On Wednesday this week, Google announced an extension for the Chrome browser that protects users of GoogleMail, Google for Work etc. from Phishing attacks.
The extension is free and easy to install. The Google announcement is here.
We would recommend that all Chrome users consider using this. As we have been trying to tell everyone for the last few years, Phishing and the associated targeted Spear Phishing remain the most prevalent attack vectors for harvesting user details, which are then used to obtain money directly or sold on to other bad guys in bundles of up to millions of credentials.
Research by Google and The University of California suggests that the most effective Phishing campaigns are up to 45% effective – an astonishing number. It is about time Web service and application providers made an effort and this work by Google is a great start.
As you all know, the anatomy of a Phishing attack is for users to be directed to a fake login page via an email, or another web site. Once the details are entered, the user is redirected to the original site and may presume that they entered their password incorrectly rather than being scammed.
User education is another powerful tool in the defence against Phishing. We advise everyone to check the bona fides of the mail originator and to hover over any URLs in emails to confirm that the destination matches the hyperlink.
In the Enterprise it is possible, but difficult, to maintain a list of sites with poor reputation and either prevent access to them (via firewalls or proxies) or report access to them, both of which are components of our NetSure360° Managed Security Service.
The reliability and frequency of updates about these sites vary and nobody can provide a guarantee. The use of Fast Fluxing (http://en.wikipedia.org/wiki/Fast_flux) makes this even harder, although some technologies (notably Palo Alto, fully integrated in NetSure360°) are making significant inroads.
One final thing: Google talks about its anti-Phishing extension working thus: “Chrome will remember a ‘scrambled’ version of your Google Account password”.
What could possibly go wrong?
If you would like to talk to us about Phishing, or even Fishing for that matter, please contact us on: 020 7517 3900 or email [email protected]