Anti-phishing measures have been implemented as functions built into browsers, as browser extensions or toolbars, and as part of website registry programs. The main approaches are described below. Most websites targeted by phishing are secure sites, meaning that SSL with strong public-key cryptography is used for server authentication, with the website's URL serving as its identifier. In theory, SSL authentication could be used to confirm to the user that the site reached is the one intended; this was one of the design requirements of SSL version 2 and the whole point of secure browsing after authentication. In practice, however, it is easy to trick.
The apparent flaw is that the browser's security user interface (UI) is not adequate for today's powerful threats. Secure authentication via TLS and certificates has three parts: showing that the connection is in authenticated mode, showing which site the user is connected to, and showing which authority vouches that it is indeed this site. All three need to be present for authentication, and all three need to be presented to the user for confirmation.
Secure connection: The standard indicator for secure browsing from the mid-1990s to the mid-2000s was a padlock, which users easily overlooked. In 2005 Mozilla introduced a yellow-background URL bar to make secure connections easier to identify. Unfortunately, this innovation was later withdrawn because of EV certificates: the bar instead shows green for certain high-priced certificates and blue for the others.
Which site: The user should confirm that the domain name in the browser's URL bar is actually the site they intend to visit. URLs can be very complex and hard to parse by eye. Users often do not know, or cannot recognise, the correct URL of the site they want to reach, so verifying its authenticity becomes meaningless. A precondition for meaningful server authentication is that the server's identifier be meaningful to the user; yet many e-commerce companies change domain names within their overall portfolio of websites or spread them across sub-domain structures, which increases the chance of confusion. Simply displaying the domain name of the visited website, as some anti-phishing toolbars do, is therefore not enough.
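The "which site" problem above is easiest to see with concrete URLs. The following is an added example, not code from the original page or from any browser: it extracts the host a browser actually connects to, an approximation of the name a user could be expected to recognise, and a list of the ways the full URL could mislead. The sample URLs use reserved example/test names and are constructed for this illustration; the two-label "registrable domain" is an assumption that a real implementation would replace with a Public Suffix List lookup.

```python
"""Added example: what a browser's 'which site' indicator should extract
from a URL, and why the raw URL is a poor identifier."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample URLs (reserved example/test names, not real sites).
SAMPLE_URLS = [
    "https://www.bank.example/login",
    "https://www.bank.example.attacker-site.example/login",
    "https://www.bank.example@attacker-site.example/login",
    "http://192.0.2.10/secure/bank.example/",
    "https://xn--bnk-example.example/",
]


def is_ip_literal(host):
    """True if the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def display_identity(url):
    """Return (host, registrable_name, warnings) for a URL.

    host is what the browser actually connects to, registrable_name is the
    part a user can reasonably be expected to recognise, and warnings lists
    the ways the full URL could mislead a reader.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased by urlsplit
    warnings = []
    if parts.scheme != "https":
        warnings.append("no TLS: the server is not authenticated at all")
    if parts.username is not None:
        # Everything before '@' is user-info, not the site; a trusted-looking
        # name placed there is not the server being contacted.
        warnings.append("text before '@' is user-info, not the site: "
                        + parts.username)
    if is_ip_literal(host):
        warnings.append("bare IP address: nothing for the user to recognise")
        return host, host, warnings
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode label: may render as a look-alike name")
    # Assumed approximation of the registrable domain (last two labels).
    # A real implementation must consult the Public Suffix List (e.g. co.uk).
    registrable = ".".join(labels[-2:])
    if len(labels) > 3:
        warnings.append("deep subdomain: the registered site is " + registrable)
    return host, registrable, warnings


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host, registrable, warnings = display_identity(url)
        print(f"{url}\n  show: {registrable} (host {host})")
        for w in warnings:
            print("  warning:", w)
```

The point of returning the registrable name separately is that it, not the full URL, is what a user-facing indicator should emphasise; the warnings are the cases a toolbar that merely echoes the domain name would leave unexplained.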
Another alternative is Firefox's Petname add-on, which lets users assign their own label to a website so that they can recognise it when they return to it later. If a site is not recognised, the software can warn the user or block the site entirely. This represents user-centric server identity management. Some have suggested that a user-selected image would work better than a petname.
With the emergence of EV certificates, browsers generally display the organisation name in white text on a green background, which is easier for users to identify and consistent with their expectations. Unfortunately, browser vendors have chosen to limit this prominent display to EV certificates, leaving other certificates to fend for themselves.
Who is the authority: The browser needs to indicate who the authority is behind the identity the user is connecting to. At the lowest level of security no authority is named, so as far as the user is concerned the browser itself is the authority. Browser vendors take on this responsibility by controlling the root list of acceptable Certification Authorities (CAs). This is now standard practice.
The problem is that, however much browser vendors try to control quality, the CAs on the market vary in quality and do not all carry out the same checks. Not every CA that signs certificates does so to certify the same model and concept of e-commerce organisation. "Certificate manufacturing" is the issuing of low-value certificates for the sole purpose of providing credit card and e-mail delivery confirmations, and both uses are open to abuse by fraudsters. By extension, a high-transaction website may be vulnerable to impersonation with a certificate issued by another CA. This can happen if that CA is on the other side of the world and unfamiliar with high-volume e-commerce sites, or if the user simply does not care. Because each CA is responsible only for protecting its own customers, not the customers of other CAs, this vulnerability is built into the model.
The solution to this vulnerability is for browsers to display, and users to become familiar with, the name of the issuing authority. This treats the CA as a brand and lets users learn that there are only a few CAs they will encounter in their country and sector. Branding also matters to CA providers, pushing them to audit certificates more carefully: users will notice brand differences and expect high-volume sites to have undergone thorough checks.
This solution was first implemented in early versions of IE7: when displaying an EV certificate, the issuing CA is shown in the URL area. However, this remains an isolated case. There is still resistance to CA branding in the browser chrome, leaving only the lowest and simplest security level mentioned above as an option: the browser is the authority for the user's transactions.
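The Petname idea from the paragraph on user-centric identity and the CA-branding argument just made both come down to the same thing: the browser should remember, per site, what the user called it and which authority vouched for it, and should react when either changes. The following is an added example, not the Petname add-on's code or any browser's: a small store that learns a label on first visit, accepts a certificate renewal from the same issuer, and warns when a labelled site suddenly presents a certificate from a different CA. The certificate bytes and CA names are constructed stand-ins; a real implementation would take the DER certificate and issuer name from a validated TLS chain.

```python
"""Added example: a user-centric identity store in the spirit of the
Petname idea, extended to remember which CA issued a site's certificate."""
import hashlib


def fingerprint(cert_der):
    """SHA-256 fingerprint of a certificate in DER form (bytes)."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    """Maps a host name to the label the user chose for it, plus the
    certificate fingerprint and issuer seen when the label was set."""

    def __init__(self):
        self.sites = {}

    def visit(self, host, cert_der, issuer, petname=None):
        """Record or check a visit. Returns (status, message) where status
        is one of: unknown, learned, ok, renewed, warn."""
        fp = fingerprint(cert_der)
        known = self.sites.get(host)
        if known is None:
            if petname is None:
                # First visit and no label chosen: show the issuer so the
                # user can judge the CA brand, and offer to set a petname.
                return "unknown", f"no petname for {host}; issuer is {issuer}"
            self.sites[host] = {"petname": petname, "fp": fp, "issuer": issuer}
            return "learned", f"'{petname}' = {host} (issued by {issuer})"
        if known["fp"] == fp:
            return "ok", f"'{known['petname']}' (issued by {known['issuer']})"
        if known["issuer"] == issuer:
            # Same CA, new certificate: the usual renewal case. Accept it
            # and keep the issuer on record.
            known["fp"] = fp
            return "renewed", f"'{known['petname']}': new certificate from {issuer}"
        # A different CA for a site the user already labelled is exactly the
        # cross-CA impersonation case described above, so the record is left
        # untouched and the user is warned.
        return "warn", (f"{host} now presents a certificate from {issuer}; "
                        f"'{known['petname']}' was issued by {known['issuer']}")


if __name__ == "__main__":
    store = PetnameStore()
    # Constructed DER stand-ins; real code would pass the connection's cert.
    print(store.visit("bank.example", b"cert-v1", "Example CA One"))
    print(store.visit("bank.example", b"cert-v1", "Example CA One", petname="my bank"))
    print(store.visit("bank.example", b"cert-v1", "Example CA One"))
    print(store.visit("bank.example", b"cert-v2", "Example CA One"))
    print(store.visit("bank.example", b"cert-v3", "Example CA Two"))
```

The "renewed" branch is the design trade-off: it trusts the CA brand the user already accepted, which is precisely what the branding proposal asks users to do, while the "warn" branch surfaces the one event the browser-as-sole-authority model would silently accept.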
At present, the highest-level SSL certificates are used to counter phishing. A globally trusted CA (GlobalSign) issues an EV SSL certificate to the website, which activates the browser's green address bar and uses 256-bit encryption, so that communication between the customer and the website is protected from eavesdropping and the website's authenticated identity is clearly shown. Experiments to improve security user interfaces bring convenience to users, but they also expose fundamental flaws in the security model. There are many intertwined root causes for the past failure of SSL authentication in secure browsing.
Security before threats: Because secure browsing was designed before any threat had appeared, the security display was sacrificed in the "real estate wars" of the early browsers. The original Netscape browser design highlighted the site name and its CA name. Users are now in the habit of not checking security information at all.

Another popular approach to fighting phishing is to maintain an updated list of known phishing sites. Microsoft's IE7 browser, Mozilla Firefox 2.0 and Opera all include this kind of anti-phishing measure. Firefox 2 uses Google's anti-phishing software. Opera 9.1 uses blacklists from PhishTank and GeoTrust, as well as whitelists from GeoTrust. Some software implementations of this approach send visited URLs to a central server for checking, which raises privacy concerns. According to a late-2006 Mozilla Foundation report citing a study by an independent software testing firm, Firefox 2 was more effective at detecting fraudulent websites than Internet Explorer 7.
In mid-2006 a further approach was proposed: switching to a special DNS service that filters out known phishing domains. This works with any browser and relies on the same principle as blocking online ads with a Hosts file.
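The two list-based approaches above differ mainly in where the lookup happens and what leaves the user's machine. The following is an added example, not code from Firefox, Opera, Google, PhishTank or the DNS proposal: a client keeps only short hash prefixes of the blocklist, consults a stand-in server only on a prefix hit, and sends that prefix rather than the visited URL, which is one way to address the privacy concern raised above. The same list is also rendered as Hosts-file lines, the mechanism the DNS-filtering proposal builds on. Blocklist entries and URLs use reserved example/test names and are constructed; the 4-byte prefix length and the parent-domain walk are assumptions of this example.

```python
"""Added example: checking visited sites against a phishing blocklist
without sending every URL to the server, plus a Hosts-file rendering."""
import hashlib
from urllib.parse import urlsplit

# Constructed blocklist of host names (reserved example/test names).
BLOCKED_HOSTS = ["phish.example", "login.bank-example.test"]
PREFIX_LEN = 4   # assumed prefix size; short enough to reveal little


def canonical_host(url):
    """Lower-cased host name without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def host_candidates(host):
    """The host and each parent domain (excluding the bare TLD), so that a
    blocklist entry for a domain also covers its subdomains."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def full_hash(name):
    return hashlib.sha256(name.encode("utf-8")).digest()


def hash_prefix(name):
    return full_hash(name)[:PREFIX_LEN]


class LocalPrefixList:
    """Client side: only short hash prefixes are stored locally."""

    def __init__(self, blocked):
        self.prefixes = {hash_prefix(h) for h in blocked}


class FullHashServer:
    """Stand-in for the central server: it learns a prefix, never a URL."""

    def __init__(self, blocked):
        self.hashes = {full_hash(h) for h in blocked}

    def lookup(self, prefix):
        return {h for h in self.hashes if h.startswith(prefix)}


def is_blocked(url, local, server):
    """Consult the server only when a local prefix matches, and then send
    the prefix rather than the visited URL."""
    for name in host_candidates(canonical_host(url)):
        prefix = hash_prefix(name)
        if prefix in local.prefixes:
            if full_hash(name) in server.lookup(prefix):
                return True
    return False


def hosts_file_lines(blocked):
    """Render the same list as Hosts-file entries; a filtering DNS service
    applies the same idea at the resolver instead of on each machine."""
    return [f"0.0.0.0 {h}" for h in blocked]


if __name__ == "__main__":
    local = LocalPrefixList(BLOCKED_HOSTS)
    server = FullHashServer(BLOCKED_HOSTS)
    for url in ["http://phish.example/login", "http://a.b.phish.example/",
                "https://www.bank.example/"]:
        print(url, "blocked" if is_blocked(url, local, server) else "allowed")
    print("\n".join(hosts_file_lines(BLOCKED_HOSTS)))
```

A prefix collision on an innocent site only costs one extra round trip, and the server still sees a 4-byte prefix rather than where the user went; the Hosts-file rendering shows why the DNS approach is browser-independent but also why it can only block whole host names, not individual URLs.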
To mitigate phishing sites that imitate a victim site by embedding its images (such as logos), some site owners alter the images so that they carry a message to visitors that the site they are viewing may be fraudulent. The image may be moved to a new file name and the original replaced permanently, or the server may detect that the image is being requested outside normal browsing and serve a warning image instead. Bank of America's website is one of many that ask users to select a personal image and then show that image whenever a password is requested. Users of the bank's online services are instructed to enter their password only when they see the image they chose. However, a recent study found that only a small minority of users refrain from entering their password when the image is absent. Furthermore, this feature (like other forms of two-factor authentication) is vulnerable to other attacks, as in the Nordea Bank case in Scandinavia in late 2005 and the Citibank case in 2006.
Secure skins is a related technique that overlays a login form with a user-selected image as a visual cue that the form is legitimate. Unlike the website-based image scheme, however, the image is shared only between the user and the browser, not between the user and the website. The scheme also relies on a mutual authentication protocol, which makes it less vulnerable to attacks that defeat systems that authenticate only the user.

On January 26, 2004, the U.S. Federal Trade Commission filed its first lawsuit against a suspected phisher.
The defendant, a Californian teenager, allegedly built a web page that looked like America Online's and used it to steal credit card data. Other countries have followed this precedent in tracking and arresting phishers. Phishing kingpin Valdir Paulo de Almeida was arrested in Brazil; he led one of the largest phishing gangs, estimated to have stolen between US$18 million and US$37 million in two years. UK authorities detained two men in June 2005 for their role in a phishing scam connected with the U.S. Secret Service's Operation Firewall, which targeted the largest and most notorious credit card theft websites of the time. In 2006, eight people were arrested in Japan on suspicion of phishing fraud through fake Yahoo Japan websites, netting themselves 100 million yen ($870,000). Also in 2006, the FBI continued its arrests with an operation codenamed "CardKeeper", detaining a 16-member gang in the United States and Europe.
In the United States, Senator Patrick Leahy introduced the Anti-Phishing Act of 2005 in Congress on March 1, 2005. If enacted, the bill would impose fines of up to $250,000 and prison terms of up to five years on criminals who set up fake websites and send fake e-mails to defraud consumers. The UK strengthened its legal arsenal against fraud of this kind in 2006 with the Fraud Act 2006, which introduced a general offence of fraud punishable by up to 10 years' imprisonment and prohibited the development or possession of phishing kits with intent to defraud.
Many companies have also joined the fight against phishing. On March 31, 2005, Microsoft filed 117 lawsuits in the U.S. District Court for the Western District of Washington, alleging that the "Jane Doe" defendants had illegally obtained passwords and confidential information. In March 2005, Microsoft and the Australian government worked together to teach law enforcement officers how to combat various cyber crimes, including phishing. In March 2006, Microsoft announced plans to pursue a further 100 cases outside the United States, and by November 2006 it had kept that promise with 129 cases, a mix of criminal and civil actions. AOL has also stepped up its anti-phishing efforts, suing three hackers for $18 million in early 2006 under the Virginia Computer Crimes Act as amended in 2005, while EarthLink helped identify six men in Connecticut, who were later charged with phishing fraud in a state case.
In January 2007, Jeffrey Brett Goodin was convicted by a jury under the CAN-SPAM Act of 2003, becoming the first person in California to be so convicted. He was found guilty of sending thousands of e-mails to AOL users, posing as AOL's billing department and urging customers to submit personal and credit card data. He faced up to 101 years in prison under the anti-spam law and dozens of other charges, including fraud, unauthorised use of credit cards and misuse of AOL's trademarks, and was sentenced to 70 months. After failing to appear at an earlier hearing, Goodin was detained and began serving his sentence immediately.