The modern plague of phishing
Once upon a time, the so-called Nigerian letters were adapted into online versions by devious spammers. They were basically email versions of advance-fee fraud, and I suppose that a few people fell for these traditional scams when they were delivered by snail mail. Unfortunately the spammers have evolved along with the rest of the world. The weakness being exploited has shifted from a lack of common sense to a lack of advanced computer knowledge.
Phishing and other fraud involving social engineering techniques have expanded a lot in recent years and can be found in email, IM, blog comments and more. Anti-phishing filters are having a hard time keeping up with the attackers. There are often several clues that reveal a phishing attempt, such as spelling errors, a raw IP address instead of a host name in the links, and a lack of personalization in the message (a "Dear valued customer" where your bank would use your name).
However, modern malice such as IDN spoofing and cross-site scripting makes it hard for casual surfers to detect the phishing activity. IDN spoofing registers a domain whose name is spelled with look-alike characters from another script (a Cyrillic "а" in place of a Latin "a"), so the address bar shows what appears to be the real domain; a cross-site scripting hole on a legitimate site lets the attacker serve the phishing page from the real domain itself, so even a careful check of the URL does not help. Even Hanselman got phished (and immediately felt embarrassed). If even computer-savvy experts fall prey to this kind of scam, it has definitely gotten bad. How can we as developers better protect the average web citizen?
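To make the clues above concrete, here is a small heuristic scanner, added as an example and not code from the original post: it flags link hosts that are raw IP addresses, hosts with non-ASCII or mixed-script labels (the IDN homograph trick, including punycode xn-- labels decoded back to Unicode), and generic greetings or a missing recipient name. Spelling errors are left out since they need a dictionary. The sample messages, the recipient name "Alice", and the function names are constructed for the example; it runs offline with only the standard library.

```python
"""Heuristic phishing-clue scanner (added example, not from the original post)."""
import ipaddress
import re
import unicodedata
from typing import List, Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b",
    re.IGNORECASE | re.MULTILINE,
)


def _script(ch: str) -> Optional[str]:
    """Script of a letter, taken from the first word of its Unicode name
    ("LATIN SMALL LETTER A", "CYRILLIC SMALL LETTER A"); digits, dots and
    hyphens are script-neutral and return None."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def _to_unicode_label(label: str) -> str:
    """Decode an ACE (xn--) label to its Unicode form so it can be
    inspected; non-ACE labels are returned unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def host_clues(host: str) -> List[str]:
    """Return the phishing clues found in one link host."""
    clues: List[str] = []
    try:
        ipaddress.ip_address(host)
        clues.append(f"link host is a raw IP address ({host})")
        return clues
    except ValueError:
        pass  # not an IP literal, inspect the labels instead
    for label in (_to_unicode_label(part) for part in host.split(".")):
        if any(ord(c) > 127 for c in label):
            # Show the ACE form a browser would fall back to for this label.
            ace = "xn--" + label.encode("punycode").decode("ascii")
            clues.append(f"non-ASCII label {label!r} (ACE form {ace})")
        scripts = {s for s in map(_script, label) if s}
        if len(scripts) > 1:
            clues.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    return clues


def scan_message(text: str, recipient_name: Optional[str] = None) -> List[str]:
    """Scan a message body for the clues discussed in the text."""
    clues: List[str] = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        clues.extend(f"{url}: {c}" for c in host_clues(host))
    if GENERIC_GREETING_RE.search(text):
        clues.append("generic greeting instead of the recipient's name")
    if recipient_name and recipient_name.lower() not in text.lower():
        clues.append(f"recipient name {recipient_name!r} never appears")
    return clues


# Constructed sample messages; the second link uses a Cyrillic U+0430 "a".
SAMPLE_PHISH = (
    "Dear valued customer,\n"
    "Your account has been suspended. Verify it at\n"
    "https://www.p\u0430ypal.com/login or http://192.0.2.10/verify\n"
)
SAMPLE_LEGIT = (
    "Hi Alice,\n"
    "Your statement is ready: https://www.example.com/statements\n"
)

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, scan_message(body, recipient_name="Alice") or "no clues")
```

The script-mixing check is the interesting part: a homograph such as "pаypal" with a single Cyrillic letter looks identical on screen, but its label contains both LATIN and CYRILLIC letters, which no legitimate brand name does. A whole-script confusable (every letter Cyrillic) passes that check and is only caught by the non-ASCII test, which is why browsers ended up showing such names in their xn-- form.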
Modern browsers such as Firefox 2, Opera and Internet Explorer 7 contain anti-phishing support based on blacklists of known phishing sites, which means a brand-new site is not caught until someone reports it. Anti-phishing toolbars can help by prominently displaying the real domain name of the page. But technology can’t save people from themselves, which is one of the reasons why social engineering techniques are so devious and hard to counter. In the end, it often comes down to common sense:
Would you give your car key to someone in the street claiming to be a mechanic for free? Not likely.
Would you send your bank account number and PIN in plain text to someone on the internet claiming to work for your bank? Apparently several people seem to think this is a great idea.
Software developers are putting a lot of effort into getting rid of the phishing threat, but that doesn’t entitle anyone to switch off their brain entirely the moment they connect to the web.