<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; anti-phishing</title> <atom:link href="http://www.ghacks.net/tag/anti-phishing/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Gmail Adds Detailed Sender Information To Improve Security</title><link>http://www.ghacks.net/2011/06/30/gmail-adds-detailed-sender-information-to-improve-security/</link> <comments>http://www.ghacks.net/2011/06/30/gmail-adds-detailed-sender-information-to-improve-security/#comments</comments> <pubDate>Thu, 30 Jun 2011 13:32:27 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Google]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[gmail]]></category> <category><![CDATA[google-mail]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47173</guid> <description><![CDATA[When I was working in tech support for a large German financial corporation I regularly had to deal with support requests by customers who received phishing emails. It took a lot to convince the majority of customers that those phishing emails were not sent by the company, but by criminals. Especially fake email addresses were [...]]]></description> <content:encoded><![CDATA[<p>When I was working in tech support for a large German financial corporation I regularly had to deal with support requests by customers who received phishing emails. It took a lot to convince the majority of customers that those phishing emails were not sent by the company, but by criminals. Especially fake email addresses were a problem, as many could not understand that it was possible to fake the email sender.</p><p>Google recently announced changes to their email service Gmail that would aid users in determining the real sender of an email message.</p><p>Google actually has added a series of improvements to Gmail. Emails from a sender who is not already in a Gmail user&#8217;s contacts are now shown prominently in the header. This change makes it easier to identify the sender directly without having to look at all email headers.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/google-email-sender-phishing.png" alt="google email sender phishing" title="google email sender phishing" width="546" height="32" class="alignnone size-full wp-image-47174" /></p><p>But the changes do not stop here. It sometimes happens that someone sends an email for another user or from another website, for instance by using a web form. This is now also reflected in the email header directly. Gmail users now see the name of the sender as well as the sender&#8217;s email address and a via link.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/email-send-via.png" alt="email send via" title="email send via" width="560" height="27" class="alignnone size-full wp-image-47175" /></p><p>Probably the biggest change from an anti-phishing point of view is a new warning that appears if Gmail believes that the email could have been sent by someone else. Gmail shows a &#8220;This message may not have been sent by&#8221; warning underneath the sender with links to learn more and to report a phishing email.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/fake-email.png" alt="fake email" title="fake email" width="522" height="101" class="alignnone size-full wp-image-47176" /></p><p>All three additions are visible directly when an email has been opened on the Gmail website. The new information improves security for all Gmail users, provided that those users pay attention to the notifications and additional information.</p><p>The first two additions in particular can be overlooked easily due to their gray font color on a white background. The phishing warning, on the other hand, uses a yellow background so that it can be easily spotted by everyone. (<a
href="http://gmailblog.blogspot.com/2011/06/protect-yourself-from-scams-by-knowing.html?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+OfficialGmailBlog+%28Gmail+Blog%29">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/30/gmail-adds-detailed-sender-information-to-improve-security/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Help the fight against phishing with Phishtank</title><link>http://www.ghacks.net/2009/08/24/help-the-fight-against-phishing-with-phishtank/</link> <comments>http://www.ghacks.net/2009/08/24/help-the-fight-against-phishing-with-phishtank/#comments</comments> <pubDate>Sun, 23 Aug 2009 22:13:48 +0000</pubDate> <dc:creator>Joe</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[antiphishing]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishtank]]></category> <category><![CDATA[social-phishing]]></category> <category><![CDATA[web of trust]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=15598</guid> <description><![CDATA[For anti-phishing tools to work, phishing sites must be identified so they can be analysed and people warned about them. Sites like Web of Trust allow users to share information about phishing sites, but scores of similar tools exist, and it would be counter-productive for each to maintain their own database of phishing sites. PhishTank centralises phishing [...]]]></description> <content:encoded><![CDATA[<p>For anti-phishing tools to work, phishing sites must be identified so they can be analysed and people warned about them.</p><p>Sites like <a
href="http://www.ghacks.net/2008/12/02/web-of-trust-collaborative-online-security/">Web of Trust</a> allow users to share information about phishing sites, but scores of similar tools exist, and it would be counter-productive for each to maintain their own database of phishing sites.</p><p><a
href="http://www.phishtank.com/">PhishTank</a> centralises phishing reports and allows developers to use their data free-of-charge in their own applications, with manual or automatic download enabled (although the latter requires a free API key).</p><p>PhishTank offers a service a lot of web users will use without even realising it. Whilst certain tools might submit their data to PhishTank too, you can help your fellow web users and fight phishers through submitting data directly to PhishTank.</p><p><span
id="more-15598"></span>With a free registered account, reports can be submitted through a web interface or through email. It is extremely easy to send the next phishing attempt that manages to get through your spam filters to PhishTank. Provided you have that email address registered with them, all you have to do is forward it to phish (at) phishtank.com.</p><p>Whilst it might not directly benefit you to do so, you are helping users who might help you too. If nothing else, you are keeping your credit card interest rate down marginally, as your bank has to pay less out to compensate phishing victims!</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/08/24/help-the-fight-against-phishing-with-phishtank/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Add Hostname To Firefox Titlebar</title><link>http://www.ghacks.net/2008/12/10/add-hostname-to-firefox-titlebar/</link> <comments>http://www.ghacks.net/2008/12/10/add-hostname-to-firefox-titlebar/#comments</comments> <pubDate>Wed, 10 Dec 2008 20:12:19 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[antiphishing]]></category> <category><![CDATA[firefox add-ons]]></category> <category><![CDATA[firefox phishing]]></category> <category><![CDATA[firefox-extensions]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishing protection]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=8896</guid> <description><![CDATA[The hostname is basically the root url of a website, for Ghacks it would be www.ghacks.net. Adding that information to the titlebar has two apparent benefits. Number one is related to phishing. Antiphishing measures have been implemented in many web browsers and security software programs which could lead to the assumption that &#8220;yet another&#8221; way [...]]]></description> <content:encoded><![CDATA[<p>The hostname is basically the root url of a website, for Ghacks it would be www.ghacks.net. Adding that information to the titlebar has two apparent benefits. Number one is related to phishing. Antiphishing measures have been implemented in many web browsers and security software programs which could lead to the assumption that &#8220;yet another&#8221; way of helping with the identification of phishing sites might be overkill.</p><p>Experienced users on the other hand know that no software or script will reach an accuracy of 100%. There will always be false positives and negatives meaning regular websites that are identified as phishing websites (although they are not) and phishing websites that are not identified as such. The latter is obviously more devastating for the user.</p><p>Adding the hostname to the titlebar gives the user the opportunity to quickly check if he is on the right website. This in addition to other indicators can aid the user tremendously. More tips can be found at our <a
href="http://www.ghacks.net/2006/01/25/phishing-explained/">Phishing Explained</a> article.</p><p><span
id="more-8896"></span><img
src="http://www.ghacks.net/wp-content/uploads/2008/12/hostname_titlebar-500x46.jpg" alt="hostname titlebar" title="hostname titlebar" width="500" height="46" class="alignnone size-medium wp-image-8897" /></p><p>There is, however, another benefit for users who work with password managers like KeePass, which make use of the title for identification purposes.</p><p><a
href="https://addons.mozilla.org/en-US/firefox/addon/hostname-in-titlebar/">Hostname in Title Bar</a> (via <a
href="http://www.technixupdate.com/catch-phishing-sites-with-hostname-in-title-bar-for-firefox/">Technix Update</a>) is an experimental Firefox add-on which means that you have to sign in to the Mozilla website before you are allowed to download and install it.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/12/10/add-hostname-to-firefox-titlebar/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Free Phishing Protection with Delphish</title><link>http://www.ghacks.net/2007/05/06/free-phishing-protection-with-delphish/</link> <comments>http://www.ghacks.net/2007/05/06/free-phishing-protection-with-delphish/#comments</comments> <pubDate>Sun, 06 May 2007 18:37:17 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[delphish]]></category> <category><![CDATA[microsoft outlook]]></category> <category><![CDATA[phishing]]></category> <category><![CDATA[phishing extension]]></category> <category><![CDATA[thunderbird]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2007/05/06/free-phishing-protection-with-delphish/</guid> <description><![CDATA[Many Internet users do not realize how dangerous phishing can be. They receive an email which claims to be from their bank and they blindly trust everything that is written in that mail and will click on any links that are displayed in that mail to "update" their security software or passwords. They are usually redirected to sites that phish for their passwords and use them to make online transactions. I'm always astonished by the number of users that want to do online banking for instance on the Internet but lack basic security knowledge.]]></description> <content:encoded><![CDATA[<p>Many Internet users do not realize how dangerous phishing can be. They receive an email which claims to be from their bank and they blindly trust everything that is written in that mail and will click on any links that are displayed in that mail to &#8220;update&#8221; their security software or passwords. They are usually redirected to sites that phish for their passwords and use them to make online transactions. I&#8217;m always astonished by the number of users that want to do online banking for instance on the Internet but lack basic security knowledge.</p><p>Installing software that protects the computer against most forms of phishing would be one way to deal with the lack of knowledge. <a
href="http://www.delphish.com/en/download.html" target="_blank">Delphish</a> is a free anti-phishing extension for Microsoft Outlook and Mozilla Thunderbird. It adds a new toolbar to the email client with several new options. The most important button in that toolbar is the Check for Phishing button which analyzes the mail in two steps. The first step is a comparison to an online database that contains known phishing emails. If that check is positive the result will be shown and the mail will be moved into the phishing folder.</p><p><span
id="more-1513"></span>If the first comparison is negative, Delphish will analyze the contents of the mail for factors that are normally used in phishing emails. A whitepaper that is available on the Delphish website details that process, but it is best left to interested readers who have a technological and mathematical background. Some of the factors that play a role in determining whether the mail is a phishing email are: geolocation, link analysis, context analysis and reputation analysis.</p><p>Even with the extension installed, common sense should be used as well. You can use Delphish as a first layer of defense against phishing but should make sure that you are able to analyze the mails by yourself as well.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2007/05/06/free-phishing-protection-with-delphish/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>Realtime Anti-Phishing Add-on for Firefox gone bad</title><link>http://www.ghacks.net/2006/11/06/realtime-anti-phishing-add-on-for-firefox-gone-bad/</link> <comments>http://www.ghacks.net/2006/11/06/realtime-anti-phishing-add-on-for-firefox-gone-bad/#comments</comments> <pubDate>Mon, 06 Nov 2006 06:16:49 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[firefox-extensions]]></category> <category><![CDATA[mozilla]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2006/11/06/realtime-anti-phishing-add-on-for-firefox-gone-bad/</guid> <description><![CDATA[Phishing, as Wikipedia puts it, is a criminal activity using social engineering techniques. I receive daily mails that seem to come from respected websites like eBay, Amazon or financial sites that ask me to update my software by following a link from within the email. This leads to a fake website that looks similar to the website that you normally visit. Once you enter your login data the criminals will have and use that information for their own advantage.]]></description> <content:encoded><![CDATA[<p>Phishing, as Wikipedia puts it, is a criminal activity using social engineering techniques. I receive daily mails that seem to come from respected websites like eBay, Amazon or financial sites that ask me to update my software by following a link from within the email. This leads to a fake website that looks similar to the website that you normally visit. Once you enter your login data the criminals will have and use that information for their own advantage.</p><p>Worst case? They transfer all your money from your bank account or create bogus eBay auctions for great buy it now prices. The average user has a hard time detecting fake websites. A guideline would be to never click on links in emails, check the SSL lock in the status bar and take a look at the site's certificate. Most users do not know about this. Enter <a
target="_Blank" href="https://addons.mozilla.org/en-US/firefox/addon/phishtank-sitechecker/">Phishtank SiteChecker</a>.</p><p><span
id="more-896"></span></p><p>The Phishtank SiteChecker Add-on checks with the Phishtank phishing database every time you load a website and displays a warning if you are about to enter a website that is listed there. That is the theory.</p><p>I performed a few checks and discovered some interesting results. As we all know, Firefox 2.0 has built-in phishing protection. I tried to access some of the websites that are listed on the <a
target="_blank" href="http://www.phishtank.com/phish_archive.php">Phishtank site</a> and none that I tested were shown as phishing websites by Phishtank's SiteChecker. Firefox itself, however, warned me every time I opened one of the sites mentioned in the list.</p><p>This could mean two things. Either Phishtank SiteChecker and Firefox 2.0 don&#8217;t work well together, which means that once Firefox 2.0 checks the site and gives you a phishing warning the SiteChecker is somehow prevented from doing so, or the SiteChecker is not working that well.</p><p>This could still be a nice extension for pre-2.0 versions; I would suggest you keep an eye on the extension. At the moment it is not useful at all. Even 1.x users of Firefox should consider upgrading to 2.x instead of installing that add-on at the moment.</p><p><strong>Update:</strong></p><p>The new version is working fine for me; I suggest you update to the newest version ASAP.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2006/11/06/realtime-anti-phishing-add-on-for-firefox-gone-bad/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>Anti-Phishing Tips</title><link>http://www.ghacks.net/2006/07/14/anti-phishing-tips/</link> <comments>http://www.ghacks.net/2006/07/14/anti-phishing-tips/#comments</comments> <pubDate>Fri, 14 Jul 2006 05:15:54 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[anti-phishing]]></category> <category><![CDATA[phishing tips]]></category> <category><![CDATA[prevent phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/2006/07/14/anti-phishing-tips/</guid> <description><![CDATA[Phishing is a popular method to capture personal data such as passwords, transaction numbers and credit card details. The company I'm working with locks several user accounts each day to prevent harm done to them due to phishing. It normally starts with an email asking you to update your profile, to download a security update or an email that reveals that you are the highest bidder of an eBay auction (that you do not know about).]]></description> <content:encoded><![CDATA[<p>Phishing is a popular method to capture personal data such as passwords, transaction numbers and credit card details. The company I'm working with locks several user accounts each day to prevent harm done to them due to phishing. It normally starts with an email asking you to update your profile, to download a security update or an email that reveals that you are the highest bidder of an eBay auction (that you do not know about).</p><p>To make this work they have to capture your data on one of their servers. A link is always provided in the email which looks pretty normal, e.g. http://www.ebay.com/. You might know that the HTML link tag is able to provide a link and a text that is shown instead of the link. Those criminals use this to their advantage, showing ebay.com and directing the user to a different location.</p><p><span
id="more-628"></span>Onwards to the tips:</p><ul><li>Phishing only works if you click on a link that leads to a website that looks similar to the one you want to visit. If you do not click a link in the email but enter the URL of the company directly in your browser window you are safe. This is the best tip to prevent phishing at all. <strong>Do not follow email links.</strong></li><li>If you receive an email asking you to call a company, compare the phone numbers and use the ones that you know and not the ones mentioned in emails. Social engineering is a rising threat as well. Most people do not know that phishing can also happen by phone. <strong>Check the phone numbers in emails.</strong></li><li>You receive an email stating that you are the highest bidder for a golden ring on eBay or that your phone bill is incredibly high and that you can verify the bill by clicking on the document attached. <strong>Use your brain. </strong>You know that you are not the highest bidder and that the phone bill can't be real either. To check the first, type the URL of eBay into your browser and you will see there is no such auction. In the second case, call your phone company and they will verify that this is a phishing attempt.</li><li>Always verify that you are at the right website before entering data. Firefox 2 and Internet Explorer 7 will have anti-phishing tools on board but it is always a good idea to verify this for yourself. Look at the URL: is it the right one? It should normally be a https:// website, which can be verified by looking at the yellow padlock in the status bar. If you click it you will see the certificate and you can compare the certificate to the one of the company that you want to visit. (Some companies store the certificate information on their webservers, some don't; call them and you will receive this information.)</li></ul><p>To sum it all up: people like you and me will most likely detect fake websites and act accordingly.
Normal users have a hard time identifying those websites and are the main phishing targets. They don't know about the technical possibilities and simply assume that everything is alright.</p><p>Maybe because they are lazy, maybe because they do not want to spend time learning computer stuff. Who knows. Phishing will stop if the majority of users are educated and know how to handle computers.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2006/07/14/anti-phishing-tips/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> </channel> </rss>
