
ANTI-PHISHING FILTERS

Is this a phishing site?

by Gisle Hannemyr

Phishing is a term used in computer security for the act of tricking someone into giving away confidential information by masquerading as a trustworthy person or business. One common form of phishing is to impersonate a legitimate website in order to coerce users into giving away information. Well-made phishing websites are often hard to distinguish from genuine ones, and you need to look closely at their mode of operation to understand that they are fraudulent. For network users, it is important to avoid visiting phishing sites. There now exist tools that are supposed to help with this. However, some of these tools appear to be broken.

Recently, a reader informed me that one of the web pages on the site you are reading now (my personal website) was flagged by Norton Internet Security Online as a phishing site. The URL flagged as dangerous was http://hannemyr.com/photo/flash.html#nettl, and Norton attached the verdict “known phishing site” (kjent nettfiskingsside) to it. [The page has changed since 2007, but the link goes to the version of it Norton flagged as dangerous.] A part of the security warning page that Norton pops up if you try to visit my site (in Norwegian) is shown below. Click on the image to see a full screen dump. [phishing warning]

The web page in question is a simple, read-only text page. It does not ask the user for any kind of information. Why Norton Internet Security Online concluded that this page is part of a phishing site is a mystery.

Verified?

False positives are bad, but giving crooks a “verified” seal of approval is worse. Below are two screen dumps of the verification tool built into the Opera web browser concerning the websites nexline.co.uk and gearxs.us.com. Each is reported as a “Verified Site” that “has been verified by a trusted third party”. [falsely verified site] [falsely verified site]

These two sites do not impersonate other sites, but they masquerade as legitimate e-commerce sites, which they are not. For the record, at the time the screen shots above were taken (fall 2006), both were well-known fraud sites set up for phishing and for taking advance payment without ever delivering merchandise. They have since been taken down.

There is a description of the modus operandi of gearxs.us.com at aa419.org. Briefly, it featured a bogus BBB Reliability Seal (hint: the seal's URL was not at BBB), and its checkout page was not secured and tried to trick marks into typing in their credit card number, expiry date, CVV2 code, and social security number (SSN) in order to buy electronic goods at prices too good to be true. No legitimate merchant needs to know a customer's SSN, but an identity thief does.

My confidence in these tools did not improve when I turned to the anti-phishing site PhishTank to check their verdict, only to find that they too had failed to identify the site correctly as a phishing site. [PhishTank]

Closing Note

I don't know why Norton flagged my site as a known phishing site, or why the anti-phishing tool built into Opera gave two well-known fraud sites a clean bill of health. But I suspect that part of the problem is that many anti-internet-fraud efforts are crowd-sourced, with very little in the way of a quality assurance regime in place.

A case in point is PhishTank. It appears to rely entirely on anonymous reviewers, known only by their handles, to correctly call a site fraudulent based on no published criteria. From the look of it, the people serving as reviewers at PhishTank are able to spot phishing sites that impersonate well-known brand sites with bogus URLs. For instance, when a site claiming to be http://paypal.com is located at this weird URL: http://www.paypal.com.t9pn9fhrdzxix7c8ev2.124oixogepxsafolns74.com/cgi-bin/webscr/?login-dispatch&login_email=marc@die-artillerie.de&ref=pp&login-proc=ok, the PhishTank reviewers are able to tell that it is a phishing site. But they have no idea how to identify sites like http://gearxs.us.com as fraudulent, and end up giving the crooks running such sites a clean bill of health.
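To make the distinction concrete, here is a small added example of my own (not the author's, and not anything PhishTank or Opera runs) of the URL-only heuristic that catches the PayPal lookalike above but finds no signal at all in a self-contained fraud site; the brand list and the tiny stand-in for the Public Suffix List are assumptions for the example.

```python
from urllib.parse import urlsplit

# Brands whose own domain must host any page carrying their name in the
# hostname (assumed list for this example).
BRAND_DOMAINS = {"paypal.com", "ebay.com"}

# Stand-in for the Public Suffix List: two-label suffixes under which the
# registrable domain is the third label from the right (assumption).
TWO_LABEL_SUFFIXES = {"co.uk", "us.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname (simplified PSL logic)."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_impersonation(url: str):
    """Return the brand domain whose name appears as a hostname label while
    the registrable domain belongs to someone else, or None when the URL
    alone gives no such signal (as with gearxs.us.com)."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().split(".")
    owner = registrable_domain(host)
    for brand in sorted(BRAND_DOMAINS):
        brand_label = brand.split(".")[0]
        if brand_label in labels and owner != brand:
            return brand
    return None


# Constructed inputs: the PayPal lookalike host quoted in the post (query
# string dropped) and the self-contained fraud site it is contrasted with.
PHISH_URL = ("http://www.paypal.com.t9pn9fhrdzxix7c8ev2."
             "124oixogepxsafolns74.com/cgi-bin/webscr/")
FRAUD_URL = "http://gearxs.us.com/checkout.html"

if __name__ == "__main__":
    for u in (PHISH_URL, FRAUD_URL, "https://www.paypal.com/cgi-bin/webscr"):
        print(u, "->", brand_impersonation(u))
```

The second URL returning None is the whole point: nothing in the hostname of a site like gearxs.us.com betrays it, so a reviewer who only inspects URLs has nothing to go on.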

Acknowledgements

Thanks to Jarle Lund for providing the screen dump from Norton Internet Security Online.


Creative Commons License Copyright © 2007 Gisle Hannemyr. Some rights reserved.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.