Phishing attacks soon could be personalized

Danger by calling the browser history

So far, phishing emails are due to their clumsy type: not only the often wheelbearing german, but also the fact that you get two password requests of citibank every hour, without being at all the customer, warns every halfway intelligent people. But it was not so hard to find out if someone is actually customer of the bank or not.

If you are sitting in front of a foreign computer and the internet browser is open, it is quite easy to find out if the owner is always visiting a specific page or not: in the former case, the browser will automatically yield the address, but in any case in the history so that the link to the visited page appears in a different color. Only the regular loosen of the browser history can prevent this, but is bursting, because then you have already read an article for the third time when the list is interesting and your own thought bad.

From the outside, so without sitting in front of the computer, the history should not actually be accessible. But here, there is obviously a security chuck, as the new scientist reports in its latest edition: markus jakobsson and his colleagues at indiana university have discovered this. Obviously, it is possible to determine how to click on the left if any website in the browser history or. Is stored in the browser cache or not, since the response times of the browser can be different and this can be detected more clearly about certain css tricks.

If the phishers do not send their spam mails – as today mostly ubrow – with identical contents, but deposit in these identifiers, betrayed by the spammers website, which of the 100.000-based e-mail addresses have been drawn the click, only the browser history must be queried, to present a mutchy of a website that the sacrifice has actually visited or a second, now seemingly from this bank originating to send e-mail.

The remedy, the jakobsson tomorrow on the last day, the 26. However, may the world wide web conference in 2006 in edinburgh, however, does not want to find the reading of the browser history effectively on the internet. Instead, when visiting your website, the banks should also flood the browsers with the addresses of their competitors, so as to confuse the phishers and to return to today’s stand. But which bank will already indirectly indirectly indirectly indirectly indirectly referred to your competitors?

More useful seems to be the second thought of jakobsson: every customer should get their own secret url for his online banking access, which the phishers can then do not understand and assign this bank. However, it was also difficult for the customer to determine if he is really on a website of his bank or not. Disable history and cache is not a usable solution.

Did, however, is already well thought out to provide with the same trick visitor of news pages based on their surfing history with for you appropriate messages or advertising; so exactly what is achieved today with the cookies of the advertising networks. And just as little as today it was allowed to drove to enthusiasms when the night-time visit to a sex singing the next day on "discussion" websites suddenly leads to an enhancement of striking advertising and an excerpt news offer …