Fighting Phishing with AJAX - A Call to Arms - It's Fixed in the Next Release

Google Search

Ads / Sponsors

Project Wonderful - Your ad could be here, right now.

Google Ads

Site Rank

Powered by

My FOSS Work

Groups, etc.

Fighting Phishing with AJAX - A Call to Arms

Thursday, June 7. 2007

I have always wanted to beat "phishers" at their own game. Briefly, a phishing scam creates a page that looks like a legitimate site, requesting user name and password information. The scammers send phony requests via electronic mail under a variety of pretenses, urging customers to follow the enclosed link. Instead of going to your bank or eBay or PayPal, the link goes to their rogue server that looks like a legitimate site and the information is logged there for subsequent criminal activity.

As a rule, if everyone who received a phising attempt (or a mortgage solicitation for that matter) took the time to follow the link, then input bogus data, then the scam / solicitation would instantly be rendered ineffective. The criminals would be faced with sorting through thousands of garbage records in order to locate the actual victims.

Unfortunately as a society, we're don't do all that well at things that benefit the "collective good", so we're stuck with scams in our mailboxes.

But AJAX changes that.

I have often thought &mdash what better way to beat the capture of confidential information from gullible users than to flood phishing databases with useless data? The main problem is that it takes a little time, some programming expertise, and a web server to really do a good job.

My guess is that the proportion of technically savvy people who receive phishing attempts has to be at least as high as the proportion of gullible users. So if those of us with web skills generate scripts that in turn generate thousands of bogus requests, we at least make life difficult for the criminal element.

The benefit of AJAX is that you can use it to generate automated page requests right from the browser. A relatively simple bit of JavaScript code can put random data into a request, then direct it at the rogue server. You can share this page with your not-so-savvy friends, just to make IP address filtering more difficult for them.

The process is pretty simple: look at the source of the scam page, figure out what fields are in the form's request back to the server, then create an AJAX request that fills the form with random but correctly formatted data. Post the request to the server, then loop back and do it again. Repeat until someone takes the server down.

Someone could even write a little library to generate phone numbers, valid state codes, valid postal codes and credit card numbers, and then it would be even easier. I wish I had the time.

Posted by Alan Langford in Internet Technology at 11:51 | Comments (3) | Trackbacks (0)

1970 hits

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Hello
how are u going to identify the phishing site.
this thing is only possible when we knw particular site is phinging

SREE

[Ed. Note: Come on, it's not really that hard. When the text in the link says PayPal.com, but the link goes to http://www.paypal.com.somesite.cn, you can be pretty sure it's phishing. Good mail clients like Thunderbird will warn you about links like this. Good browsers like Firefox will present a warning dialogue when you try to open a reported phishing site. Isn't that enough?]

#1 sree rama konduri on 2008-09-06 01:56 (Reply)

what about phishing links in email, user cannot identify by his eyes and not anti-hishing tools are doing thier best.
Do u have any more ideas about fighting with phishing

[Ed. Note: Aside from educating users a bit, I'm not sure what more the tools can do. I can only speak for Thunderbird, but if the URL in the link doesn't match the text in the link: (1) it pops up a very clear warning; (2) If you hover over the link, you can see the actual target URL in the status. That pretty much does it all for me. Lately the most popular phish attempts seem to all be related to Google AdWords... it's pretty simple to ask "gee, is the domain in this URL actually google.com or not?" If not, then the message is a phish.]

#1.1 sree rama konduri on 2008-09-08 12:14 (Reply)

dude is there any new ideas

[Ed. Note: I am not working on more ideas. My personal opinion is that current tools are pretty good. The big challenge is educating users and getting them to pay attention to the warnings. My idea is that people should pay attention. Good luck with that!]

#2 sree rama konduri on 2008-09-25 15:26 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. E-Mail addresses will not be displayed and will only be used for E-Mail notifications
	Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Competition entry by David Cummins powered by Serendipity v1.0

Authors

Alan Langford
Alan Langford (developer blog)

Syndicate This Blog

RSS 2.0 feed

RSS 2.0 Comments

Geek Blog

On the Enforcability of the GPL

More Controversy: the Joomla Extensions Directory (JED) and the GPL

Simplifying Joomla Template Layouts

How to: Ubuntu PHP Remove Suhosin

Joomla 1.5.8 is... is what??

"IBM May Quit Technology Standards Bodies" WSJ Screams

In Search of an Application Framework: PHP GTK Python XULRunner

Why I Love Open Source

Web 2.0 and the One Page Web Site

Microsoft Security Fix Clobbers Two Million Password Stealers

Top Exits

www.extensionprofessionals.com (20)
www.ambitonline.com (14)
www.theglobeandmail.com (10)
www.joomla.org (9)
www.abivia.net (7)
www.google.com (7)
www.funnyordie.com (6)
www.softwarefreedom.org (6)
www.techcebu.net (6)
developer.mozilla.org (5)

Fighting Phishing with AJAX...

It's Fixed in the Next Release

Google Search

More Content