WebApp Sec
mailing list archives
Warning about accessing / attacking phishing and spoofing sites
From: Amir Herzberg <herzbea () cs biu ac il>
Date: Sun, 19 Dec 2004 09:59:16 +0200
"Ian" <webappsec2 () fishnet co uk> wrote on Thu, 16 Dec 2004 10:42:23:
<snip>
>> Personally, I like stringing them on and giving them false
>> information and wasting their time. It's fun, I recommend all of you try it : )
> You may have stumbled across a solution here ;)
You both probably meant this as a joke, but just for safety, let me warn
anybody against doing this, or entering phishing sites `just for fun`.
Since we're doing research on secure user-interface extensions to
browsers to prevent web spoofing and phishing, I've been looking at many
phishing and spoofing web sites (see article at
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm or
extension for Mozilla/Firefox at http://trustbar.mozdev.org). However,
this should be done very carefully (read: from a specially protected,
not sensitive machine), since many of these sites try (also) to use
different browser vulnerabilities to break into machines. While I am
sure you are all trying to maintain your browsers and OS updated and
configured securely, there is always the risk of some exploit you were
not aware of. So, I suggest you don't visit these pages `just for fun`.
> Why not code an automated system that fills
> in their bogus log in screens with false
> information?
I'm not sure if you were serious, but if you were... this idea isn't. With too
many sites being attacked, this system would take substantial effort to
build; and it could be abused to launch a DoS attack on web sites, by
making people running this program (`to punish phishers`) attack honest
sites (or would you really be able to identify the honest sites? How?)
Best, Amir Herzberg
Associate professor, computer science dept.
Bar Ilan University
http://AmirHerzberg.com