Safe Browsing for Enterprise Users
Introduction
As phishing and spyware become more prevalent, the need for safer web
browsing grows. Users fall victim to spyware installation and phishing
attacks on a daily basis. Phishing attacks result in the release of
confidential and private information. Spyware, an Internet parasite,
results in loss of productivity, leakage of confidential data and
degradation of the system. Although none of the major web browsers
promote spyware or phishing, some browsers are better at preventing
these attacks than others. This article talks about Firefox in
particular and how it can be properly configured to defend against
spyware and phishing attacks.
Tools Used
The following is a list of all the tools and applications described in
this article:
- Firefox from <http://www.mozilla.com>
- Flash Block from <http://flashblock.mozdev.org/>
- Netcraft Anti-phishing Toolbar from <http://toolbar.netcraft.com/>
- Citrix from <http://www.citrix.com>
Go Firefox!
The first step to safer browsing is to use a browser that promotes
security by preventing automatic execution of code and loading of
ActiveX controls. Mozilla's Firefox browser fits this description.
Firefox protects against viruses, spyware, and pop-ups. It has a
built-in pop-up blocker to block unwanted pop-up and pop-under ads.
Pop-up and pop-under ads are often used to install spyware on users'
computers. By preventing these malware pop-ups, Firefox keeps the user
from unknowingly installing spyware on their system.

To prevent accidental spyware installation, the following must be
configured:
- Block Popup Windows. By default, block all popup windows from all
sites. Then go into the "Allowed Sites" dialog and allow certain sites
to display pop-up windows. For example, I have configured my Firefox
installation to display all pop-ups from my bank:

- Allow web sites to install software. Firefox automatically blocks
all installation of plugins. The user has to manually go into the
"Allowed Sites" dialog and allow certain sites to install software.
For example, I have configured my Firefox installation to allow plug-in
installations from the following sites:

- Load Images. Images are advertisers' and spyware installers' best
friends, so I have compiled a list of servers from which all images
must be blocked:
- *.falkag.net
- *.doubleclick.net
- *.specificclick.net
- *.peel.com
- *.budsinc.com
- *.maxserving.com
- *.mediaplex.com
- *.atdmt.com
- *.advertising.com
- *.casalemedia.com
- *.tribalfusion.com
- *.fastclick.net
- *.specificmedia.com
- *.qnsr.com
- *.ru4.com
- *.2mdn.net
- *.ecrush.com
Note: This is not a comprehensive list by any means. I maintain an
updated list at <http://www.xml-dev.com/blog/index.php?action=viewtopic&id=169>
for anyone interested in blocking images from various ad servers.
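As an added example (not the article's own code and not Firefox's implementation), the following Python applies an image-server block list in the "*.domain" form used above to image URLs before they load. It matches on whole DNS labels, so a look-alike host such as notdoubleclick.net is not caught by "*.doubleclick.net", and it assumes that a "*.domain" pattern covers the bare domain as well as its subdomains (the way Firefox's per-site image exception behaves).

```python
# Added example, not from the original article. Applies a Firefox-style
# image-server block list to image URLs. Assumption: "*.domain" covers the
# bare domain and every subdomain; matching is done on whole DNS labels.
from urllib.parse import urlsplit

# A subset of the block list in the article, used as constructed sample data.
BLOCKED_IMAGE_SERVERS = [
    "*.doubleclick.net",
    "*.atdmt.com",
    "*.advertising.com",
    "*.2mdn.net",
]


def _labels(host: str) -> list[str]:
    """Normalise a hostname into its DNS labels (lower-case, no trailing dot)."""
    return host.lower().rstrip(".").split(".")


def host_matches(host: str, pattern: str) -> bool:
    """True if host is the pattern's domain or lies under it, label by label.

    Comparing label lists (not string suffixes) is what stops
    "notdoubleclick.net" from matching "*.doubleclick.net".
    """
    if not pattern.startswith("*."):
        return _labels(host) == _labels(pattern)
    suffix = _labels(pattern[2:])
    labels = _labels(host)
    return len(labels) >= len(suffix) and labels[-len(suffix):] == suffix


def is_blocked_image(url: str, block_list=BLOCKED_IMAGE_SERVERS) -> bool:
    """Decide whether an image URL should be refused under the block list."""
    host = urlsplit(url).hostname  # drops scheme, userinfo, port and path
    if not host:
        return False  # relative URLs have no host to judge; leave them alone
    return any(host_matches(host, pattern) for pattern in block_list)
```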

Automatic Updates
Firefox's Software Update feature makes it easy to get the latest
security and feature updates to the browser and its extensions. Firefox
automatically downloads these small updates in the background and
prompts you when they are ready to be installed.
Block that Flash!
Flash animations by advertisers are not only annoying, but can also
become a source of malware installation or phishing attacks. So I
recommend a "Default Deny" approach of blocking all Flash animations. I
use Flash Block from <http://flashblock.mozdev.org>. Flashblock is an
extension for the Mozilla, Firefox, and Netscape browsers that takes a
pessimistic approach to dealing with Macromedia Flash content on a
webpage and blocks ALL Flash content from loading. It then leaves
placeholders on the webpage that allow you to click to download and
then view the Flash content.
After installing the FlashBlock plugin, instead of the Flash / Shockwave
animation starting automatically, the user sees the following logos:

By clicking on the icon the user can selectively start the animation,
or configure the plugin to always display animations from certain
trusted sites, for example my online banking site.
Is it Phishing Season yet?
It is always phishing season on the Internet. And guess what? You are
the target. To protect myself from becoming a victim of phishing, I use
Netcraft's Anti-Phishing Toolbar.

The Toolbar community is effectively a giant neighborhood watch scheme,
empowering the most alert and most expert members to defend everyone
within the community against phishing frauds. Once the first recipients
of a phishing mail have reported the target URL, it is blocked for
community members as they subsequently access the URL. Widely
disseminated attacks (people constructing phishing attacks send
literally millions of electronic mails in the expectation that some
will reach customers of the bank) simply mean that the phishing attack
will be reported and blocked sooner.
The Toolbar also:
- Traps suspicious URLs containing characters that have no common
purpose other than to deceive.
- Enforces display of browser navigational controls (toolbar and
address bar) in all windows, to defend against pop-up windows that
attempt to hide the navigational controls.
- Clearly displays sites' hosting location, including country, helping
you to evaluate fraudulent URLs (e.g. the real citibank.com or
barclays.co.uk sites are unlikely to be hosted in the former Soviet
Union).
Example:
This morning I received a typical phishing email seemingly from my bank:

Upon clicking the URL mentioned in the email, my Netcraft Toolbar
displayed the following warning message:

This prevented me from unknowingly disclosing my credentials to a
phishing site.
The two features I like best about the Netcraft Toolbar are the "Risk
Rating" and the "Rank".
Risk Rating

The Risk Rating displayed by the Netcraft Toolbar offers a further
level of protection against new sites that are not yet in Netcraft's
database. The above example shows a web site used to gather victims for
laundering the proceeds of phishing frauds. Although the site contains
sumptuously plausible content, the Netcraft Toolbar assigns a high Risk
Rating because it is hosted under a newly registered domain, the site
has never been seen in the Netcraft Web Server Survey, and the Chinanet
Hebei Province network has hosted a number of fraud sites in the past.
Hosting a web site on an unusual port number will also increase the
Risk Rating, as will hosting a site from a raw IP address, as many
phishing sites employ this tactic. The Risk Rating can be calculated
fast enough to be performed for arbitrary sites as people visit them,
and does not rely on manual categorization.
Many factors contribute to the risk rating of each site. The dominant
factor for most sites is the age of the domain name in which the site
appears. Domain names that have never been seen in the Netcraft Web
Server Survey are given a high risk rating, since many phishing sites
and relatively few legitimate sites fall into this category. Other
factors which can influence the risk rating include:
* Any other known phishing sites in the same domain.
* Whether a hostname or a numeric IP address is used in the URL.
* Whether or not a port number appears in the URL.
* The hosting ISP's history with respect to phishing sites.
* The hosting country's history with respect to phishing sites.
* The top level domain's history with respect to phishing sites.
* The site's popularity with Netcraft Toolbar users.
Rank
The rank depicts the popularity of the website currently loaded in the
browser. Any legitimate online e-commerce site should have a rank below
1,000. If a particular site has a ranking in the 10,000+ range, there
is a very good chance that this unpopular site is a phishing site.
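As an added example (not Netcraft's code or its actual algorithm, and not from the article), the following Python turns the factors listed in the Risk Rating section and the thresholds from the Rank section into an illustrative score. The URL supplies the structural signals (raw IP address, explicit port); the survey, same-domain phishing, hosting-history and popularity signals come from a SiteContext that is an assumption here, as are the weights and the sample inputs.

```python
# Added example, not Netcraft's algorithm. Weights, SiteContext fields and
# sample values are assumptions chosen to illustrate the listed factors.
from dataclasses import dataclass
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class SiteContext:
    """Signals a deployment would fill from its own survey and report data."""
    seen_in_survey: bool            # domain ever observed in the web server survey
    other_phishing_in_domain: bool  # known phishing sites share this domain
    host_history_hits: int          # past fraud sites on the hosting ISP/country/TLD
    rank: Optional[int] = None      # toolbar popularity rank, None if unknown


def url_is_raw_ip(url: str) -> bool:
    """True when the URL host is a numeric IP address rather than a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def risk_rating(url: str, ctx: SiteContext) -> int:
    """Score 0..10 from the listed factors; higher means more likely phishing."""
    parts = urlsplit(url)
    score = 0
    if not ctx.seen_in_survey:
        score += 4                   # dominant factor: never-seen domain
    if ctx.other_phishing_in_domain:
        score += 3
    if url_is_raw_ip(url):
        score += 2                   # raw IP address instead of a hostname
    if parts.port is not None:
        score += 1                   # explicit port number in the URL
    score += min(ctx.host_history_hits, 2)  # hosting ISP/country/TLD history
    if ctx.rank is None or ctx.rank >= 10_000:
        score += 1                   # unpopular or unranked site (Rank section)
    elif ctx.rank < 1_000:
        score -= 2                   # rank a legitimate e-commerce site should have
    return max(0, min(score, 10))
```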