Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security The Internet

A Better Anti-Phishing Toolbar? 33

Posted by Cliff from the browsing-where-you-are-supposed-to-be dept.
Saqib Ali asks: "There have been recent discussions on Security Focus mailing lists about several Anti Phishing Toolbars available for Firefox. Do Slashdot readers have any recommendations on which Anti Phishing toolbar to use, or on how to improve upon the existing ones?"
This discussion has been archived. No new comments can be posted.

A Better Anti-Phishing Toolbar? More

A Better Anti-Phishing Toolbar?

Comments Filter:

  • Obligatory (Score:1, Interesting)

    by lbmouse ( 473316 )
    Netcraft confirms it.

    Seriously, it is a pretty good bar. I just wish its appearance/position was a little more customizable.
    • Although the Netcraft toolbar does the job, it slowed my browsing experience so much as to be unusable. Sometimes it made me wait for a minute before giving the green (or red) signal. Or sometimes there simply was no reply at all from their servers. I found that I'm smart enough to decide on my own if a Phishing attempt is being made, so far with a 100% score. And my brain works a whole lot faster than the Netcraft servers.

      Don't know about others.

  • how about... (Score:1, Informative)

    by Anonymous Coward
    using your brain! watch out for strange urls, bad grammar, missing/bad certificates, etc...
    • Many times it is not necessary that looking at URLs could give you an idea. Sometimes, websites use URL redirection parameters while authenticating clients eg: www.goodsite.com/login?urlredir=http%3A%2F%2Fwww% 2 Esomeothersite%2Ecom%2F An attacker could exploit this kind of a website authentication mechanism to send someone an obfuscated URL in the urlredir parameter that would redirect the user to a site which looks exactly like www.goodsite.com and says "invalid credentials" ... it's very difficult for use

  • Never tried them. (Score:5, Informative)

    by Threni ( 635302 ) on Tuesday December 27, 2005 @03:17PM (#14346631)
    > Do Slashdot readers have any recommendations on which Anti Phishing toolbar to
    > use, or on how to improve upon the existing ones?"

    If you're smart enough to install this kind of solution then you're not going to fall for the phishing attempts in the first place. Email from paypal/ebay/your bank that doesn't start with your name? Delete it. Get a plausible looking email asking you to click on a link and log in? Type the URL manually anyway (I use a local homepage which just contains a bunch of links to those accounts, Slashdot etc). Have an account somewhere that doesn't address you by your full name in emails? Close the account and use another bank.

    By the same token, this stuff is obvious to everyone reading Slashdot. Right?

    • Better yet, don't bank or do scetchy money transactions over the Internet. Few people actually have to.
      • > Better yet, don't bank or do scetchy money transactions over the Internet. Few
        > people actually have to.

        I use Cahoot's online bank in the UK (5+% savings account, ~4% current account) - seems safe to me. Should I be scared? Why? Where's the risk? Not phishing, so is SSL insecure?

        • I like to drink coffee. Sometimes I wonder about the relationship between coffee and high blood pressure. Is there one? Have studies been done? Can I get a cup of drip?
          • I could go without coffee I guess, but that concept is about as interesting to me as going without online transactions due to an ill-informed assessment of the risks.
    • I find GMail catches 100% of all phishing attempts directed at me, resulting in it sterilizing all the links, and moving them to the Spam bucket. Even if it is "unsure" about an email, it will put a huge warning at the top and semi-sterilize the links.

      It doesn't catch 100% of my spam, but it does well over 99% I would say. And none of the ones that get through are anything resembling phishing.

      • > Or use GMail

        I do both (using HTTPS to access gmail, not the lame http it offers you - you have to edit that yourself - or use a plugin).
      • A friend of mine got on GMail's shitlist somehow last year, even though she was emailing me from a GMail account herself- which she had gotten from my invite. Every single email from her had the big yellow box warning: "This email may not be from whom it claims to be." Which struck me as funny, since it was essentially tagging email being sent from one GMail account to another. I think she complained to Google and after a few days it went away.
    • really simple solution that I tell my non-technically inclined relatives. Check the link. Move the mouse over the link and see what it says in the status bar. If it says the internet address is something with a bunch of numbers after the http:/// [http] then it's not a legitamite site.

      There are going to be a VERY small number of sites that this isn't true, but these kinds of sites are unlikely to be anything that most people are going to be ever needing to use.

      • Most phishing emails I've seen do something along the lines of <a href="http://123.123.123.123/" onmouseover="window.status='http://paypal.com'">, so that's not a reliable solution if your email client has JavaScript enabled.
        • I guess the other half of it then it to turn off javascript in the email client, like Thunnderbird does by default
        • I agree - if you're smart enough to look for the signs, you don't need the bar.

          I humor these idiots once in awhile, if I'm sitting at the computer and watch a message come in (and I'm really bored). I'll hit their site, give false info and submit it.

          One of the funniest things I've seen is one site that used an java popup image to put it over the default location of the IE toolbar. So when I cliked the link, part of my Firefox tabs where covered up (I'm in webdev, so I can't disable javascript). Laughed my b

    • Re:Never tried them. (Score:3, Interesting)

      by XO ( 250276 )
      yeah, exactly how does an "Anti Phishing" toolbar work? Only thing I can think of is a built-in blacklist. Just use Opera, and it will flat out tell you if the site you are looking at is the site that it claims to be.
    • Email from paypal/ebay/your bank that doesn't start with your name? Delete it. Get a plausible looking email asking you to click on a link and log in? Type the URL manually anyway (I use a local homepage which just contains a bunch of links to those accounts, Slashdot etc)

      Or, if possible, use the phone. If you get an unexpected e-mail from your financial institution, call them. Don't use any link or phone # in the e-mail. You should have a couple of customer service numbers with you for any bank or credi
    • Everyone reading Slashdot? Maybe. But for those of us who try to protect our family and friends, these tools can be invaluable. I also like to teach people how to use the no-script [mozilla.org] extension.
  • IE7 has anti phishing features installed in it already..
    • IE7 ist not available to the broad public. Why do some people point to a not-yet released product?
    • IE7 is a bitch to install on non-english systems (it involves switching files while you're installing it, and within the time the setup progress bar is running), it's beta software (MS beta, not open source it's-stable-but-we're-afraid-of-releasing-a-final - beta).

      Besides, I don't think a lot of people feel comfortable to send every url they visit to a company that just bought the backend technology from Claria/Gator (or any company, for that matter), but that's something most phishing toolbars do, if I unde

  • Phishing? whazzat? (Score:4, Interesting)

    by redelm ( 54142 ) on Tuesday December 27, 2005 @03:52PM (#14346957) Homepage
    My email reader does not render HTML. When I encounter pure HTML email, I just delete it. Or bounce it back to spoof@... as eBay and PayPal have requested.

    In the unusual case (once per week) that I actually _want_ to look at a website mentioned in email, I cut'n'paste.

    HTML email is abomination. Autoload images is evil.

  • Google solution. (Score:3, Informative)

    by ScaryFroMan ( 901163 ) <scaryfroman&hotmail,com> on Tuesday December 27, 2005 @07:16PM (#14348519)
    "Google Safe Browsing" [google.com] seems to work pretty well.
    • Yeah right, very nice and you are transmitting every page URL you visit too Google for a checkup. Same goes with the Google Toolbar (page rank check). If you can live with this, go for it!
    • Why can only Americans download it? Are they more likely to fall for phishing scams than the rest of the world?
      I got to admit that I didnt look around that much there so I havent found an answer yet.
  • Put a sticker above the screen on every monitor that reads:

    "No one will ever ask for personal information via email. If anyone does, do not give it."
    • "No one will ever ask for personal information via email. If anyone does, do not give it."

      Written by someone who has never worked in a large corporation or bureaucracy.

      • Re:Sticker (Score:2, Insightful)

        by MrNougat ( 927651 )
        I've worked for a company with 1000 employees in 72 locations in the US. Financial services company. If that's not bureaucratic, I don't know what is.

        I think, generally speaking, much time is spent trying to prevent social engineering attacks with technological methods. Phishing is not an attack against a technological resource; it's an attack against a person using technology. The weakness being exploited is in the person, not in the computer system. Trying to protect a computer system from phishing i
        • You make some good points. My experience has been that corporations love email and prefer it to physical paper. These days you can apply for, or renew, a security clearance via email. They email you a program, an electronic form, and you fill it out and email the data file back to them. How are you going to convince them?
          • Okay so how about modifying my sticker to read:

            No one will ever ask for personal information via email unless you have solicited the request yourself. If anyone asks unsolicited, do not give it.

            I know, I know. This means we're going to have to make another sticker with the definitions of "solicited" and "unsolicited" on it. And with LCD monitors all the rage, there's hardly room around the edge of the screen for two stickers and a Post-It with your username and password.

            I agree that email is a great form
  • If you are dumb enough to help Person X from country X based on an e-mail.... send me your money, and tell me before I hire you. If you get sucked into something about your bank/credit card via the internet, too bad for not asking a stooge at the institution. If people can't follow these simple steps:
    1. If you don't know them you don't owe them. HIT DELETE
    2. Your financial Institutes will never ask you via e-mail for any info. Call the institution and tell them what you have received.
    3. If in doubt,
  • None other than Tim Taylor!

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close