Google Webmaster Central Blog - Official news on crawling and indexing sites for the Google index

Will the Real <Your Site Here> Please Stand Up?

Tuesday, March 30, 2010 at 10:07 AM

Webmaster Level: Intermediate



In our recent post on the Google Online Security Blog, we described our system for identifying phishing pages. Of the millions of webpages that our scanners analyze for phishing, we successfully identify 9 out of 10 phishing pages. Our classification system only incorrectly flags a non-phishing site as a phishing site about 1 in 10,000 times, which is significantly better than similar systems. In our experience, these "false positive" sites are usually built to distribute spam or may be involved with other suspicious activity. If you find that your site has been added to our phishing page list ("Reported Web Forgery!") by mistake, please report the error to us. On the other hand, if your site has been added to our malware list ("This site may harm your computer"), you should follow the instructions here. Our team tries to address all complaints within one day, and we usually respond within a few hours.

Unfortunately, sometimes when we try to follow up on your reports, we find that we are just as confused as our automated system. If you run a website, here are some simple guidelines that will allow us to quickly fix any mistakes and help keep your site off our phishing page list in the first place.

- Don’t ask for usernames and passwords that do not belong to your site. We consider this behavior phishing by definition, so don’t do it! If you want to provide an add-on service to another site, consider using a public API or OAuth instead.

- Avoid displaying logos that are not yours near login fields. Someone surfing the web might mistakenly believe that the logo represents your website, and they might be misled into entering personal information into your site that they intended for the other site. Furthermore, we can’t always be sure that you aren’t doing this intentionally, so we might block your site just to be safe. To prevent misunderstandings, we recommend exercising caution when displaying these logos.

- Minimize the number of domains used by your site, especially for logins. Asking for a username and password for Site X looks very suspicious on Site Y. Besides making it harder for us to evaluate your website, you may be inadvertently teaching your visitors to ignore suspicious URLs, making them more vulnerable to actual phishing attempts. If you must have your login page on a different domain from your main site, consider using a transparent proxy to enable users to access this page from your primary domain. If all else fails...

- Make it easy to find links to your pages. It is difficult for us (and for your users) to determine who controls an off-domain page in your site if the links to that page from your main site are hard to find. All it takes to clear this problem up is to have each off-domain page link back to an on-domain page which links to it. If you have not done this, and one of your pages ends up on our list by mistake, please mention in your error report how we can find the link from your main site to the wrongly blocked page. However, if you do nothing else...

- Don’t send strange links via email or IM. It’s all but impossible for us to verify unusual links that only appeared in your emails or instant messages. Worse, using these kinds of links conditions your users/customers/friends to click on strange links they receive through email or IM, which can put them at risk for other Internet crimes besides phishing.
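The guidelines above can be checked mechanically before a page goes live. The following is an added example (not Google's classifier and not code from the original post) that audits one HTML page the way a site owner might: it flags password forms that post to a different site than the page they sit on, third-party images inside such forms, and off-domain pages that carry no link back to the primary site. The sample pages, hostnames (`example.com`, `partner-host.test`, `otherbank.test`) and the `audit_page`/`site_of` helpers are constructed for this example; the "registrable domain" check is a simplification (last two host labels) and production code should consult the Public Suffix List.

```python
"""Audit an HTML page against the off-domain login guidelines.

Added example (not Google's system). Standard library only.
Reports:
  1. a form with a password field whose action posts to a different site
     than the page itself (credentials for Site X requested on Site Y);
  2. images (e.g. logos) inside such a form that are served from another site;
  3. an off-domain page that has no link back to the primary site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(url):
    """Approximate registrable domain: the last two labels of the host.
    Simplification for the example; real code should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


class _FormScanner(HTMLParser):
    """Collect forms (action, password field, images) and outgoing links."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: action, has_password, images
        self.links = set()     # absolute href targets
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False, "images": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "img" and self._current is not None and a.get("src"):
            self._current["images"].append(urljoin(self.page_url, a["src"]))
        elif tag == "a" and a.get("href"):
            self.links.add(urljoin(self.page_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html, primary_site):
    """Return a list of human-readable findings; an empty list means clean."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_site = site_of(page_url)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if site_of(form["action"]) != page_site:
            findings.append("password form on %s posts to %s" % (
                urlsplit(page_url).hostname, urlsplit(form["action"]).hostname))
        for img in form["images"]:
            if site_of(img) != page_site:
                findings.append("third-party image %s inside a login form" % img)
    if page_site != primary_site and not any(
            site_of(link) == primary_site for link in scanner.links):
        findings.append("off-domain page %s has no link back to %s" % (page_url, primary_site))
    return findings


# Constructed sample pages (not real sites).
GOOD_PAGE = """<html><body>
<a href="https://www.example.com/">Home</a>
<form action="https://login.example.com/session" method="post">
  <img src="https://www.example.com/logo.png">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""

BAD_PAGE = """<html><body>
<form action="https://accounts.otherbank.test/login" method="post">
  <img src="https://accounts.otherbank.test/logo.png">
  <input name="email"><input type="password" name="pw">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in (("https://login.example.com/signin", GOOD_PAGE),
                      ("https://promo.partner-host.test/signin", BAD_PAGE)):
        print(url)
        for finding in audit_page(url, page, "example.com") or ["no findings"]:
            print("  -", finding)
```

The clean page lives on a login subdomain but posts to its own site, shows its own logo and links back to the main site, so it produces no findings; the second page trips all three checks.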

While we hope you consider these recommendations to be common sense, we’ve seen major e-commerce and financial companies break these guidelines from time to time. Following them will not only improve your experience with our anti-phishing systems, but will also help provide your visitors with a better online experience.


14 comments:

The Latest News Pakistan said...

Well a good move but it won't be too strict for all those people engaged in phishing as they will find out a new solution to the problem.
http://www.risedream.com/blog/
http://www.risedream.com

Brent Logan said...

According to the first listed bad behavior, Facebook should be listed as a phishing site. It's always asking for my e-mail password so it can find more friends for me.

Joydeep said...

Well websites like facebook and linkedin ask for usernames and passwords after you are logged in to their site and spiders/bots can't crawl those pages.

MAHOGANY FURNITURE said...

Thanks very much for your article; it helps us a lot to build a good website.

Regards,
ROBERT

G said...

You advise:
Don’t send strange links via email or IM.
Where do you stand on URL shortening and Twitter; surely these are the most relevant aspects...

Simon said...

The site blogger.com is asking for my Google account. Definitely phishers.

Google are training people to enter their Google username and password all over the place, and then they have other people employed telling people not to do this.

Samuel said...

Today I see a Christian Andersen birthday logo. We do not know him, so why was it used on GOOD FRIDAY? We hope that an Easter logo will be used on Sunday, because we have seen Holi or Diwali logos.....then why not Christian festival logos ???? is it discrimination ????

aris said...

found so many links during search but the content was all just links to other links...that's just krazy

Hunter said...

The best phishing site is found on Igoogle as a gadget. Spotcrime is a website that provides crime info for your neighborhood. No problem except it requires your email address and password:

Get FREE Local Crime Alerts
Stay updated with inbox alerts for your neighborhood!
Email:
Password:
Address:
e.g. 100 Main Str, Baltimore, MD

Please include Street and City,
State or Zip code

Chris S. said...

I just received an email from Wells Fargo that used a different root domain than their own. It was a server provided by the marketing firm they contracted with, but there was no good way to tell if it really was from Wells Fargo or not. I've seen this kind of nonsense before, and you're right - it does condition us to click strange links.

France-locations.net said...

"Don’t ask for usernames and passwords that do not belong to your site. We consider this behavior phishing by definition"
I totally agree with you, but Brent is right: Facebook doesn't use any secure process to import/contact friends. Why not list it?!

solanang said...

This is Woooooooooooooow, really.
So very pretty, and when can I make something like this?
thanks a lot google

Saravanan said...

I just registered a domain name from Godaddy.com and the next day I find the domain name reported as a phishing site by Chrome and Firefox.

Google Webmaster Central said...

Hi everyone,

Since over a year has passed since we published this post, we're closing the comments to help us focus on the work ahead. If you still have a question or comment you'd like to discuss, feel free to visit and/or post your topic in our Webmaster Central Help Forum.

Thanks and take care,
The Webmaster Central Team