Identicon-based Anti-Phishing Protection

I have come up with a couple of new, simple yet very effective, anti-phishing protection schemes using Identicon. One of them requires client-side support so I am interested in talking to browser vendors to build it into browsers ASAP. It's main features are: * dead simple user experience * no certification infrastructure or black/whitelists used * protection … Continue reading Identicon-based Anti-Phishing Protection

Forecast: Phishing for Ransom

I am expecting early adopter segment of phishers to soon seek easier angle of attack because a) increasing use and rapid advancement of anti-phishing technologies makes phishing harder, and b) each wave of phishing attacks educates their preys. I think Ransom Phishing is one such angle. Instead of phishing for authentication devices (username/password), ransom phishing's … Continue reading Forecast: Phishing for Ransom

Phishing Dilution

CNET reports that Cyoto is pumping bogus accounts and passwords to phishers, a technique they are calling dilution. The funny thing is that I proposed the same technique at the a APWG (Anti-Phishing Working Group) meeting almost two years ago which I called spoofback. At the time, technology providers seem to like the idea but … Continue reading Phishing Dilution

Storytelling Phish

Let me tell ya about what I think phishers will do next: storytelling. By storytelling, I mean they will send out a series of messages to each target that tells a coherent, memorable, and compelling story over time. First one might start gently, a notice of sort without any hyperlink. Next one might get more alarming … Continue reading Storytelling Phish

Chromeless Phish

When I built the visual spoofing demo, I could have done it in several ways including chromeless window but I went for the simplest way.  It turns out that some smart phisher recently launched a chromeless window-based phishing attack.  Following is screenshot of the browser window showing the phishing site which was still active at … Continue reading Chromeless Phish

Phishmark Patent

I found out last Friday that the Phishmark idea is likely to be covered by a patent filed by PassMark two years ago.  Although I haven't read their patent application yet, discussion with Louie Gasparini, CTO of PassMark, made it clear that the broad languages used in the patent covers not just use of user/site specific visuals … Continue reading Phishmark Patent