Slashdot: News for Nerds




Obligatory (2, Interesting)

lbmouse (473316) | more than 8 years ago | (#14346456)

Netcraft confirms it.

Seriously, it is a pretty good bar. I just wish its appearance/position was a little more customizable.

Re:Obligatory (1)

pjotrb123 (685993) | more than 8 years ago | (#14352076)

Although the Netcraft toolbar does the job, it slowed my browsing experience so much as to be unusable. Sometimes it made me wait for a minute before giving the green (or red) signal. Or sometimes there simply was no reply at all from their servers. I found that I'm smart enough to decide on my own if a Phishing attempt is being made, so far with a 100% score. And my brain works a whole lot faster than the Netcraft servers.

Don't know about others.

how about... (1, Informative)

Anonymous Coward | more than 8 years ago | (#14346457)

using your brain! watch out for strange urls, bad grammar, missing/bad certificates, etc...

Re:how about... (1)

rajats (891347) | more than 8 years ago | (#14367642)

Many times it is not necessary that looking at URLs could give you an idea. Sometimes, websites use URL redirection parameters while authenticating clients eg: Esomeothersite%2Ecom%2F An attacker could exploit this kind of a website authentication mechanism to send someone an obfuscated URL in the urlredir parameter that would redirect the user to a site which looks exactly like and says "invalid credentials" ... it's very difficult for users not to fall prey to this kind of a situation because, let's face it, most people do not look at the URL for every request. The website creators themselves have to become knowledgeable about how to avoid such attacks.
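What the comment above asks of site owners, sketched as an added example (not code from the thread or from any site it mentions): a login handler accepts the `urlredir` value only when it is a same-site path or an absolute URL on an allowlisted host. The allowlist, host names and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist (assumption): the only hosts a login may redirect to.
ALLOWED_HOSTS = {"www.example-bank.test"}

def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return raw if it is a safe post-login destination, otherwise default."""
    if not raw:
        return default
    # Browsers treat "\" like "/" and drop control characters inside URLs,
    # so refuse both rather than trying to normalise them.
    if "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return default
    try:
        parts = urlsplit(raw)
    except ValueError:              # e.g. a malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash path on this site.
        ok = raw.startswith("/") and not raw.startswith("//")
        return raw if ok else default
    if parts.scheme not in ("http", "https"):
        return default              # javascript:, data:, scheme-relative, ...
    # .hostname drops userinfo and port, so "allowed@other-host" is judged
    # on the host the browser would actually contact.
    host = (parts.hostname or "").lower()
    return raw if host in allowed_hosts else default

def redirect_from_query(query_string):
    """Pull urlredir out of a raw query string (percent-decoded once)."""
    params = parse_qs(query_string)
    return safe_redirect_target(params.get("urlredir", [""])[0])

if __name__ == "__main__":
    # Constructed request: the percent-encoded value hides an off-site URL.
    print(redirect_from_query("user=alice&urlredir=https%3A%2F%2Fphish%2Etest%2F"))
    print(redirect_from_query("urlredir=%2Faccount%2Fsummary"))
```
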

Never tried them. (5, Informative)

Threni (635302) | more than 8 years ago | (#14346631)

> Do Slashdot readers have any recommendations on which Anti Phishing toolbar to
> use, or on how to improve upon the existing ones?"

If you're smart enough to install this kind of solution then you're not going to fall for the phishing attempts in the first place. Email from paypal/ebay/your bank that doesn't start with your name? Delete it. Get a plausible looking email asking you to click on a link and log in? Type the URL manually anyway (I use a local homepage which just contains a bunch of links to those accounts, Slashdot etc). Have an account somewhere that doesn't address you by your full name in emails? Close the account and use another bank.

By the same token, this stuff is obvious to everyone reading Slashdot. Right?

Re:Never tried them. (1)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14346651)

Better yet, don't bank or do sketchy money transactions over the Internet. Few people actually have to.

Re:Never tried them. (1)

Threni (635302) | more than 8 years ago | (#14346763)

> Better yet, don't bank or do sketchy money transactions over the Internet. Few
> people actually have to.

I use Cahoot's online bank in the UK (5+% savings account, ~4% current account) - seems safe to me. Should I be scared? Why? Where's the risk? Not phishing, so is SSL insecure?

I don't know... (1)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14346899)

I like to drink coffee. Sometimes I wonder about the relationship between coffee and high blood pressure. Is there one? Have studies been done? Can I get a cup of drip?

Re:I don't know... (1)

Threni (635302) | more than 8 years ago | (#14347029)

I could go without coffee I guess, but that concept is about as interesting to me as going without online transactions due to an ill-informed assessment of the risks.

Or use GMail (1)

brunes69 (86786) | more than 8 years ago | (#14346652)

I find GMail catches 100% of all phishing attempts directed at me, resulting in it sterilizing all the links, and moving them to the Spam bucket. Even if it is "unsure" about an email, it will put a huge warning at the top and semi-sterilize the links.

It doesn't catch 100% of my spam, but it does well over 99% I would say. And none of the ones that get through are anything resembling phishing.

Re:Or use GMail (1)

Threni (635302) | more than 8 years ago | (#14346714)

> Or use GMail

I do both (using HTTPS to access gmail, not the lame http it offers you - you have to edit that yourself - or use a plugin).

Re:Or use GMail (1)

MillionthMonkey (240664) | more than 8 years ago | (#14368711)

A friend of mine got on GMail's shitlist somehow last year, even though she was emailing me from a GMail account herself- which she had gotten from my invite. Every single email from her had the big yellow box warning: "This email may not be from whom it claims to be." Which struck me as funny, since it was essentially tagging email being sent from one GMail account to another. I think she complained to Google and after a few days it went away.

Just mouse over (1)

brontus3927 (865730) | more than 8 years ago | (#14347200)

Really simple solution that I tell my non-technically inclined relatives. Check the link. Move the mouse over the link and see what it says in the status bar. If it says the internet address is something with a bunch of numbers after the http:// then it's not a legitimate site.

There are going to be a VERY small number of sites that this isn't true, but these kinds of sites are unlikely to be anything that most people are going to be ever needing to use.

Re:Just mouse over (1)

eurleif (613257) | more than 8 years ago | (#14349542)

Most phishing emails I've seen do something along the lines of <a href="" onmouseover="window.status=''">, so that's not a reliable solution if your email client has JavaScript enabled.

Re:Just mouse over (1)

brontus3927 (865730) | more than 8 years ago | (#14349791)

I guess the other half of it then is to turn off JavaScript in the email client, like Thunderbird does by default
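The two signals raised in this sub-thread (a link whose host is "a bunch of numbers", and an `onmouseover` handler that rewrites `window.status`) can be checked on the message source rather than by hovering. This is an added example, not any commenter's code; the sample e-mail is constructed, the finding names are made up for illustration, and the numeric-host check goes slightly beyond the thread by also covering integer and hex host forms.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts written purely as numbers: dotted quad, single integer, or hex parts.
NUMERIC_HOST = re.compile(r"^(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}$", re.I)
# Any assignment to (window.)status inside an event handler.
STATUS_WRITE = re.compile(r"\bstatus\s*=", re.I)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)      # dotted IPv4 and IPv6 literals
        return True
    except ValueError:
        return bool(NUMERIC_HOST.match(host))

class LinkAudit(HTMLParser):
    """Collect (href, findings) for every <a> tag in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.results = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = {name: (value or "") for name, value in attrs}
        href, findings = attrs.get("href", ""), []
        try:
            host = urlsplit(href).hostname or ""
        except ValueError:
            host = ""
            findings.append("unparseable-href")
        if host and is_ip_literal(host):
            findings.append("ip-literal-host")
        # An on* handler that writes the status bar hides the real target.
        if any(n.startswith("on") and STATUS_WRITE.search(v) for n, v in attrs.items()):
            findings.append("status-bar-script")
        self.results.append((href, findings))

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.results

# Constructed sample message body (not taken from a real e-mail).
SAMPLE = """<p>Dear customer, please confirm your account.</p>
<a href="http://192.0.2.15/login" onmouseover="window.status='https://www.example-bank.test/'; return true">Log in</a>
<a href="https://www.example-bank.test/help">Help</a>"""

if __name__ == "__main__":
    for href, findings in audit(SAMPLE):
        print(href, findings or "ok")
```
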

Re:Just mouse over (1)

WebCrapper (667046) | more than 8 years ago | (#14351072)

I agree - if you're smart enough to look for the signs, you don't need the bar.

I humor these idiots once in awhile, if I'm sitting at the computer and watch a message come in (and I'm really bored). I'll hit their site, give false info and submit it.

One of the funniest things I've seen is one site that used a java popup image to put it over the default location of the IE toolbar. So when I clicked the link, part of my Firefox tabs were covered up (I'm in webdev, so I can't disable javascript). Laughed my butt off over that one.

Luckily my wife is still pissed off at paypal for screwing her over on a fraud issue and she refuses to visit their website for anything. Won't even touch eBay anymore - it's great!

Re:Never tried them. (2, Interesting)

XO (250276) | more than 8 years ago | (#14349329)

yeah, exactly how does an "Anti Phishing" toolbar work? Only thing I can think of is a built-in blacklist. Just use Opera, and it will flat out tell you if the site you are looking at is the site that it claims to be.

Re:Never tried them. (1)

secolactico (519805) | more than 8 years ago | (#14349786)

Email from paypal/ebay/your bank that doesn't start with your name? Delete it. Get a plausible looking email asking you to click on a link and log in? Type the URL manually anyway (I use a local homepage which just contains a bunch of links to those accounts, Slashdot etc)

Or, if possible, use the phone. If you get an unexpected e-mail from your financial institution, call them. Don't use any link or phone # in the e-mail. You should have a couple of customer service numbers with you for any bank or credit card company you use.

If you get an e-mail from a bank you've never done business with, it's a scam. If you get an e-mail from e-bay/paypal, it's most likely a scam (if you do business with them, read their e-mail communications guidelines to help identify legitimate mails from scams).

And if somebody offers you untold millions to help transfer money, it's a scam. And if it wasn't, it might be a form of money-laundering that's illegal in more jurisdictions than you care to count.

A healthy dose of mistrust goes a long way towards protecting you from phishers and scammers.

Re:Never tried them. (1)

ppz003 (797487) | more than 8 years ago | (#14352072)

Everyone reading Slashdot? Maybe. But for those of us who try to protect our family and friends, these tools can be invaluable. I also like to teach people how to use the no-script extension.

anti phishing already installed in IE7 (2, Interesting)

mdman (846276) | more than 8 years ago | (#14346888)

IE7 has anti phishing features installed in it already..

Re:anti phishing already installed in IE7 (1)

spacefight (577141) | more than 8 years ago | (#14351031)

IE7 is not available to the broad public. Why do some people point to a not-yet-released product?

Re:anti phishing already installed in IE7 (1)

J0nne (924579) | more than 8 years ago | (#14351665)

IE7 is a bitch to install on non-english systems (it involves switching files while you're installing it, and within the time the setup progress bar is running), it's beta software (MS beta, not open source it's-stable-but-we're-afraid-of-releasing-a-final-beta).

Besides, I don't think a lot of people feel comfortable to send every url they visit to a company that just bought the backend technology from Claria/Gator (or any company, for that matter), but that's something most phishing toolbars do, if I understand it correctly.

Phishing? whazzat? (3, Interesting)

redelm (54142) | more than 8 years ago | (#14346957)

My email reader does not render HTML. When I encounter pure HTML email, I just delete it. Or bounce it back to spoof@... as eBay and PayPal have requested.

In the unusual case (once per week) that I actually _want_ to look at a website mentioned in email, I cut'n'paste.

HTML email is abomination. Autoload images is evil.

Google solution. (3, Informative)

ScaryFroMan (901163) | more than 8 years ago | (#14348519)

"Google Safe Browsing" seems to work pretty well.

Re:Google solution. (1)

spacefight (577141) | more than 8 years ago | (#14351044)

Yeah right, very nice and you are transmitting every page URL you visit to Google for a checkup. Same goes with the Google Toolbar (page rank check). If you can live with this, go for it!

Re:Google solution. (1)

flubbergust (818863) | more than 8 years ago | (#14357460)

Why can only Americans download it? Are they more likely to fall for phishing scams than the rest of the world?
I got to admit that I didn't look around that much there so I haven't found an answer yet.

Sticker (1)

MrNougat (927651) | more than 8 years ago | (#14352900)

Put a sticker above the screen on every monitor that reads:

"No one will ever ask for personal information via email. If anyone does, do not give it."

Re:Sticker (1)

Detritus (11846) | more than 8 years ago | (#14358003)

"No one will ever ask for personal information via email. If anyone does, do not give it."

Written by someone who has never worked in a large corporation or bureaucracy.

Re:Sticker (2, Insightful)

MrNougat (927651) | more than 8 years ago | (#14358652)

I've worked for a company with 1000 employees in 72 locations in the US. Financial services company. If that's not bureaucratic, I don't know what is.

I think, generally speaking, much time is spent trying to prevent social engineering attacks with technological methods. Phishing is not an attack against a technological resource; it's an attack against a person using technology. The weakness being exploited is in the person, not in the computer system. Trying to protect a computer system from phishing is like trying to protect a bank teller from being robbed. It's not the bank teller being robbed, it's the money in the bank. Sure, the bank teller is a conduit through which robbery can occur, and by that logic, protecting the bank teller will reduce the risk of robbery. But a better way is to protect the money by putting it in a vault. I don't know of any banks that don't have vaults.

Reducing people's weakness to phishing by telling them - over and over, or with a sticker - that no legitimate company will request personal information via email is like putting the bank's money in a vault.

Re:Sticker (1)

Detritus (11846) | more than 8 years ago | (#14359984)

You make some good points. My experience has been that corporations love email and prefer it to physical paper. These days you can apply for, or renew, a security clearance via email. They email you a program, an electronic form, and you fill it out and email the data file back to them. How are you going to convince them?

Re:Sticker (1)

MrNougat (927651) | more than 8 years ago | (#14360107)

Okay so how about modifying my sticker to read:

No one will ever ask for personal information via email unless you have solicited the request yourself. If anyone asks unsolicited, do not give it.

I know, I know. This means we're going to have to make another sticker with the definitions of "solicited" and "unsolicited" on it. And with LCD monitors all the rage, there's hardly room around the edge of the screen for two stickers and a Post-It with your username and password.

I agree that email is a great form of communication, and that it is often used to transmit personal information from one place to another. The only time that's valid is when I (the end user) initiate the exchange.

Back to technology, I think the limitations of SMTP make it easier for phishing, etc., to work. There's currently no way to easily verify the identity of the sender. Easily, I say, because I know there are S/MIME certs, but how many end users even understand those? Either some new email protocol needs to be developed which demands that the sender is verified, or something like SenderID needs to be glommed onto SMTP. That would stem the tide of all sorts of ill-begotten emails, not just phishing.

Call Me a TROLL: Who needs a tool bar? (1)

chivo243 (808298) | more than 8 years ago | (#14353492)

If you are dumb enough to help Person X from country X based on an e-mail.... send me your money, and tell me before I hire you. If you get sucked into something about your bank/credit card via the internet, too bad for not asking a stooge at the institution. If people can't follow these simple steps:
1. If you don't know them you don't owe them. HIT DELETE
2. Your financial Institutes will never ask you via e-mail for any info. Call the institution and tell them what you have received.
3. If in doubt, ALWAYS sleep on the decision.
I leave you with these thoughts, would you give anybody a blank signed check? (remember those) Or would you give your PIN or Password to anybody?
And on the lighter side, cordless drills, orbital sanders and the various saws would love a tool bar! I know I can use a drink at the end of the day... :-}>

Celebrity Greeter at the Tool Bar? (1)

chivo243 (808298) | more than 8 years ago | (#14353573)

None other than Tim Taylor!