Warning about accessing / attacking phishing and spoofing sites

Date: Sun, 19 Dec 2004 09:59:16 +0200
"Ian" <webappsec2@fishnet.co.uk> wrote on Thu, 16 Dec 2004 10:42:23:

<snip>

>> Personally, I like stringing them on and giving them false information and
>> wasting their time. It's fun, I recommend all of you try it : )


> You may have stumbled across a solution here  ;)

You both probably meant this as a joke, but just for safety, let me warn anybody against doing this, or entering phishing sites `just for fun`. Since we're doing research on secure user-interface extensions to browsers to prevent web spoofing and phishing, I've been looking at many phishing and spoofing web sites (see article at http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm or extension for Mozilla/FireFox at http://trustbar.mozdev.org). However, this should be done very carefully (read: from a specially protected, not sensitive machine), since many of these sites try (also) to use different browser vulnerabilities to break into machines. While I am sure you are all trying to maintain your browsers and OS updated and configured securely, there is always the risk of some exploit you were not aware of. So, I suggest you don't visit these pages `just for fun`.

> Why not code an automated system that fills
> in their bogus log in screens with false
> information?

I'm not sure if you were serious, but if you were... this idea isn't. With too many sites being attacked, this system would take substantial effort to build; and it could be abused to launch a DoS attack on web sites, by making people running this program (`to punish phishers`) attack honest sites (or would you be able to really identify the honest sites? How?)

Best, Amir Herzberg
Associate professor, computer science dept.
Bar Ilan University
http://AmirHerzberg.com