Home page logo

webappsec logo WebApp Sec mailing list archives

RE: Phishing
From: Pete Simpson <pete.simpson () clearswift com>
Date: Thu, 13 May 2004 19:13:11 +0100

Earthlink have been receiving up to 40,000 calls per day from concerned
customers. In response they have developed and made freely available, to
anyone, a browser toolbar (ScamBlocker) that will alert when a user clicks
on an email link to one of the known fraudulent web sites. Just like
antivirus signatures, the strategy is reactive and relies on EarthLink
updating its list of fraudulent sites. Potentially, this may lull users into
a false sense of security. Widespread adoption of the tool may enhance the
effectiveness of this approach, with user feedback aiding timely reporting
of new phish scam sites. ScamBlocker can be downloaded at:

SpoofGuard from a team at Stanford University, works the same way, via "a
traffic light in your browser toolbar that turns from green to yellow to red
as you navigate to a spoof site. If you try to enter sensitive information
into a form from a spoof site, SpoofGuard will save your data and warn you.
SpoofGuard warnings occur when alarm indicators reach a level that depends
on parameters that are set by the user. SpoofGuard does more sophisticated
checks, against previous sites you may have visited, as inspecting the link
visited for signs of tricks used by known phishing attacks. SpoofGuard can
be found at:
http://crypto.stanford.edu/SpoofGuard http://crypto.stanford.edu/SpoofGuard

Both ScamBlocker and SpoofGuard are free, but only work with Internet

PassMark is a much more effective defence. The bank or other financial
service provider, provides the user with the ability to select an image,
unique to the user, that will be displayed whenever he visits the genuine
web site. This is a shared secret between the bank and the user and is not
amenable to spoofing. 

Thats why the phishers are now capturing screenshots when you go to the real


And the excellent anti-phishing analysis work done voluntarily at Code Fish
has led to them coming under heavy hacking attack.


However, the con artists (in league with skilled hackers) responsible for
the phishing phenomenon are consumate social engineers and will attempt to
catch the gullible few with an appropriate workaround. For example, one
Friday the user may receive a plausible email purporting to come from the
bank, warning that the PassMark database has been corrupted and requesting
the user to login (to a fake site) and select a new PassMark. Several
variations on this theme, as well as the screenshots, will undoubtedly
evolve to trick the unwary.

Another interesting approach is that pioneered by Dartmouth in 2002. This
uses coloured margins to the Mozilla browsers to indicate whether the window
can be trusted.

On the question of trust, do we trust TrustToolbar? Who claim to identify
spoof sites. "Avoid being caught in a Phishing NET"
Comodo offers the industries widest portfolio of free to use solutions to
combat the rising tide of Spoofed Web sites and Internet Phishing attacks.
Yet according to some it is classed as spyware...

Pete Simpson
ThreatLab Manager
Clearswift Ltd

Clearswift monitors, controls and protects all its messaging traffic in 
compliance with its corporate email policy using Clearswift products. 
Find out more about Clearswift, its solutions and services at 
This communication is confidential and may contain privileged 
information intended solely for the named addressee(s). It may not 
be used or disclosed except for the purpose for which it has been 
sent. If you are not the intended recipient, you must not copy, 
distribute or take any action in reliance on it. Unless expressly stated, 
opinions in this message are those of the individual sender and not of 
Clearswift. If you have received this communication in error, please 
notify Clearswift by emailing support () clearswift com quoting the 
sender and delete the message and any attached documents. Clearswift accepts no liability or responsibility for any 
onward transmission or use of emails and attachments having left the Clearswift domain.
This footnote confirms that this email message has been swept by 
MIMEsweeper for Content Security threats, including computer viruses.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]