More fraudsters are adopting new approaches in an effort to make phishing sites undetectable by common security measures such as firewalls and content filtering web proxies.

By replacing some of the textual content on the phishing page with similar-looking images, fraudsters are making it much more difficult for automated systems to detect the presence of keywords such as “PayPal” and “credit card”. The following example shows a phishing page that uses this technique to make the page appear legible to a human, but not so legible to a computer:

Highlighting the text in the browser makes it apparent that some of the page is made up from images, which are easily read by a human, but will be ignored by content filters which only process the text on the page:

Because the content filters may not detect this page as being a PayPal phishing scam, it could slip through undetected, allowing the fraudster to harvest the credentials of thousands of PayPal customers.

Detecting “undetectable” phishing sites

The Netcraft Toolbar community is based upon a large network of human scrutinizers, each of which is able to report suspicious sites with far more accuracy and intelligence than any computer program. Sites such as the one shown in this example are therefore quickly discovered by the Toolbar community and subsequently blocked for all other users.

Netcraft has made the list of phishing sites reported by the Toolbar community and validated by Netcraft available as a continuously updated feed suitable for ISPs, hosting companies, enterprises, and other companies that operate mail servers and web proxies, or network monitoring systems. This offers an excellent level of defence against phishing, including those sites that use sneaky measures to trick their way past firewalls and web proxies.

If you would like to join the Netcraft anti-phishing community, the Toolbar can be downloaded from toolbar.netcraft.com.