Tag: anti-phishing

The phishing complexity dichotomy

The complexity of phishing exploits is growing, with targeted attempts and corporate email inboxes with bullseyes painted on them.

Of course, if you are a small to medium sized business that relies on your website for bringing in business, you might have something entirely different to worry about – something as simple as Internet Explorer 7 (combined, of course, with Microsoft’s certificate-based anti-phishing initiative).

So, big corporations get legitimacy for their own sites, while their inboxes get pummeled. Meanwhile, little guys are left out in the cold because they can’t get certificates, and the phishers won’t have any need to target them because their business will be sucking wind as a result of the IE 7 “red light.”

Nice.

UPDATE: Techdirt says it might come down to simply not wanting to pay ol’ Microsoft for the right to “be green.” I wonder how Firefox might react to this.

UPDATE 2: Who cares about certificates anyway – they often aren’t worth the website they’re printed on.

UPDATE 3: Is this someone’s idea of revenge?

Urban warfare in hunt for phishers

Charles Bronson would be proud – a vigilante group is hunting and shutting down phishing sites.

The Phishing Incident Reporting and Termination (PIRT) group has dedicated itself to this task – and it seems they are engaged in cooperative efforts (unlike some).

If nothing else, a whole bunch of eBayers should be a little happier.

MS phishing blacklist makes me wonder

As part of its anti-phishing romp (deemed suitable only for US customers, of course), Microsoft is going to be blacklisting websites deemed shady. Which brings up an interesting question – how is such a nice gesture going to be implemented?

If Microsoft stores all these sites themselves, then you have to call on Microsoft every time you surf. Which means Microsoft gets a nice little picture of all your browsing habits, whether you go to check your VISA bill or arbitrarily hit “www.IAMGOINGTOSTEALALLYOURMONEY.com.” If the boys in Redmond pass the blacklist on to you, refreshing every time a new scam site pops up on the list (which is about once every tenth of a millisecond), then you are going to need a bigger hard drive.

Microsoft’s choice – anti-phish, or just plain prejudice

Microsoft released their latest anti-phishing toolbar, but decided the trial would only be for the US. Now, even some prominent, smart folks are calling them to task.

Isn’t a beta supposed to be tested with a subset of potential users, so kinks can be worked out before release to the masses? Would it make more sense for Microsoft to release versions of the anti-phishing tool in every language under the sun, and struggle with multitudes of reworks? Maybe they should release a version of the software for every version of IE they ever created, since someone out there must be using Internet Explorer on a Win 95 machine someplace, somewhere?

But, since I don’t use IE and don’t use Windows, maybe I should just shut the hell up, eh?

Password hashing to stop the phish

A couple of faculty members from Stanford University have developed a new tool in the war against phishing that could become very sticky. Instead of sending passwords input into web pages across the net in plain sight, John Mitchell and Dan Boneh have developed a hashing methodology which scrambles the passwords in line with the valid website address for which it is intended.

The process has purportedly been implemented on several popular web browsers, although I don’t know which. And while the program, entitled simply PwdHash, requires the user to re-enter passwords for all their valid site accounts and use some special characters ahead of the password each time they enter it thereafter, this seems like a pretty straightforward approach to protecting everyday folk.
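
The idea of tying the submitted password to the site's address, sketched as an added example (this is not the PwdHash code and not from the original post). It assumes HMAC-SHA256 keyed with the typed password over the page's host name; the `@@` marker, the `.test` host names and the 16-character output are illustrative choices.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"  # assumed marker; the post only says "some special characters"

# Constructed sample pages: the real login page and a look-alike host.
LEGIT = "https://www.example-bank.test/login"
LOOKALIKE = "https://www.examp1e-bank.test/login"


def site_key(page_url: str) -> str:
    """Host name of the page the password is being typed into."""
    host = urlsplit(page_url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {page_url!r}")
    return host.rstrip(".")


def site_password(typed: str, page_url: str, length: int = 16) -> str:
    """Return the value that would be submitted to the page."""
    if not typed.startswith(PREFIX):
        return typed  # not marked for hashing: sent as typed
    master = typed[len(PREFIX):].encode()
    # Key = what the user knows, message = where it is being sent.
    mac = hmac.new(master, site_key(page_url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


if __name__ == "__main__":
    typed = PREFIX + "correct horse"
    for url in (LEGIT, LOOKALIKE):
        print(f"{site_key(url):28} -> {site_password(typed, url)}")
```

The look-alike page receives a value derived for its own host name, which is not the one registered at the real site. A weak master password can still be guessed offline from a captured value, so the scheme does not replace choosing a strong one.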

Gmail gets some anti-phishing measures

Google recently introduced phishing countermeasures into their Gmail product. We do know that there will be alerts sent out warning Gmail users of suspected internet scams, and that there is now a button to report spam. What Google is using technology-wise to thwart phishing we may never know, as Google loves chalking everything up to “proprietary”.

You can catch more here, although I don’t know why the ISSJ News Desk chose the .NET Developer’s Journal for this piece of news.