What Phishers Know That You Don't
By Jeremiah Grossman, Guest Columnist
Today's headlines scream about phishing attacks that are stealing financial data, bilking billions from consumers, and contributing to identity theft. These news articles are soon followed by vendor press releases and dubious marketing propaganda seeking to capitalize on the buzzword hysteria.
Security professionals are left trying to separate the truth from the hype while looking to SSL, token authentication, e-mail encryption, A/V scanners, blacklist and take-down services for solutions. Each incident usually gets management very excited about protecting their customers and the brand.
Everyone's heard about "spoofed" e-mails compelling consumers to visit fake Web sites and fooling them into disclosing sensitive information. So I'm skipping that part of the conversation because it's boring. What's interesting are the increasingly sophisticated techniques Phishers are using to maintain their edge. Let's delve into the dark arts that render phishing attacks virtually impervious to the widely advertised solutions mentioned above.
Phishers are targeting consumers by exploiting Web security loopholes for financial gain. And it makes perfect sense that they would, because 9 out of 10 Web sites are vulnerable to something serious called cross-site scripting (XSS).
A recent report issued by the Anti-Phishing Working Group (APWG) states that Phishers are visibly employing cross-site scripting redirect attacks. "...Websense Security saw a number of attacks using cross-site scripting to redirect URLs from popular Web sites in order to better present themselves and as a means to prevent blocking," according to the APWG February 2005 Trends Report. Using specially crafted links, Phishers are piggybacking on legitimate domain names to pull off their scams.
Cross-site scripting is by far the most common and overlooked vulnerability in Web sites today. Coincidentally, XSS is just the "super" bait Phishers are looking for. XSS attacks are designed to target the users of a Web site, rather than the web server or operating system. A Web site is at risk if a coding oversight allows user-submitted content to be displayed without filtering out malicious data.
What a clever Phisher does is create a specially crafted link, laced with Web scripting code, and convinces a user to click on it. When the user clicks, the injected code executes and becomes part of the resulting Web page. This is where the Phisher's fun begins.
Consider the following example: http://therealwebsite.com/redirect/user/to/http://thefakewebsite.com
When a user looks at the above Web address, the link appears legitimate because the domain name shown is in fact the real Web site. Also, the link can be encoded to disguise its intention further. When the user clicks "therealwebsite.com," their browser is automatically redirected to "thefakewebsite.com," the Web address tacked onto the end of the link. From the user's perspective, everything takes place normally as they land on the fake page.
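As an added example (not code from Grossman's column or from any site named in it), here is the defender's side of the redirect link above: a server-side validator that a redirect handler can use to refuse targets off its own host, plus the client-side heuristic readers ask about in the comments, which flags an address whose path carries a second absolute URL. The host names and the /account path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed example: hosts this application may legitimately redirect to.
ALLOWED_HOSTS = {"therealwebsite.com", "www.therealwebsite.com"}

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Server-side check: True only if `target` stays on an allowed host.

    Rejects absolute URLs to other hosts, protocol-relative URLs (//host),
    non-http(s) schemes such as javascript:, userinfo tricks (real@fake),
    and percent-encoded or backslash variants that browsers normalize.
    """
    # Decode once so http%3A%2F%2F is judged the way a browser will see it
    # after the redirect; browsers also treat backslash like forward slash.
    decoded = unquote(target).strip().replace("\\", "/")
    if not decoded or any(ord(c) < 0x20 for c in decoded):
        return False
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Relative path such as /account/summary: same origin, safe.
        return decoded.startswith("/") and not decoded.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in allowed_hosts

def redirect_target(target: str, fallback: str = "/") -> str:
    """Where a redirect handler should actually send the browser."""
    return target if is_safe_redirect(target) else fallback

def has_embedded_url(url: str) -> bool:
    """Client-side heuristic: does the path or query of `url` itself carry
    a second absolute URL, as in the article's redirect example?"""
    parts = urlsplit(url)
    tail = unquote(parts.path + "?" + parts.query).replace("\\", "/")
    # Optional scheme, then // and something that looks like a host name.
    return bool(re.search(r"(?i)(?:[a-z][a-z0-9+.-]*:)?//[a-z0-9.-]*\.[a-z0-9.-]+", tail))
```

The heuristic is only a warning signal; the server-side allowlist is the fix, since a redirect that never leaves the real site gives the crafted link nothing to exploit.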
Prominent Web sites, including eBay, Google, Lycos, Citizens Bank, and SunTrust have been victimized by similar types of attacks. The good news is that consumers are wising up and learning how to identify this type of scam. The bad news is that next-generation XSS attacks are proving nearly impossible for consumers to spot or for technology to identify.
These attacks actually convert the real website into the fake website, thereby making consumers increasingly likely to fall for the scam. Sounds like magic, doesn't it? But it's actually just a clever trick.
Just found this:
http://toolbar.netcraft.com/
It looks promising. I've already tested it on some phishing sites I knew of and it worked - it popped up a warning telling me about possible XSS. Maybe we're closer to a solution than I thought. Then again, maybe not.
Score: 0
Could a website create a sort of unreproducible graphic? Like the holograms on MS CDs or a watermark on a dollar bill that verifies the authenticity of the page.
If eBay, Amazon or Google decide to nip this issue they could develop some sort of element that says this is authentic.
If certain elements or images are being hijacked or not served from the correct server, then a message saying 'this is not an authentic source' could be shown.
While I'm not a developer by trade I do have some development background. I just figure Amazon or Google, who love technology, could come up with something interesting.
Score: 0
BetaNews mentions everything except the only real solution which is taking legal action against phishers.
Score: 0
What will be more interesting is that Microsoft will not be able to address this issue, it looks like, with Longhorn, and certainly not with XP's current tools. Microsoft finally included a decent level of security with XP, with a firewall that does well enough and bugging the user to stay up to date with AV... but phishing is an open hole and it will take education, not definition-based updates or toolbars or browser updates, to stop this. It could seriously erode people's confidence in computing in general, let alone browsing the web, at least for people burnt by this.
Score: 0
I'm not going to act like I know any more about phishing than is explained in this article, but it seems like there would have to be some way to have the browser be able to identify XSS, either through a plugin (i.e. Firefox plugins) or maybe even a function integrated into future browsers (IE8 maybe? lol - it would take that long).
Is anyone formulating ideas for a service or product that can help with this? Like I said below, in my humble amateurish opinion, it seems like this would be easier to tackle on the client side. That's just my two cents.
Score: 0
The basic problem is the incredible lack of knowledge of most PC users of how to use their OS. These are not "noobies". Some of these people have been using computers for many years. They don't realize that Windows has a command line, can't create toolbars in the taskbar, move icons to the QuickLaunch Bar and have never edited their registry.
When they download software they almost always think that bigger is better. These people don't have a clue or know where to buy one. There are a lot of "so-called" experts who have never written a lesson plan or created a training module, so their "help" is in computer jargon that only geeks can understand.
If you have no idea of how to install and configure your OS, or understand what a baseline and system image are, then phishers are going to eat your system. This is an even bigger problem if you have lots of bandwidth.
Score: 0
We've got to stop whining now. What part of DO NOT give out account information, SSN or other sensitive data online do people not understand? My bank, for example, tells me loud and clear that they will NEVER ask for such things other than via snail mail, so since I actually read my terms of service agreement I discard ALL email sent from "them" to me. It is THAT easy to avoid phishing.
And hey, IF the message was genuine, then they are out of luck because you are just following your agreement.
So stop whining. You would not give ME any info if I walked up to you on the street and introduced myself as your banker, would you? It is the same with emails, etc.
Score: 0
lol. ummm... did you read beyond the 4th paragraph? This vulnerability is not related to e-mail. XSS can be exploited on any site that allows third parties to post information (Google, eBay, Amazon, etc...). We are far beyond the age where e-mail attachments were the biggest concern.
This scam can easily affect ANYONE if they are not careful. This time you don't have to click the link in the e-mail that says "get more smileys" ;-)
Score: 0
When I posted this comment, this was in the address bar:
http://www.betanews.com/http://hackersheaven.com/
Is that normal? :p
That was really interesting. Is there any way to identify these tricks on the client side? For example, could someone write a FireFox plugin that checks the address bar for multiple domains? Or would that even work in most cases?
Anyway, I'm definitely going to be more paranoid from now on. Thanks a lot :p
Score: 0
There is a good plug-in for Firefox called SpoofStick. It is a toolbar that tells you what site you are on regardless of what URL you typed in the address bar.
Score: 0
These XSS vulnerabilities that Phishers exploit are all the more dangerous because they originate __from the valid site__, yet the attacker can still execute malicious code.
The Firefox plugin you mention will not protect you in any way from the class of vulnerabilities Jeremiah described.
Score: 0
That sounds like it would help a little, but would it catch scripts in the URL that could redirect information entered on the website?
I was wondering if someone could write a plugin like that to look for more than one domain and/or scripts that could be malicious.
It sounds to me like this problem would be much simpler to tackle on the client-side than on the server side, but that is just my humble amateurish opinion.
Score: 0