and few refused to continue doing business as usual... the bigg

      • Re: (Score:3, Insightful)

        by profplump ( 309017 )
        It is highly susceptible to a MiM attack. However, in order to pull off a MiM attack you'd have to at least start the login process for lots of different people from the same system, which aids in detection. It doesn't do anything to help the first few users, but it can help the bank shut down the attacker directly.

        Second, it completely stops passive attack like are common with eBay pishing sites -- you can't just simulate the login page, say "Bad Password" and the redirect to the real page, you have to cus
    • by ect5150 ( 700619 )

      paying attention to what comes after the tld and disabling javascript for starters.
      While this is certainly true, for the individuals who think the internet is the 'little blue e' on their desktop, they have no idea what you are talking about. I've asked individuals to alter a URL by hand and they just give me blank stares (we are talking about more than 5 people at a time). The level of education you are referring to is in my opinion far more substantial than most realize.
  • And the top #1... (Score:5, Insightful)

    by funkdancer ( 582069 ) <funky AT funkdancer DOT com> on Friday June 01, 2007 @12:21AM (#19348081)
    Is my bloody brain and eye superfilter combo. With these, I don't need any stinking slow-me-down-even-further plugins.
    • Re:And the top #1... (Score:5, Interesting)

      by Ash Vince ( 602485 ) on Friday June 01, 2007 @01:43AM (#19348451) Journal
      Here Here.

      I have never seen a phising attempt that was convincing enough that I would actually think it was a website done by a bank. I have seen some that were close, but they always fell down visually somewhere. I also have never given my bank my email address so I would be very surprised if they sent me an email.

      On another point I used to ring up my friends and put on a silly voice and see if the could figure out is was me. On one occasion my mates girlfriend answered the phone so I pretended to be from mastercard. To my suprise not only did she not realise who it was, I also managed to get her credit card number out of her. I owned up and told her who I was before she finished giving me the number but it made me realise how many people fall for this far too easily.

      Phising is nothing new, its just that now its easier to trawl looking for daft people in a more automated fashion.
      • by notnAP ( 846325 )
        Oh, I've seen a few that were plenty close, but I still also agree 100%. After all the GP mentioned the eye and brain filter. On quite a few occasions, I've checked out some phish sites, via cleaned html requests, just to check them out. In one case, I reported the offender to the local authorities and his boss because he was idiotic enough to be hosting it here in the states, on his work computer, at a university. And he was a professor. (Sure, it may have been a pwned box, but just the same...

        Yeah, I'm t

      • You obviously don't know much about this technique....tell me which bank you use, I will copy their webpage EXACTLY and have a layer sitting there keylogging your browser either MS or FF. Then in the background it will login as it it was the original page. You will get your info back as per the real page cuz it will be the real page underneath... As for your www.bankname.com, a quick find & replace in your host file, or ns cahce poisoning of your router/modem(new ones only depending on the company us
        • I bank with HSBC. I also only visit my bank website from (Gentoo) Linux using firefox via the bookmark I set sometime ago.

          To get at my hosts file you need me to run your dodgy code as root. Since I am a fairly paranoid individual this is unlikely to happen. I have not used a web browser from the root account ever. The only thing I use my root account for is mounting disk images from the command line and using portage.

          My router does not cache DNS requests as far as I am aware.

          This discounts both of your atac
        • I never click a link in an email to do something that relates to logins. I don't care how authentic something looks, if _one_ link exists, I usually hit "report phishing attempt" in gmail (to assist other users) after spending the tiniest amount of time to classify it as a scam. The only thing I'd ever respond to is one that says "please locate us via your bookmarks" .... in which case I'll punch in the URL from memory and see what they want.

          As for DNS, I thought the topic was the typical phishing website a
  • Clicking (Score:5, Insightful)

    by biocute ( 936687 ) on Friday June 01, 2007 @12:21AM (#19348083)
    How much phishing can be prevented if people stop clicking on hyperlinks, and use copy-and-paste instead?
    • by Perseid ( 660451 )
      Nah. Most phishing attempts would show up in the status bar if you're looking for it. I think most people who would fall for simple phishing schemes wouldn't know the difference between dumbass.com and dumb.az.
    • Re: (Score:2, Insightful)

      by zygwin ( 1091281 )
      You can actually drag the link to the address bar in Firefox.It's a real time saver.
      • ... or a blank spot on the tab panel for a new tab, or a tab itself to open in that tab... handy... but I like the feature of Galeon that lets you paste a link into the window with the middle button, can't figure out how to make firefox do this.
    • For that matter, how about not clicking OR copy-and-pasting?

      I mean, think about it. If it's your bank, you already know it's URL anyway, you probably even have it bookmarked. Why on Earth would anyone need to follow a link from some dodgy email to go log in to their bank? No, bloody seriously.

      Let's try to think like the most clueless user for a moment, and actually believe that my bank wants me to log in to verify I still exist. Well, ok. I already have a bookmark to the bank, I'll go log in there.

      Ah, but m
      • You are thinking about it (which of course is a good thing).

        Many users do not think about it - at least the ones that fall for the scams are more likely thinking like this:

        "Oh, my bank needs to verify my identity. Oh, convenient, there's a link here, then in one go I can open the Internet and go there.".

        That of course is much easier than opening the browser, digging through your bookmarks (and plenty of users don't keep bookmarks - my wife for example always types in yahoo.com and hotmail.com to check he

      • by FST777 ( 913657 )
        You have to realize that while a majority of people have an IQ of 100 and up, some don't. And some of those do use the internet.

        The point is that there are people out there who are just to stupid to think about phishing. The problem is getting them to install an anti-phishing tool. In some case one can do that for them, which might be helpfull. There is where such a thing is needed.
    • by suv4x4 ( 956391 )
      How much phishing can be prevented if people stop clicking on hyperlinks, and use copy-and-paste instead?

      Approximately 3.10832701%. If people cared to see what they copy, they'd also care to look at the address bar of what they clicked. But they don't.

      Another question, since this seems to be the trend: How much phishing can be prevented if we forbid both links and copy/paste, and remove any ability to type a string and get a site. Instead the bank will give their clients little floppies with hardcoded short
  • priorities (Score:2, Insightful)

    "For most Internet users, defending against phishing attacks is a top priority."

    No, I disagree, I don't think it is a top priority for most users. Try pr0n.

    Seriously though, it should be on the list... but let's be realistic.
  • Firefox 2 (Score:4, Informative)

    by SteveAyre ( 209812 ) on Friday June 01, 2007 @12:25AM (#19348101)
    Or just upgrade to Firefox 2, which has the feature built in. [mozilla.com]
    • Just for continuity, so does Firefox 3.
    • Yes, and it protects you from spyware which would send all the URLs you visit to a "don't do no evil" company, too, right?

      I know this can be disabled, but how many people even know how to change the defaults?
    • by Sigma 7 ( 266129 )

      Or just upgrade to Firefox 2, which has the feature built in.
      What's the threshold? I've submitted reports of phishing sites, but haven't really seen any changes in reaction within Firefox.

      In particular, I've been looking at "online pharmacy" sites that are obviously fake (e.g. have you submit credit card information over http rather than https) - which is a common trend for 99% of these fake pharmacy sites that I've been to.

  • Just a summary... (Score:2, Informative)

    by dclozier ( 1002772 )
    I was hoping for a review of the extensions but only found a summary of what was available. More of the same information can be found by searching [mozilla.org] for 'phishing' extensions.
  • Eh? (Score:3, Insightful)

    by Mystery00 ( 1100379 ) on Friday June 01, 2007 @12:42AM (#19348179)
    "For most Internet users, defending against phishing attacks is a top priority."

    I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser for the very first time.

    ...

    Followed by another splash screen that says "If you ignored the previous information, you are now entering with the risk of doing something extremely stupid, would you like to bring up the Welcome screen again? [Yes] [Yes]"

    • Re: (Score:2, Insightful)

      by Hucko ( 998827 )

      I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser every time.
      There, fixed it for you.
  • by unassimilatible ( 225662 ) on Friday June 01, 2007 @12:46AM (#19348195) Journal
    Easy way to defeat the phishers, OpenDNS [opendns.com]. Or you could actually look at the status bar to see what site you are clicking on...
    • Why is OpenDNS smarter?

      We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org.

      When you try to go to a website that won't load, instead of a browser error we show you OpenDNS Guide and help you get to where you want to go.


      How about not breaking shit and returning a notfound?
      • by Ilgaz ( 86384 ) *

        Why is OpenDNS smarter?

        We fix typos in the URLs you enter whenever we can. For example, if you're using OpenDNS craigslist.og will lead directly to craigslist.org.

        When you try to go to a website that won't load, instead of a browser error we show you OpenDNS Guide and help you get to where you want to go.


        How about not breaking shit and returning a notfound?

        The semi spyware/pyramid scheme/web 2.0 abuser/search engine abuser toolbar you advertise via referral on your signature could be a good starting point not to "break the shit".

    • by Ilgaz ( 86384 ) *
      I use Opendns and I help Phishtank but OpenDNS itself is only a DNS service which only interests in hostname part, not the page. Using OpenDNS may help against complete evil hosts who serves nothing but phishing but you still need phishtank extension/support for page / url based phishes.

      I think that is main reason why phishtank was started by openDNS.

      As phishtank verifier I think the good old days of checking status bar, viewing browser address bar are soon over if not already. I have even seen couple of cr
  • having read the article it seems that the problem is more about people believing bs emails etc. and about keeping a list of anti phishing sites to stop it. seems like an issue for setting up friends/family machines who are not tech savvy than an issue for most /. readers who i assume are the few who actually lookout for this kind of thing
  • by Animats ( 122034 ) on Friday June 01, 2007 @01:06AM (#19348265) Homepage

    Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.

    PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank [phishtank.com] include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.

    It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.

    The hard line approach is to implement something that prevents putting in credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.

    We (SiteTruth [sitetruth.com]), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.

    "On the Internet, no one knows if you're a dog" just isn't good enough any more.

    • by diqmay ( 773248 )
      pssssst!

      you're using Yahoo as a host but they aren't a verifiable website? Methinks you shouldn't be doing business with them.
    • It seems the blacklist would work perfectly if nationalcity.com.userpro.io, or just userpro.io was blocked. The startling thing about those numbers is the huge gaps, though I doubt they are sequential, it seems the reports are few and far between. The best reason to avoid blacklists is the fact they are always behind the times, no matter how often you update them. Your hardline approach seems valid, if there was a 'secure transaction' setting client side that disabled scripting then validated certificates a
      • Re: (Score:3, Interesting)

        by Animats ( 122034 )

        It seems the blacklist would work perfectly if nationalcity.com.userpro.io, or just userpro.io was blocked.

        Notice that they're using "userpro.tw" and "directories.io" as well. And "prouserbase.tw", "udll.tw", "usersetup.io", "kloot.hk", and more. That phish operation has a domain farm with hundreds of domains known, and probably many more that haven't been reported yet.

        CastleCops identifies this as a botnet. [castlecops.com] One that buys domains with stolen credit card numbers.

    • by radtea ( 464814 )
      We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers.

      Sitetruth's rating of Sitetruth says: "Site ownership not clearly verified, or some issues exist with the business."

      You claim to be applying California law, which says that a business must clearly identify itself and give its address to customers. Yet your silly little rating tool give
      • by Animats ( 122034 )

        SiteTruth rates SiteTruth itself as "Site ownership identified but not verified." (a yellow question mark), which is correct - there's a valid name and address on the web site, but no third party verification of business identity. That's a neutral rating by our standards. The red circle with a bar through it is a bad rating. To get a good rating, a green checkmark, some third party has to verify business identity. A valid BBBonline seal (and yes, we check) or an SSL cert with a name and address will do

  • by aerthling ( 796790 ) on Friday June 01, 2007 @01:16AM (#19348293)
    I can't wait for the top 10 'Top 10 Firefox Extension' list.
  • If you know which sites are 'bad', simply add them to the hosts file and loop them to the home address. No need for a plugin.
    • Yep, works greatly against IP numbers: http://123.45.67.89/ [123.45.67.89] Where your.bank.com is your homebank, 123.45.67.89 is the phishing site.
    • Better still, bearing in mind that the best defence is a good offence, you should submit your details to the site (or *some* plausible details). With a script. Hundreds and hundreds of times, different every time.

      You can generate valid-but-fake credit card numbers using the checksum algorithm used to verify the numbers. Names and addresses can be generated from a randomish list, just like the names spammers use. Use their own tools to attack them.
  • by macraig ( 621737 ) <mark.a.craig@gmail . c om> on Friday June 01, 2007 @01:24AM (#19348343)
    Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?

    I'm often too skeptical for my own britches, but that also why I do in fact pay attention to my bank's "sitekey" and why I don't these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.
  • by SplatMan_DK ( 1035528 ) on Friday June 01, 2007 @01:28AM (#19348381) Homepage Journal
    Most modern phising is done very professionally, and the pages totally mimic the real thing. I recently received a phising e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.

    The "fix" against phising is a better authentication method.

    For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6 digit PIN sent by SMS to the user, etc.

    The whole approach attempting to eliminate phising by filtering webpages, making fancy browser plugings or stuff a lot of security-bloatware on the computers is essentially wrong. The only reason simple phising attacks work is because the authentication mechanism is way too simple.

    Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.

    Phising gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80's, I really don't understand why these simple methods are so largely ignored...
    • The "fix" against phising is a better authentication method.

      no! the best authentication method in the world can not protect against this: http://it.slashdot.org/article.pl?sid=07/05/15/221 6235 [slashdot.org]
      • People who click on links like that should have their computers immediately taken away from them. If you drive irresponsibly then they take your license. If you're stupid enough to click on links like that then it should be the same punishment. Take the internet away from these people.

        We lock up people who pose a danger to themselves and others, this should be no different. Might want to cut them off from the breeding pool while we're at it too.
      • I am pretty sure that neither my mom, aunt, or even my boss would ever install a plugin where the terms "HTTP", "AJAX", or other techno-babble words were involved.

        Besides - why sign *all* the traffic when all that is really needed is to digitally sign (and encrypt) the two parties involved in the transaction?
        • by moranar ( 632206 )
          Hey, you were the one to say "The "fix" against phising is a better authentication method." I didn't say it'd be ipso facto apt for mom and pop.

          Besides, the explanation to developers on mozdev isn't necessarily the one I'd give to grandma, but I hoped it wouldn't be necessary to say this.

          For any technical comments about enigform, you are more than welcome to address the comments on the site, not to a random slashdotter.
          • Calm down. Take another cup of coffee. I ment no disrespect. I simply observed that the proposed solution was of a rather technical nature... and that "common people" would not be able to use it by themselves. :-)
            • by moranar ( 632206 )

              Since it's still at a very early phase of development, I'd say that there's plenty of time (or none at all, if we think of the original problem) to make it work, and then make it friendly. Though it's possible that, without being somewhat friendly, it will not work -as in be useful and used- at all.

    • by J0nne ( 924579 )
      No, the 'fix' has been available in browsers since 1993, and it's called 'bookmarks'. Don't be so stupid to follow links to your bank/paypal/ebay from some random e-mail/website, just use the bookmark in your browser to go to the website instead.

      As long as the phishers haven't hijacked your dns settings, this method is safe. And if someone managed to either compromise your hosts file/dns servers, you have other things to worry about...
      • Are you seriously suggesting we totally abandon the use of anchor-tags in HTML mails?

        I would't call that a "fix". I would call it a "work-around" with a heavy negative inpact on usability.

        Our company and our customers send tons of HTML formatted mails with anchor-tags. Allmost all of them are individual links to specialized content targeted each reciever. It would be devestating for the end-users if we were to abandon these specialized anchor-tags.
        • by J0nne ( 924579 )
          No, I'm suggesting that people use bookmarks to go to their bank's website instead of following links in e-mails, not to get rid of anchors altogether. Or do you send e-mails with links to banks to other people at work?
          • We do not link to peoples banks :-)

            But we do link to pages connected to peoples userprofiles, and which require a valid logon. Like Slashdot we offer the option to use a "never ending logon" without expiration (using a cookie).

            There are many benefits in such personalized links, and the banks could use them without danger if only the authentication method was secure.
    • For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6 digit PIN sent by SMS to the user, etc

      SEB, my Swedish bank, sent me a hardtoken - a little calculator like gizmo. The bank sends you two 4 digit numbers, then you enter your 4 digit pin to log into
      • by Ilgaz ( 86384 ) *
        The device I use in Istanbul is calculator like independent/dedicated device which they also offer a J2ME phone software lately.
        http://www.vasco.com/ [vasco.com]

        It seems your bank was seriously tricked by some MS puppet company.
        • It seems your bank was seriously tricked by some MS puppet company.

          Read the comment more carefully. My bank has a hardtoken. It doesn't completely protect against MIM attacks if someone can act as a proxy between me and the bank for a while - they can wait until I make a transfer and hijack all my money. But it is OS independent.

          If you want to protect against MIM attacks where the attacker acts as proxy, I think you need something much beefier. Given that you need to get the client to pass things to a USB d
      • Why would it not protect against a MIM attack?

        The whole point of the multi-factor authentication is to establish a secure identification of two parties and encrypt the communication between them.

        I am pretty sure the communication between you and your bank is encrypted when you have established a connection using your token.
        • The SEB system can't protect against an MIM attack.

          Consider. I go to the website to pay a bill. Someone sits between me and the bank - they could install some malware that sets them up as a proxy. I enter 100SEK and the phone company's bank account in the the MIM site. The MIM site intercepts this and puts 1000SEK and their account into the bank site. The bank then sends them the two numbers which are either random or linked to the fraudulent transaction. They send them to me. I sign them and enter them int
        • by maxume ( 22995 )
          The token based systems don't help you know you are talking directly to your bank. They help the bank know that you are actually involved with the transaction, but a man in the middle attack can still present you with a fake site and use your input to fiddle with your account on the actual site. Multiple factors over the same channel don't do much to prevent a sophisticated enough proxy.
          • I disagree.

            The bank knows the ID of the token in question, and the keys it should return. The MIM/proxy does not. If the end user establishes a secure connection to the bank, the proxy in the middle will still not be able to use the encrypted data exchanged between the two points.

            The proxy can only effectively make an attack if the user accepts an unsecured connection. If not, the MIM/proxy is not in possession of the keys needed to lure information out of the encrypted traffic.
      • Actually I found that someone has actually done a Windows only trusted client for banking

        http://digg.com/linux_unix/SEED_How_South_Korea_s_ Encryption_Standard_is_Holding_the_Nation_Back [digg.com]
        In Korea, you have certificate issued by your bank. When you shop online, instead of typing in your credit card number and billing address/CCV as you do in the US, you give you credit card number, certificate (protected by passphrase) and usually some kind of challence/response system like a printed security card with number
  • Pointless (Score:5, Insightful)

    by quokkapox ( 847798 ) <quokkapox@gmail.com> on Friday June 01, 2007 @01:34AM (#19348401)

    All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.

    People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.

    98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.

    • Yes. It keeps occurring to me that perhaps the net SHOULD be represented as a dangerous, confusing place, because that way people might actually be cautious. Your bank account, credit card, passwords, and PC can be effectively stolen. Sorry Hollywood, you were right! (The Net)
    • by catbutt ( 469582 )
      Or better yet, we should use eugenics to make future generations smarter. Seems more likely to be effective than your plan to just teach everyone to be less dumb.
  • grow a brain? (Score:3, Insightful)

    by SQLz ( 564901 ) on Friday June 01, 2007 @01:53AM (#19348499) Homepage Journal
    I don't know, phishing attempts seem pretty damn obvious to me.
    • Trite, but true. I recently had about a worst-case phishing attack. I bought something through PayPal, and then I got two emails "from Paypal" at almost exactly the same time. I even labled both emails as being related to the thing I was buying. But then when I looked at the link it was giving, the status bar indicated it was a different site from Paypal. And that's a pretty easy, completely accurate check.

      So, even when I was *expecting* something from the spoofed site, at that exact time, *and* expect
  • This is the same style of 'security solution' as Anti-Virus software.

    Phishing is really easy to prevent.
    1. Don't submit information on non-encrypted pages
    2. Check certificate to make sure it's for the company you want to send the information to.

    Amazingly this is really simple, protects better than any 'anti-phishing' list and has been part of the default functionality of web browsers for many years.
  • OpenDns + Netcraft + Common sense
  • I guess ZoneAlarm registered customers may be surprised in finding how their own original login page [zonealarm.com] works.

    Even if you're not a registered user, just follow the link above and enter fake credentials.

    The game becomes spicier if you have auto-completion enabled for that form...

    Have fun with those antiphishing toys ;)

    Original proof of concept courtesy of Elio [wilderssecurity.com], original XSS courtesy of .mario [ckers.org].

  • If only there were an extension to block real phishing on the web [amyleblanc.com]
    ...
    NJ Transit [nynj.net] , PATH train [nynj.net] schedules online
  • Phishing and other scams are easy to avoid if one simply use the brain to think with:

    - Banks don't send out security warnings by email with a handy link in so you can 'confirm your details'.
    - Banks never ask for all of your security details even when you are logging on to their actual site - they ask for part of them only.
    - And of course, you should get a teeny bit suspicious when you receive tens of 'security warnings' or similar from banks in a day, especially when you don't have account there.

    The top pri
  • As reported earlier on /. :
    http://it.slashdot.org/article.pl?sid=07/05/31/122 6222 [slashdot.org]

    There is a number of unsecure extensions to hijack FireFox. Presumably Googles code as well as other stuff.

    I suggest everybody who thinks of installing such a anti-phishing toolbar should also check out the article above.
  • by greenlead ( 841089 ) on Friday June 01, 2007 @03:52AM (#19349061) Journal

    My brain features the Logic subroutine, which prevents me from falling for scams like phishing. This is a killer application; everyone should install it!

    • Re: (Score:2, Insightful)

      by zolaar ( 764683 )
      When I opened up my Grandma's brain to install the update ( ::cough,cough:: whoa, dusty!!! ), everything seemed to go alright... at first... things just started going downhill not too long after I got the thumbscrews back in...

      Yeah. Frequent, unexpected shutdowns/crashes. Memory leaking all over the place. Some peripherals seem to be completely unaddressable, others seem to have had their drivers corrupted as they work in spasms. Half the time she's completely unresponsive, maybe some I/O call is failin
  • by SlashDread ( 38969 ) on Friday June 01, 2007 @04:28AM (#19349239)
    "For most Internet users, defending against phishing attacks is a top priority."

    I cannnot read past this bullshit red herring line.

    Not a single user I know, even understands the word "phishing".
  • by Kjella ( 173770 ) on Friday June 01, 2007 @04:38AM (#19349281) Homepage
    ...will come up with a way that having ten different anti-phishing extensions is a good thing. Phishing attacks rely on the uneducated and careless users, which need protection from themselves. If you're qualified to go through these ten extensions and pick the one(s) which are useful, you almost certainly don't need one. So yeah, I guess somewhat interesting for those that manage other people's computers, but it won't do much good for the average Firefox-at-home user. They'll be much better off if the built-in, default phishing protection is improved.
  • aye, I be usin' my SpoofStick aaall the time when I'm online. Never whipped it out for no fishin' website, though. Weirdos.
  • Why the hell do you need a Firefox extension to protect yourself from Phishing?

    It's simple enough: NEVER, EVER respond to an e-mail purporting to be from a bank. If your bank really need to contact you, they will find a way. If there's really a problem with your account, you will have to visit a branch to sort it out anyway. You NEVER have to "confirm your details". Barring special circumstances, there are only two valid reasons for ever visiting a bank; paying in money through the HITW machine, and
  • Any serious fisher will:

    Use a botnet to install a certificate as a ca on the machines,
    update the hosts file so that their banks web site points to a new address.
    Setup a website with the banks correct address as setup in the host file with a certificate signed by the CA they've installed on the host machine, that proxy's the real banks website.
    Sit and collect all the login information required with what appears to be a valid url with a valid SSH certificate (that all important padloc
  • They left out McAfee SiteAdvisor [siteadvisor.com]. I'm surprised, b/c SiteAdvisor doesn't just detect phishing sites, but also sites that spam or provide spyware downloads.
  • by grev ( 974855 )
    http://noscript.net/ [noscript.net]
  • My bank uses ActiveX on its website, and so I use the IE engine when using my bank online. In IETab I have a web page filter like this: "https://online.mybank.net/*", which will activate the IE engine. So if I am lead to a web page, say https://online.mybamk.net/ [mybamk.net], Firefox will still use the FF engine without ActiveX support and not the IE engine, and then phishing web sites trying to mimic my bank can't use ActiveX against me, when I have this setup.
  • ... Stuff that matters to the companies selling their products to said users and astroturfing this site.
  • The article missed an important anti-phishing Firefox extension: The Netcraft toolbar [netcraft.com] which is free and has been a top performer in third-party comparisons [netcraft.com] of toolbar effectiveness.
  • Most of "top 10" list appears to be composed of reactive solutions, which rely on user reports. A proactive one automatically detects if a user is entering what appears to be a credit card or debit card number over an http or unsigned https connection - a common trait for most phishing sites.

    Based on the article, Google Safe Browsing should either be at the top or bottom of the list, and not obscured by having a reactive entry in a more prominant position.

    As a side note, these phishing sites want as much t

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...