Thwarting Phishers with the SmartScreen Filter
Phishing
refers to creating a replica of an existing web page to fool a user
into submitting personal, financial, or password data. The term comes
from the fact that Internet scammers are using increasingly
sophisticated lures as they “fish” for users’ financial information and
password data. The most common ploy is to copy the web page code from a
major site—such as AOL or eBay—and use it to set up a replica page that
appears to be part of the company’s site. (This is why another name for
phishing is spoofing.)
Phishers send out a fake email with a link to this page, which solicits
the user’s credit card data or password. When a recipient submits the
form, it sends the data to the scammer and leaves the user on an actual
page from the company’s site so that he or she doesn’t suspect a thing.
A
phishing page looks identical to a legitimate page from the company
because the phisher has simply copied the underlying source code from
the original page. However, no spoof page can be a perfect replica of
the original. Here are five things to look for:
The URL in the address bar—
A legitimate page will have the correct domain—such as aol.com or
ebay.com—whereas a spoofed page will have only something similar—such
as aol.whatever.com or blah.com/ebay.
Note
With
some exceptions (see the following discussion of domain spoofing), the
URL in the address bar is usually the easiest way to tell whether a
site is trustworthy. For this reason, Internet Explorer 8 makes it
impossible to hide the address bar in all browser windows, even simple
pop-ups.
The URLs associated with page links—
Most links on the page probably point to legitimate pages on the
original site. However, some links might point to pages on the
phisher’s site.
The form-submittal address—
Almost all spoof pages contain a form into which you’re supposed to
type whatever sensitive data the phisher seeks from you. Select View,
Source, and look at the value of the <form> tag’s action
attribute—the form submits your data to this address. Clearly, if the
form is not sending your data to the legitimate domain, you’re dealing
with a phisher.
Text or images that aren’t associated with the trustworthy site—
Many phishing sites are housed on free web hosting services. However,
many of these services place an advertisement on each page, so look for
an ad or other content from the hosting provider.
Internet Explorer’s lock icon in the status bar and Security Report area—
A legitimate site would transmit sensitive financial data only using a
secure HTTPS connection, which Internet Explorer indicates by placing a
lock icon in the status bar and in the address bar’s new Security
Report area. If you don’t see the lock icon on a page that asks for
financial data, the page is almost certainly a spoof.
If
you watch for these things, you’ll probably never be fooled into giving
up sensitive data to a phisher. However, it’s often not as easy as it
sounds. For example, some phishers employ easily overlooked
domain-spoofing tricks such as replacing the lowercase letter L with the number 1, or the uppercase letter O with the number 0. Still, phishing sites don’t fool most experienced users, so this isn’t a big problem for them.
Novice
users, on the other hand, need all the help they can get. They tend to
assume that if everything they see on the Web looks legitimate and
trustworthy, it probably is. And even if they’re aware that scam sites
exist, they don’t know how to check for telltale phishing signs. To
help these users, Internet Explorer 8 comes with a new tool called the SmartScreen Filter. This filter alerts you to potential phishing scams by doing two things each time you visit a site:
Analyzes the site content to look for known phishing techniques (that is, to see whether the site is phishy). The most common of these is a check for domain spoofing. This common scam also goes by the names homograph spoofing and the lookalike attack.
Internet Explorer 8 also supports Internationalized Domain Names (IDN),
which refers to domain names written in languages other than English,
and it checks for IDN spoofing, domain name ambiguities in the user’s chosen browser language.
Checks
a global database of known phishing sites to see whether it lists the
site. This database is maintained by a network of providers such as
Cyota, Inc., Internet Identity, and MarkMonitor, as well as by reports
from users who find phishing sites while surfing. According to
Microsoft, this “URL reputation service” updates several times an hour
with new data.
Here’s how the SmartScreen Filter works:
If
you visit a site that Internet Explorer knows is a phishing scam, it
changes the background color of the address bar to red and displays a Phishing Website
message in the Security Report area. It also blocks navigation to the
site by displaying a separate page telling you that the site is a known
phishing scam. A link is provided to navigate to the site, if you so
choose.
Note
In
the Security Report area, clicking whatever text or icon appears in
this area produces a report on the security of the site. For example,
if you navigate to a secure site, you see the lock icon in this area.
Click the lock to see a report that shows the site’s digital
certificate information.
If
you visit a site that Internet Explorer thinks is a potential phishing
scam, it changes the background color of the address bar to yellow and
displays a Suspicious Website message in the Security Report area.
For a suspected phishing site, click the Suspicious Website
text, and Internet Explorer displays a security report. If you’re sure
that this is a scam site, report it to improve the database of phishing
sites and prevent others from giving up sensitive data. You should also
send a report if you’re sure that the site is not
being used for phishing, because that improves the database as well. To
report a site, either click the Report link in the security report or
select Tools, SmartScreen Filter, Report Unsafe Website.