programming and human factors
by Jeff Atwood
Most of the hacking techniques described in the 1994 book Secrets of a Super-Hacker are now laughably out of date. But not all of them. A few are not only still effective, but far more effective in the current era of ubiquitous internet access. As the author notes early in the book, some attacks are timeless:
Hacking may seem harder than before, but it really isn't. The culture may have become more aware of security, but the individual user still lives in a world of benign indifference, vanity, user-friendliness, and friendly-userness. Users who are in-the-know will always want to help the less fortunate ones who are not. Those who aren't will seek the advice of the gurus. And so social engineering and reverse social engineering live on, as you shall discover in these pages.Ease of use will always rule. The "dumb" password will be a good guess for a long time to come. People just don't choose "6Fk%810(@vbM-34trwX51" for their passwords.
Add to this milieu the immense number of computer systems operating today, and the staggering multitudes of inept users who run them. In the past, computers were used by the techno-literate few. Now they are bought, installed, used, managed, and even programmed by folks who have a hard time getting their bread to toast light brown. I'm not denigrating them -- I applaud their willingness to step into unfamiliar waters. I just wish (sort of) that they would realize what danger they put themselves in every time they act without security in mind.
I don't think there's any better illustration of the timelessness of social engineering hacks-- and the vulnerability of unsophisticated mainstream users-- than phishing. The results of a 2006 phishing study, Why Phishing Works (pdf), are truly sobering:
Phishing is remarkably effective. Bear in mind that the users in this study were told in advance to expect a mixture of real and fake websites, so these results may actually be better than real world performance, as hard as that is to believe. Here's a detailed breakdown of the test sites used in the study, along with the percent of users who were unable to correctly identify whether the site was real or a spoof:
| % Wrong | |||
| Bank of the West | Spoof | URL (bankofthevvest.com), padlock in content, Verisign logo and certificate validation seal, consumer alert warning | 91 |
| PayPal | Spoof | Uses Mozilla XML User Interface Language (XUL) to simulate browser chrome w/ fake address bar, status bar and SSL indicators | 81 |
| Etrade | Real | 3rd party URL (etrade.everypath.com), SSL, simple design, no graphics for mobile users | 77 |
| PayPal | Spoof | URL (paypal-signin03.com), padlock in content | 59 |
| PayPal | Spoof | URL (IP address), padlock in content | 59 |
| Capital One | Real | 3rd party URL (cib.ibanking-services.com), SSL, dedicated login page, simple design | 50 |
| PayPal | Spoof | Screenshot of legitimate SSL protected Paypal page within a rogue web page | 50 |
| Ameritrade | Spoof | URL (ameritrading.net) | 50 |
| Bank of America | Spoof | Rogue popup window on top of legitimate BOFA homepage, padlock in content | 36 |
| Bank of the West | Spoof | URL (IP address), urgent anti-fraud warnings (requests large amount of personal data) | 32 |
| USBank | Spoof | URL (IP address), padlock in content, security warnings, identity verification (requests large amount of personal data) | 32 |
| Ebay | Spoof | URL (IP address), account verification (requests large amount of personal data) | 32 |
| Yahoo | Spoof | URL (center.yahoo-security.net), account verification (requests large amount of personal data) | 23 |
| NCUA | Spoof | URL (IP address), padlock in content, account verification (requests large amount of personal data) | 18 |
| Ebay | Real | SSL protected login page, TRUSTe logo | 14 |
| Bank Of America | Real | Login page on non-SSL homepage, padlock in content | 14 |
| Tele-Bears (Student Accounts) | Real | SSL protected login page | 9 |
| PayPal | Real | Login page on non-SSL homepage, padlock in content | 9 |
| Bank One | Real | Login page on non-SSL homepage, padlock in content | 0 |
There's only one conclusion you can draw from the study's results: when presented with a spoofed web page, a large percentage of users will always fall for it. Forever.
Once that spoofed page is up, even if we use the extraordinarily optimistic estimate that only 15 percent of users will fall for it, that's still a tremendous number of users at risk. Given the poor statistics, the only mitigation strategy that makes sense is to somehow prevent showing the spoofed page to the user. The good news is that the latest versions of Firefox and Internet Explorer have anti-phishing capabilities which do exactly that: they use real-time, distributed blacklists to prevent showing known spoof sites to users. I visited the PhishTank site to gather a set of known phishing URLs to see how well these browsers perform.
Firefox may be using PhishTank as a source; every URL I visited showed the most severe warning, blocking the phishing site from the user behind a sort of smoked glass effect. Unfortunately, it's all too easy to click the little red X and use the page. I don't think it's a good idea for this dialog to be so easily dismissable, like any other run of the mill dialog box.
IE7 opened some of the recent phishing sites with no warnings at all. But a few triggered the heuristic check for "suspicious", with a dropdown warning obscuring part of the site:
Others made the IE7 blacklist and were blocked completely behind a gateway page. I prefer this to the Firefox approach; once the URL is reported as a phishing site, there's absolutely no reason to show any of its content to the user.
I'm no fan of distributed blacklists, but I think they're a necessary evil in this case. Throughout the last ten years of incremental browser security improvements, users have always been susceptible to spoof attacks. It doesn't matter how many security warnings we present, or how much security browser chrome we wrap websites in. Phishing is the forever hack. If the phishing page is displayed at all, it invariably reels a large percentage of users in hook, line, and sinker. The only security technique that can protect users from phishing scams, it seems, is the one that prevents them from ever seeing the phishing page in the first place.
Phishing via email would be a whole lot harder if companies would digitally sign their newsletters. In all my years on the internet, I've NEVER received a digitally signed email. Like others, I, too, am always getting real emails from the companies I do business with that contain links. If those emails were signed, I'd feel a lot better about them. For instance, I get Microsoft's TechNet and MSDN Flash newsletters. Those things are chock full of links. Not only are they not signed, sometimes they purportedly come from a named individual on the Microsoft newsletter domain and not from the domain itself. I have no idea whether they are valid or phishing attempts. Surely, any company that does business on the web (especially Microsoft) must have some kind of certificate. Why don't they use one to sign their emails?
David A. Lessnau on May 7, 2007 2:16 AMMost people should not use the web, at least not someone who couldn't set the time on their VCR.
Furthermore, a good percentage of those who do shouldn't buy things or do financial business on the web.
Personal computers quit being personal as soon as we moved off of Windows 3.11. Now they are '1984-esque' adapter units into the Matrix.
People who incorrectly identified legit sites as illegitimate sites shouldn't be considered to have done the wrong thing. Any site which presents a login/password form without SSL has blown it and people are right to be refuse to interact with it.
kokorozashi on May 7, 2007 3:49 AMAnd another thing: Those alerts you get for self-signed certificates on production servers? Pure evil. Regular people have no idea what they mean and just try to figure what to click to continue with whatever they are doing regardless of the stern wording. We knew that. But I wanted to point out there is common practice which makes this even worse than usual. Many sites put self-signed certificates into production and then tell people who complain to just click through the warning alert. How stupid is that? The sites are too cheap to get a proper certificate, or perhaps they use software which is architected to scale poorly such that proper certificates are cost-prohibitive, and then the site takes the attitude that its users are being unreasonable when they try to protect themselves. cPanel, I'm looking at you.
kokorozashi on May 7, 2007 3:55 AMHack != Crack.
This might not work for the average user, but I would love to see a "details" section in the warning notice that explained which traits of the page triggered the warning. That would help people learn what to look for even when there is no warning.
I just picked a random site from PhishTank and tested it with IE 6. It did not give *any* warning or whatsoever and merrily continued showing the page. The mere thought of number of users still using IE 6 give me shudders!
Kiran Varma on May 7, 2007 5:47 AMI haven't read the study in detail but it seem to me that it's sort of missing the point. The issue is surely how to train people to only use their bookmarks to reach important sites in the first place. If people don't click on links in e-mails and on the web in the first place, it's less important that they are an expert on how to tell a phishing site from one that's not.
Also if people are told to expect a mix of real and fake sites, they may feel that they have to put half real and half fake and if they err on the side of caution as they might in real life, they might feel they are putting too many as fake.
delirium on May 7, 2007 6:18 AM@Kiran
IE6 doesn't have any phishing filter whatsoever installed so don't be surprised :)
phil on May 7, 2007 6:22 AMMy mom has just started using the Internet recently, and this sort of thing terrifies me.
How do you explain to a total neophyte how to identity that poorly defined "shadiness" that gives away a scam on the Web?
It scares the crap out of me that I pretty much have to rely on Internet Explorer to protect her from this stuff...unless I want to sit there with her the entire time she's using her computer and personally check the validity of each and every site she browses to.
Matt Blodgett on May 7, 2007 6:30 AM"The issue is surely how to train people to only use their bookmarks to reach important sites in the first place."
That's how I taught my parents to do: "Only use this bookmark here to open the Internet Banking page. Period. Never, ever, give any attention to any e-mail you receive from your own bank." They've never been caught (yet), although I'm sure they'd not succeed in that study.
delirium:
That's fine and dandy, but (IMHO) on the other side, we also need to teach companies not to send e-mail out with web links in them. It's a major convenience, but it would be a lot simpler to teach neophytes "don't click on any link that comes from e-mail." Instead, I get e-mails from capital one saying "Hey! Your statement is ready! Click here to check it!"
Also, Jeff: Phishtank is a cool resource, but it really just band-aids the problem. I'm part of a group that combats phishing websites, and the general consensus is that phishtank, while a very good repository of data, doesn't actually DO anything besides say "yup, thats a phish!"
While this is arguably useful for the reasons you stated, this only helps people who use the phishtank feed. The sizable majority of people on the website do nothing to remove the phish. Which is the real-world equivalent of watching a mugging and doing nothing.
Just a plug for one of the groups that do stuff (not the one I'm involved with: a href="http://wiki.castlecops.com/PIRT"CastleCops' Phishing Incident Reporting and Termination Squad/a a crack group individuals that handle termination of phish. If you ever get a phish, submit it to them.
Just my $0.02
Innismir on May 7, 2007 6:57 AMTo Matt Blodgett: You do not have to rely on IE. Install FireFox and also install the "McAfee SiteAdvisor" plugin/extension. Not only does this give you one extra line of defense, it also rates search results from the major engines. After you install it, with the pluging, go to Google, search on screen savers. To the right of the results one each line you will see either a Green check, yellow or red X. The sites that are know for bad things will be marked with the red x's. I put this on my wife's pc and we have had no issues for over a year with spyware and the likes. And yes the siteAdvisor helps with Phishing too.
To Jeff: Good article!
ShadesOfGrey on May 7, 2007 7:01 AMHey I have that book !
Ah the memories.. it was my first "computer security" book :)
They are really smart, I have maximum variation for paypal hacks. I have also made a post for it.
Some are with https, some https://paypal.com.something.com and rest is all paypal look. The emails are smart too the anchor text is for paypal.com but the link to some other sites.
http://www.idealwebtools.com/blog/paypal-hacking/ has more variations.
AjiNIMC - Gmail a part of my personal nerve center on May 7, 2007 7:14 AMStonehat: You're probably going to have to give that one up. So few people know there's a distinction, and even fewer care.
Eam on May 7, 2007 7:16 AMWhat about DOS attacks by inclusion of real sites to blacklists?
GUI Junkie on May 7, 2007 7:20 AMPersonally, I suspect the quoted study is flawed in several ways.
I might fail some of the sample "is this website phishing?" tests, but that doesn't make me susceptible in the real world as I would never end up logging in to a phishing site anyway.
Why?
Well, despite several of my financial services' attempts to defeat my browser's autocompleting feature, I have forced my browser to autocomplete part of my login information. As a result, when I login to PayPal, if I make a typo in the URL, (or otherwise end up at a phishing site) the login information won't complete and I'll be suspicious.
Unfortunately, one day one of my banks will find a way to completely block autocomplete, at which time either they will indemnify me against any successful phishing attacks or I will find a bank with a focus on security rather then one so devoted to wasting my time.
More importantly though, phishing IS solvable using a security technique that does not rely on the user being responsible for the identification AND authentication mechanisms.
Right now, bank security is "something you know" online, and "something you know" AND ("something you have" OR "something you are") in person. We need to get "something you have" into the picture when banking online.
In other words, if the user is not capable of revealing their password in a trivial way, it will stop phishing in it's tracks.
Smartcards are one solution. Client side certificates are another.
Neither are a perfect security solution themselves, but both can stop phishing completely if properly implemented.
Dave on May 7, 2007 7:51 AMRight on, orange. Americans are well off. The rest of the world has every right to take things dishonestly from them. After all, we wouldn't want the anyone to think that things like honesty, integrity and civility were anything more than American traits.
apple on May 7, 2007 7:53 AMPeople should follow one simple rule: never click in a link in an email. Always use bookmarks to go to banking shopping sites.
Mike on May 7, 2007 7:54 AMHi, John Roberts from OpenDNS, the company which operates PhishTank.
PhishTank doesn't block phishes, but provides free, high-quality data to lots and lots of service which use the data to protect their customers from phishing. That's all it is intended to do, and it's doing it well. The data is used by Yahoo Mail, Opera, Kaspersky and others (not all of whom have chosen to be named).
You can use it, too. http://www.phishtank.com/api.php
Cheers,
John
I think the simple trick is the rule I've given the non-tech-security-literate that I know:
"If you didn't type the URL in, don't give them any details."
Numerous corllarys:
Never follow links in e-mails.
Never google your bank and follow that link either.
If you don't know what I mean by web address or URL you aren't ready to use any online financial services.
Nice work with the anti-phishing blacklist, but in the end it cannot possibly keep up. Like ORBS it will always be a step or two behind the latest ones in use.
Keith on May 7, 2007 9:53 AMthe biggest question I have with this study is: did they just show the users the pages in question, asking them to guess (is it real?), or did they ask users to navigate there? There is no hard and fast rule for whether a site is real or spoofed, but I normally don't just click on random links or start entering personal data into a preloaded page.
a better test would be to give users a list of things to do on the web with ( find Capital One login page ) and see how many can do that using a search engine rather then typing in the URL box. How many users go to spoofed sites now?
Can't we send a SEAL team to russia, china, nigeria and the like to extract the phishing and spamming royalty and execute them during a live internet feed? That would be sweeeet
Jorge on May 7, 2007 10:23 AMThere is also another layer of protection - the email client. A lot of email clients now try to detect scam emails and mark them as such.
[ICR] on May 7, 2007 10:37 AMI will agree with this 100. I have yet to come into contact with one of these sites, and hope I never do, because for one.... I NEVER look at the address bar, and I am in the upper bracket of computer users, so that is kinda scary for me.
Jeremy on May 7, 2007 10:38 AMSeems to me that you're pushing the "Fair Use" idea by copy/pasting that entire table from the PDF. It's clear from the prose that it comes from the PDF, but I think you really ought to call out the source explicitly at top and bottom, or better yet, just use an excerpt.
Franklin on May 7, 2007 10:39 AMIf you read the study, they describe how they set it up. They gave the users a list of links to try in turn (the links were randomized) and the users were asked to determine if the website is real or not. They also used Firefox on MacOS X laptop. Given that I use IE and Windows all the time and that some of the sites I never use, I would bet I would be fooled by a fair number of sites, too. But, as others have noted, I always use my own links to get to web sites, not following links that come in via e-mail. So in the real world, I wouldn't be as easily fooled.
David on May 7, 2007 10:47 AMIt's clear from the prose that it comes from the PDF
I would hope that's obvious since I didn't personally conduct the study. I don't think quoting a single table of results is grounds for your comment.
Jeff Atwood on May 7, 2007 11:26 AMJust a comment, a hacker isn't a cracker.
Check this link: a href="http://en.wikipedia.org/wiki/Hacker"http://en.wikipedia.org/wiki/Hacker/a
... and this too: http://en.wikipedia.org/wiki/Hacker_ethic
Samir on May 7, 2007 11:41 AMCan't we send a SEAL team to russia, china, nigeria and the like to
extract the phishing and spamming royalty and execute them during a
live internet feed? That would be sweeeet
Before you send anybody to any other country read this Anti-Phishing Work Group report. Make sure you scroll down to page 4 (Countries Hosting Phishing Sites).
http://www.apwg.com/reports/apwg_report_DEC2005_FINAL.pdf
workaholicus on May 7, 2007 11:41 AMI prefer this to the Firefox approach; once the URL is
reported as a phishing site, there's absolutely no
reason to show any of its content to the user.
I would tend to prefer Firefox as it not only stops the user from going any further, but also because it may inadvertantly educate users that the very real looking site behind is fake. There may be some value to showing the page.
Also, the IE page has the look of a 404 page and some users will simply glaze over it.
Drew on May 7, 2007 12:14 PMThe full archive of the Anti-Phishing Working Group reports is here:
http://www.antiphishing.org/phishReportsArchive.html
for the month of February 2007:
--
unique phishing reports: 23610
unique phishing sites: 16463
brands hijacked by phishing campaigns: 135
brands comprising the top 80% of phishing campaigns: 14
Country hosting the most phishing websites: United States
Contain some form of target name in URL: 25.4 %
No hostname just IP address: 17 %
Percentage not using port 80: 2.5 %
Average time online: 4 days
Longest time online: 30 days
--
Thank you Jeff. I don't know why I didn't post the link to reports archive just that old one :)
The reports go only this far. There is no data on "beneficiary's" country of origin, and most of the time they are multi-national groups (a href="http://www.sophos.com/pressoffice/news/articles/2006/11/phishing-arrests.html"http://www.sophos.com/pressoffice/news/articles/2006/11/phishing-arrests.html/a)
Contain some form of target name in URL: 25.4 %
While working on security solutions we have discovered that a lot of phishing sites/pages (even those containing some form of target name) are hijacked sites and pages. So it's not that all phishing sites are deliberately hosted by their registered owners. General tightening of security on your own website/hosting helps prevent phishing. One thing is when site is hacked and data is lost, other thing is when innocent site suddenly starts spreading malware or hosting phishing pages.
workaholicus on May 7, 2007 1:10 PMLots of people are saying "Only use your bookmark for banking websites, don't click on a link", but that's not guaranteed to be safe either. I came across a home PC recently that had been infected with a virus, and the "HOSTS" file contained a bunch of fake DNS entries. In other words, you could use an existing bookmark or type in the real URL for your bank, and you'd be redirected to the fake site. (I was involved in this because the person who owned the PC recognised that the website looked different to normal.)
John C. Kirk on May 8, 2007 3:47 AMA lot of the problem, I think, can be stopped when the site gets registered. If ICANN gets a request for a domain called paypal.scam.com they should be able to flag that and contact the registered paypal.com account to make sure it's supposed to be there. Of course, some discretion should be used. PayPal really doesn't need to know if I register a domain that's called paypalsucks.com. The phrase "Policing the Internet" comes to mind here.
Still, the point is ICANN should be able to prevent many of the phishing sites before they even go up.
Spencer on May 8, 2007 7:03 AMI can see the argument for IEs method- users are indeed stupid. Consider however, that Firefox users are generally smarter and more computer savvy than IE users, and probably more entitled to the option of viewing the page.
Dylan on May 8, 2007 7:11 AMAt the bottom of this problem lies the built-in lack of safety on the Internet, specifically the fact that mass e-mails are basically free and the sender is easily forged.
If ISPs would simply block mass e-mails unless the sender was validated not to be a spammer (whitelist), and if ISPs would simply refuse to transfer e-mails without a secure identification of the sender... this wouldn't be a problem at all since the links to fishing websites would never get to their victims.
Coincidentally, virtually all other spam and viruses would vanish, too. So why doesn't it happen? Because ISPs like the business of spammers and don't want to invest in security, especially if it might inconvenience their users.
As long as e-mail is free, global, and anonymous this won't go away.
Chris Nahr on May 8, 2007 1:14 PMBank of America's online banking website uses a "two-way" authentication. That is, while I have to identify myself to the BofA site to access my online banking, the site also has to identify itself to me. It does so by displaying a unique identifying signature (the "SiteKey") on the login page. I chose the signature privately, over a secure connection, when I registered for online banking in the first place. No phisher knows what it is, so absent a seriously sophisticated man-in-the-middle attack, no one can spoof "my" BofA login page.
I provide my credentials to the site, the site provides its credentials to me, and we decide to trust each other.
Wolf Logan on May 9, 2007 7:29 AMPlease don't use the word "Hack" when you mean "crack". A hacker is on who knows a lot about computers (including ultra-secret tricks) and works on them a lot. A cracker is somebody who thwarts protection. A phreaker is extinct, but is a person who cracks the phone system (you used to be able to hear the telephone network doing it's stuff when you made a long-distance call). Look up "The new hacker's dictionary" - it's a very good reference to jargon, a newer version of the jargon file.
Gabriel J. Smolnycki on May 11, 2007 3:32 AMOh yes, use OpenDNS. It blocks phishing sites with a page like IE, but it WONT LET YOU CLICK TO GO PAST!!!!! This in my opinion is even better - if they know it's a phishing site, don't let people go there!
@Eam
Stonehat: You're probably going to have to give that one up. So few people know there's a distinction, and even fewer care.
too bad for you. it's rude to call a hacker a cracker. A cracker ISN'T a hacker, no matter which way you slice it. A hacker is honest, a cracker isn't.
This is the site going around right now with the service@paypal.com address in the email. It's a VERY good disguise and I almost fell for it myself. I know it's going to catch a lot of users and mess with their bank accounts. Hope paypal is keeping an eye on it considering what kind of site they are. It could literally cost thousands if not millions if they don't get it shut down soon.
Anybody know how to hack phishing sites as "payback"? I feel like spending the time to learn hacking just to go around the internet hacking and shutting down these phishing sites to keep them from hurting people. If I knew where to start, I would have started already.
Anybody out there know of groups that do hack phishing sites to shut them down? I'd love to have someone to email websites to so they could take care of it or teach me how to do it. Dishonesty is a really big pet peeve of mine and it makes me more angry than anything else imaginable.
If anyone has a group that does this or knows where I could start learning and then set up a group myself, please email me at BauerWilliams@msn.com and I will be very grateful.
Anybody else want to band together to help stop the phishing sites with me? I'm very serious and really would like to do something to protect some of the less computer literate people from being scammed. I'm not by any means an expert, but I know the basics, I just need to learn how or where to get them shutdown.
Thanks in advance for any info you can share, I'll happily, very happily settle for a group I can send the sites too until I've earned the trust needed to be shown how to do it myself. My intentions are completely honest and I have no desire to play anyone or to do things I shouldn't do. Like someone else in this thread said, a hacker isn't a cracker. A hacker is honest and a cracker isn't and I'd really like to be a hacker (kind of an internet superhero!)..yeah, I'm an old geek, but what can I say. I'm from the generation that wants to save the world. (almost 40!!! OMG I'm getting old!!)
ok I've rambled enough LOL
Thanks
http://www.joewein.net/419/emails/2005-11/08/379508.25.htm
Others made the IE7 blacklist and were blocked completely behind a gateway page. I prefer this to the Firefox approach; once the URL is reported as a phishing site, there's absolutely no reason to show any of its content to the user.
Firefox 3 do this.
@Gabriel J. Smolnycki: Only the Jolly Roger brand of phreakers are extinct, those who move on are still alive, well, and saving themselves a fortune.
Schmoo on December 11, 2008 5:53 AM@dave
don't trust you browsers domain-specific autocomplete. for one thing, DNS can be hacked. Viruses manipulate hosts files. ARP-spoofers can overrule DNS, routing and everything else. Proxy servers may be compromised. Man in the middles are a real possibility.
@drew
I think it would be a nice *option* to show the page. Actually loading it gives the exploiter information (since they can identify the source of request, perhaps even identify the way you 'found the phishing site' because of unique ID-s in the url etc. etc.). Now, combine that with all-to-common cross-site scripting info, general privacy issues (referers, browser plugins etc. etc.) and you know you had better *NOT* load the page, even if read only. Of course, an option would be to show a static image from the anti-phishing database (much like popular web-snapshotters or thumbnailers).
Oranges are lame. Protesting continues
Seth on May 6, 2009 2:21 AMmore @dave
oh and I almost forget you cannot trust your own home network for DNS security, ARP safety etc. etc. once you use wireless *somewhere* in the network (especially with bridging links to LAN). WiFi is breachable (not only WEP).
The truly paranoid will therefore never be able to recognize 'true' websites from 'phishing' unless the authentication is two-way and gives external verification. This is talked about in a few other comments.
-----
urrrggh. still have to provide the fruit. I should think by now grapefruits are more in order
I pretty much have to rely on Internet Explorer to protect her from this stuff
Dude she's lost...
HMan on May 7, 2009 2:43 AMDialogs are useless to prevent users from doing anything, they just click through them as fast as they can.
I don't feel too sorry for users who end up on these sites. How did they get there? Did they type in the address in the browser.
Probably not, they probably clicked on an email link that said "Free Stuff Click Here".
If you give people a loaded gun, some of them will shoot thier foot off.
The phishing blacklist is a good idea, but it will always be a few steps behind, plus its just a band aid.
Maybe a better approach is that when you register your URL like www.mysite.com you have to give reliable contact information, so that if you site is bad, authorities can find and arrest the offender(s).
Are any of these Phishers punished when there site is discovered? Probably not. Start enforcing some type of "internet" laws and punishments and some of the activity may be contained. I know this might be hard when some sites are overseas.
Otherwise, better tell grandma not to buy anything online.
Jon Raynor on February 6, 2010 10:02 PMI never answer any of these phishing emails and never open attachments unless I know where they're from. Some of these others though, can creep in through other means. I have, for example, been known to visit dubious websites although my MVPS hosts file should block the worst. How effective are normal antivirus and anti malware programs, of which I have several running, at picking these up, particularly malicious BHOs? I've read the article on Learn Hacking which drag me to know more about phishing attack.
Faiz Ahamed on September 24, 2011 4:15 PMThe comments to this entry are closed.
Subscribe in a reader
Subscribe via email
|
|
Traffic Stats |