web application security lab

Phishing Checklist Of Doom

Normally I don’t just go down and lay the smack down on other people’s work, but this site really worries me. This is exactly what I was talking about with Leggionare: how education can actually hurt people rather than help them. Take this top-ten list of anti-phishing tips, for instance. Let me make some comments here:

#10 Anti Phishing Check Point Bookmark all valid sites you have a relationship to (e.g., bankofamerica.com), and when you get an email, ignore the links and if you think it is valid, then just use your pre-existing bookmark to login at the main page.

One word: pharming. Another two words: trojan horse. This only works if your system and network are completely clean.

#9 Anti Phishing Check Point Identify trademarked logos or names and verify that the origins are of the host site.

Easy enough: the phishers can host the logos themselves. And how are most users going to know how to verify that anyway? Any tips? You didn’t even mention SSL!

#8 Anti Phishing Check Point Phishers often set up webpages which contain the @ symbol in the URL. For example: www.youraccount@paypall.com. URLs containing the @ symbol are phishers, beware!

That trick hasn’t worked in more than a year and is rarely used because browsers have killed it. The only time @ is in a URL anymore is when it’s part of the query string as a parameter. You’re just confusing users with this messaging.

#7 Anti Phishing Check Point Check to ensure the email is addressed to you PERSONALLY. For example, if the email is from a Phisher posing as Bank of America, you may be addressed as “Client” or “Customer.”

How many people’s email addresses are joe.smith@company.com? This is trivial to get around, and there is plenty of data-mining software that handles it. At least 1-5% of the spam I get is targeted in this way, so that’s really not a reliable method unless you never use your email address for internet shopping, never sign up for anything, AND never have it published anywhere a spider can find it. Good luck with that. I should also mention that there are LOTS of companies that don’t put the consumer’s name in the email.

#6 Anti Phishing Check Point Often emails from a legitimate holder of personal/financial information will list a series of dates and serial numbers in a header above the email’s body text. The header will often read similar to: Date: Jan. 01, 2006 Serial Number: 5122bc6 Our Last Email was on: Dec. 01, 2006 Our Next Serial Number: 898fjf098 Use these dates and serial numbers as reference numbers!

This is just confusing more than anything. I’ve never seen that, and it’s pretty easy to convince people that it’s right, and if it’s not right, well, they’re going to click the link to figure out what’s going on with their account, now aren’t they?

#5 Anti Phishing Check Point Protect Yourself With Anti-Spam/Anti-Spyware Software! We recommend Adaware NOT Adware

Adware has nothing to do with Trojans, and I still have a hard time believing that spyware is the root of account theft. Trojans, yes; adware, no.

#4 Anti Phishing Check Point Anti-Spyware and Anti-Spam filters work to omit the transmission of personal data to “copycat websites” by proving the authenticity of the website the user is transmitting data to, use them!

Kay… any advice as to HOW to use them and which ones you are referring to? I’m not aware of any anti-spyware that does domain-name validation, but maybe I’m not up on things. How about throwing the consumer a bone and providing some links? Even I don’t know what you’re talking about, and I’ve worked in the industry for over a decade.

#3 Anti Phishing Check Point Take Action!! Turn in the phishing scoundrels and clean up the web!! So you have received an email from an apparent Phisher/Spammer, now what?

Turn them in to whom? Where? Again, toss the consumer a bone. Clearly they don’t know this stuff or they wouldn’t be reading this document.

#2 Anti Phishing Check Point Forward, without opening, all unsolicited emails to spam@uce.gov. Report all phishing emails to reportphishing@antiphishing.org. Forward all emails from “copycat” websites to the authentic website.

Wait, how is this different from #3? Anyway, how are they going to report it as spam or phishing if they haven’t opened it to know that it’s spam or phishing? Half of the bullets above require them to open the email to verify that it’s a phishing email.

#1 Anti Phishing Check Point Avoid being a victim of Phishers and Spammers: Identify, Reduce and Respond. Contact your local internet security expert for consultation.

I love the concept, but who is my “local internet security expert”? Is there a phonebook for such things? “Hello, operator, can you give me the number for my local internet security expert, please?” Come on. This link is partly why education is ranked as the fifth dumbest concept in computer security. I don’t mean to pick on this author directly, but this is exactly what I’m talking about. We cannot ask our consumers to fix our security burdens for us. We have to supply them with the tools transparently, without requiring anything of them. Slipping content filters in at the network layer, or into their browsers or email clients, is far more productive than giving them crazy, conflicting messaging that is more likely to get them into trouble than not.
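The kind of client-side check the post argues for, as an added example (not code from the post or the site it critiques): it shows why the @-in-URL tip (#8) is the wrong thing to teach, since a parser already knows the real host is whatever follows the last @ in the authority, and it applies the bookmark idea (#10) mechanically instead of asking the user to remember it. The bookmark set is a constructed assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the user's own bookmarked sites (assumption, not
# taken from the post); a real mail client would read its bookmark store.
TRUSTED_HOSTS = {"bankofamerica.com", "paypal.com"}


def effective_host(url: str) -> str:
    """Host a browser would actually connect to for this URL."""
    if "://" not in url:
        url = "http://" + url            # schemeless links still need parsing
    # urlsplit moves anything before '@' in the authority into .username /
    # .password, so .hostname is the real host (lowercased, port removed).
    return urlsplit(url).hostname or ""


def same_site(host: str, shown: str) -> bool:
    """True if host is the shown site or a subdomain of it."""
    return host == shown or host.endswith("." + shown)


def is_trusted(host: str) -> bool:
    """True if host is a bookmarked site or a subdomain of one."""
    return any(same_site(host, t) for t in TRUSTED_HOSTS)


def check_link(href: str, visible_text: str) -> list:
    """Reasons a mail-client filter would flag the link; empty means clean."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = parts.hostname or ""
    if parts.username is not None:
        reasons.append(f"userinfo before '@' hides real host {host!r}")
    # If the anchor text itself looks like a hostname or URL, the site it
    # shows must be the site the link really goes to.
    text = visible_text.strip()
    if re.fullmatch(r"\S+\.\S+", text):
        shown = effective_host(text)
        if shown and not same_site(host, shown):
            reasons.append(f"text shows {shown!r} but link goes to {host!r}")
    if not is_trusted(host):
        reasons.append(f"{host!r} is not one of the user's bookmarked sites")
    return reasons
```

Wiring `check_link` into a mail client or proxy puts the decision in software, which is the point the post makes; the user never has to look for an @.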

One Response to “Phishing Checklist Of Doom”

  1. John Herron Says:

    #3 & #2 are a hoot! Who the hell reads abuse messages anymore? If the ISP doesn’t have automated tools for finding this stuff on their network it usually doesn’t get stopped until the load starts impacting performance. abuse@domain.com is already the biggest spam and phishing catch box on their network simply from spiders. I think most of them simply point it to /device/nul anyway.

    I do think educating users to be totally paranoid helps. Our tools can’t stop everything, especially targeted attacks. I prefer they just don’t trust any links. But you’re correct that trying to teach the technical aspects of catching stuff is next to impossible.