One of the few things that - perhaps - alerts users that they've been phished is when (after entering perfectly valid login details) they see something like this:
...or like this:
Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:
1. Visit Phish page
2. Enter details
3. You are told "your login cannot be processed at this time", and your information is stolen
What if the process could go like this:
1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site
You'd miss that vital clue - the failed login - and assume everything was okay.
Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:

Here I am, entering my login details into the page:
At this point, a regular Phish page risks giving the game away with one of the familiar variations on "Your login could not be processed".
However, the Phish page takes you to a page hosting a base64-encoded script (inside which the hidden code goes about its business of logging you into the site for real. No, we're not going to make it easier for wannabe Phishers and show everyone how it's done).
From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!

Meanwhile, my login has been stolen (it's the one in red) and placed in the ever-growing pile collected by the Phisher:

From the point where I decided to log in to Habbo Hotel, to the point where I'm actually logged into the site, there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors, because the stakes seem to have been raised once again.
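Seen from the target site's side, the seamless login can still leave a trace: assuming the relay submits the login from the victim's browser, the site receives a login POST whose Referer names a foreign host. The sketch below is an added example, not code from the original post; the host names, login path, log format and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumptions for this sketch (none come from the original post): the site's
# own host names, its login path, and a combined-format access log.
OWN_HOSTS = {"example-hotel.test", "www.example-hotel.test"}
LOGIN_PATH = "/account/submit"

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines; addresses and hosts are documentation values.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /account/submit HTTP/1.1" 302 0 "https://www.example-hotel.test/" "UA"
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "POST /account/submit HTTP/1.1" 302 0 "http://free-credits.example/go.html" "UA"
203.0.113.9 - - [01/Jan/2024:10:02:41 +0000] "POST /account/submit HTTP/1.1" 302 0 "http://free-credits.example/go.html" "UA"
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "POST /account/submit HTTP/1.1" 302 0 "-" "UA"
192.0.2.50 - - [01/Jan/2024:10:03:30 +0000] "GET /account/submit HTTP/1.1" 200 512 "http://free-credits.example/go.html" "UA"
203.0.113.77 - - [01/Jan/2024:10:04:12 +0000] "POST /account/submit?lang=en HTTP/1.1" 302 0 "https://forum.example/thread/1" "UA"
"""


def foreign_login_referers(log_text):
    """Map each external Referer host on a login POST to its client IPs."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["path"]).path != LOGIN_PATH:
            continue
        # A missing Referer is logged as "-" and has no hostname: skip it,
        # since an absent header says nothing about where the form lived.
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if host and host not in OWN_HOSTS:
            hits[host].add(m["ip"])
    return dict(hits)


def suspect_hosts(log_text, min_clients=2):
    """External hosts that fed logins from at least min_clients distinct IPs."""
    found = foreign_login_referers(log_text)
    return sorted(h for h, ips in found.items() if len(ips) >= min_clients)


if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        print("review referrer host:", host)
```

Browsers and proxies can strip the Referer header, so an empty result does not show that no logins were relayed.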
"Unfortunately, the few 'honest' toolbars have indeed taken the wrath of users as a result of the spyware, parasite, adware and other creepy applications of an otherwise good technology.
What's interesting is that, as far as my own toolbar system goes, I've had offers from clients all over the world to develop different kinds of toolbars -- and without fail -- it is the US-based companies that seem most willing to cross the line and request applications that I simply refuse to develop.
We're talking about features like:
- Forced Install
- Hidden Install
- Report all URLs back
- Report all searches back
- Forcibly and hidden set home page
- Forcibly and hidden set default search engine
- Forcibly generate un-blockable pop-ups
- Install and run hidden executables
- Bypass all security and anti-virus tools
- The list goes on...
What's sad is that I'm able to generate the most powerful and incredibly useful toolbars imaginable. Ones that can save countless hours of time and effort. Ones that can be customized on a per-user basis to make the Internet and use of one's own computer a pleasure.
However, there will always be people around whose sole motivation is the almighty dollar -- and who will do ANYTHING to get it.
These people don't care about you, your wants, your needs, your security or safety -- as long as they can line their pockets with your money, or by taking advantage of actions you perform (even one lousy click!).
They'll infect your machine, using whatever means necessary, and they won't stop -- EVER."
The "industry" has certainly cleaned up since then, but the insistence on wanting to cram a toolbar on every PC, ever, remains. I must admit to being kind of disturbed that none of these companies seemingly want to take "No" for an answer - instead of leaving alone, they keep coming back every month or so. Of course, given the potential for mass moneymaking that's on offer I can't say I'm entirely surprised...