A Google patent application from this morning describes a process of presenting an image overlay and disabling links on Web pages that are determined to likely be sites involved in attempting to masquerade as trustworthy to collect sensitive information from visitors, such as passwords or financially sensitive information.
Browser system and method for warning users of potentially fraudulent websites
Invented by Cynthia Y. Kuo, Fritz J. Schneider and Collin E. Jackson
US Patent Application 20070130327
Published June 7, 2007
Filed December 5, 2005
Abstract
A user is warned of a potentially fraudulent document, such as a webpage, by a warning message that is overlaid on top of the document and of the browser chrome. The warning message is associated with a warning icon displayed in the browser chrome.
The potentially fraudulent document is rendered in the browser such that the links within are not accessible to the user. The rendering may include superimposing an image over the document or rendering a snapshot of the document instead of the document itself.
This method would determine whether a page is likely fraudulent by checking its web address against a blacklist, or by applying a set of rules (heuristics) to decide whether the page shows signs of containing fraudulent content.
The overlay described in the abstract is a purposeful alternative to pop-ups, which many people dislike. I’ve seen my share of ads that “warn” you about the dangers of “being online” and the security risks you take “connecting to the Internet.”
The blacklist may contain specific URLs or URL patterns (e.g., www.badoperator.com/*).
The heuristics may include rules that consider:
- The age of the domain (very new domains may be more likely to host a phishing site),
- The physical location (e.g., the country) of the domain name owner,
- Similarity of the URL to a legitimate URL that is often targeted,
- PageRank status of the URL,
- A comparison of a fingerprint of a document’s content or document structure with the fingerprints of known targets, and identifying documents that contain the logos of known targets.
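To make the blacklist-plus-heuristics idea concrete, here is an added example of a toy risk scorer written for this post; it is not code from the patent application or from Google. It checks a URL against glob-style blacklist patterns in the www.badoperator.com/* form quoted above, then applies three of the listed heuristics: domain age, similarity of the hostname to a commonly targeted legitimate host, and a fingerprint of the document structure. The hostnames, sample pages, registration dates and thresholds are all constructed for the example; only the decision is modelled, not the overlay rendering.

```python
"""Toy phishing-risk scorer modelled on the claims quoted above (added example).

Every hostname, page, date and threshold here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from fnmatch import fnmatchcase
from hashlib import sha256
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blacklist in the "www.badoperator.com/*" pattern style the post quotes.
BLACKLIST = ["www.badoperator.com/*", "*.login-verify-example.test/*"]

# Constructed list of legitimate hosts that phishing pages commonly imitate.
KNOWN_TARGETS = ["www.examplebank.test", "login.examplepay.test"]

# Constructed pages: the phishing page copies the legitimate login form's layout
# (same tag sequence) but changes the visible text.
LEGIT_LOGIN_HTML = "<html><body><form><input><input><button>Sign in</button></form></body></html>"
PHISH_HTML = "<html><body><form><input><input><button>Verify now</button></form></body></html>"

NEW_DOMAIN_DAYS = 30      # constructed threshold: younger than this counts as "very new"
LOOKALIKE_RATIO = 0.8     # constructed threshold for hostname similarity


class _TagSkeleton(HTMLParser):
    """Collects the sequence of start tags, i.e. the document's structure only."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def structure_fingerprint(html: str) -> str:
    """Hash the tag skeleton so a copied layout matches even when the text differs."""
    parser = _TagSkeleton()
    parser.feed(html)
    parser.close()
    return sha256(">".join(parser.tags).encode()).hexdigest()


def is_blacklisted(url: str) -> bool:
    """Match host plus path against the glob patterns; query strings are ignored."""
    parts = urlsplit(url)
    target = (parts.netloc + (parts.path or "/")).lower()
    return any(fnmatchcase(target, pattern) for pattern in BLACKLIST)


def lookalike_score(host: str) -> float:
    """Similarity of host to the closest known target; the targets themselves score 0."""
    host = host.lower()
    if host in KNOWN_TARGETS:
        return 0.0
    return max(SequenceMatcher(None, host, t).ratio() for t in KNOWN_TARGETS)


@dataclass
class Verdict:
    block: bool          # whether the browser should overlay the warning and disable links
    reasons: list[str]


def assess(url: str, html: str, registered: date, today: date,
           known_fingerprints: set[str]) -> Verdict:
    """A blacklist hit blocks on its own; otherwise two heuristics must agree."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if is_blacklisted(url):
        reasons.append("blacklist")
    if lookalike_score(host) >= LOOKALIKE_RATIO:
        reasons.append("lookalike")
    if host not in KNOWN_TARGETS and structure_fingerprint(html) in known_fingerprints:
        reasons.append("fingerprint-match")
    if (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("new-domain")
    block = "blacklist" in reasons or len(reasons) >= 2
    return Verdict(block, reasons)


def run_samples() -> dict[str, Verdict]:
    """Score three constructed cases with a fixed 'today' so results are reproducible."""
    today = date(2007, 6, 7)
    fingerprints = {structure_fingerprint(LEGIT_LOGIN_HTML)}
    return {
        "phish": assess("https://www.examp1ebank.test/login", PHISH_HTML,
                        date(2007, 5, 20), today, fingerprints),
        "legit": assess("https://www.examplebank.test/login", LEGIT_LOGIN_HTML,
                        date(2000, 1, 1), today, fingerprints),
        "listed": assess("http://www.badoperator.com/", "<html></html>",
                         date(2000, 1, 1), today, fingerprints),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: block={verdict.block} reasons={verdict.reasons}")
```

Two design points worth noting: the fingerprint hashes only the tag sequence, which is why a copied login form still matches after the text is changed, and the legitimate target hosts are exempted from the lookalike and fingerprint checks so the real site never flags itself. The "two heuristics must agree" rule is a constructed choice for the example; the application text only says heuristics are used, not how they are weighted.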
Hi Miriam,
I had been receiving a lot of those, and forwarding them to eBay. I haven’t gotten many of them for a while.
It’s really good to hear that eBay has figured out a way of letting people know that those folks are phishing.
Cheers.
Hi Bill,
I thought it might be interesting to add to this that eBay appears to have recently started doing something similar with the onslaught of phishing that takes place via email through their system. I believe this is new (but it may just be that I have only recently become a phishing target).
The basic deal is that phishers contact ebay sellers through the Contact this Seller feature on eBay with messages something like this:
“I can’t believe that you still haven’t sent me my item. You took my money and you haven’t delivered what I purchased. I will report you to eBay and to legal authorities if you don’t immediately send me my item.”
The first time I ever got something like this, I was totally baffled, but over the past few months, not only are such emails showing up in my inbox with a PHISHING label appended to the subject line, but if you click on the ID of the sender in the email body, eBay is doing an overlay on the sender’s profile that says “This is a known phishing site”.
It’s a good thing, I think, because I can imagine the panic caused to eBay sellers who get emails like this, may not be terribly Internet savvy, and think that their reputation is about to be damaged for something they haven’t knowingly done.
Darn those phishers. What crummy folks they are.
I enjoyed your post!
Miriam
The only true way to prevent phishing attacks is to educate the public. While I think that these companies’ efforts are noble, they’d do better with educational mini-courses.
Hi Cybercriminal,
I agree completely that education of the public is one of the most important steps that companies concerned about stopping phishing can take.
I do think that businesses which provide services online feel an obligation to try to do something to be socially responsible to their customers, and to people who might be harmed by people engaging in phishing activities. It is possible that some of the technological solutions being pursued can make a difference and I think that many of them have, but ultimately, it does come down to having an educated consumer making good choices.