Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[phormwatch]

Can someone provide me a list of all of Phorm's domains?

i.e. www.webwise.com, etc.

[Dephormation]

Quote:

Originally Posted by phormwatch

Can someone provide me a list of all of Phorm's domains?

i.e. www.webwise.com, etc.

Some here

http://www.badphorm.co.uk/e107_plugi...topic.php?7062

121media.com
openinternetexchange.com
openinternetexchange.net
oix.com
oix.net
webwise.com
phorm.com
phormdev.com
webwise.net
youcanoptin.com

[rryles]

Quote:

Originally Posted by davews

The phishing databases only need the URL, there is no need to set up a secure connection to flag it as a dodgey url.

Opera's anti-phishing works by checking a remote database as well, nothing needed to be stored on your computer.

I'm not quite sure what you're trying to say so I'll try to clarify my statement:

Webwise cannot check phishing urls that use https because of where it sits in the network.

Other solutions (such as those built into IE/Firefox/Opera) can and do check phishing urls that use https.

Webwise uses a remote database of phishing urls so doesn't suffer from lag in updates. However Firefox's system optionally uses a remote database as well so is just as good. I don't know about Opera's system so can't comment.

[phormwatch]

[QUOTE=Dephormation;34589943]Some here

Thanks as ever, Dephormation.

Report Phorm/Webwise as a Phishing Scam
================================================== =====

Phorm domains to report:

webwise.bt.com
121media.com
openinternetexchange.com
openinternetexchange.net
oix.com
oix.net
webwise.com
phorm.com
phormdev.com
webwise.net

---
US-Cert: US Computer Emergency Readiness Team
http://www.us-cert.gov/nav/report_phishing.html

Report phishing scam by sending email to:
phishing-report@us-cert.gov
---
APWG: Antiphishing Workgroup
http://www.antiphishing.org/

Report phishing scam by sending email to:
reportphishing@antiphishing.org
---
Microsoft Support:
http://support.microsoft.com/kb/930167

To report a Web site that you suspect is a phishing Web site, follow these steps:
1. Start Microsoft Internet Explorer.
2. On the Tools menu, point to Phishing Filter, and then click Report This Website.
3. Select the language that is used on the Web site.
4. Select the I think this is a phishing website check box.
5. Click Submit.
---
Bank Safe Online:
http://www.banksafeonline.org.uk/index.html
Report phishing scam by sending email to:
reports@banksafeonline.org.uk
---
Yahoo Security Center:
Use the form on the website:
http://security.yahoo.com/article.html?aid=2006102506
---
Symantic Phish network:
http://www.phishreport.net/consumers.html
Report Suspected Phishing Sites:
https://submit.symantec.com/antifraud/phish.cgi
---
Millersmiles.co.uk:
http://www.millersmiles.co.uk/submit.php
Send email of website address to:
spoof@millersmiles.co.uk
---
Phishtank:
http://www.phishtank.com/
Submit URL on website
---
Castlecops:
http://www.castlecops.com/pirt
Submit URL on website

Quote:

Originally Posted by HamsterWheel

I'm certain that Webwise will warn of both http and https phishing sites. I have asked them to confirm this though.
Remember Phorm are a sponsoring member of the AWG http://www.antiphishing.org/sponsors.html and would not be daft enough to offer something that did not cope with a large proportion of phishing attacks.

Also remember that their anti-phishing will not need you to download updates of known sites like most of the norton's etc do, so will be much more up-to-date. So a much better, and free offering than that currently available.
You see - Phorm is simply the best :-)

How often will Phorm's database of phishing sites be updated?

The answer is - you don't know becasue Phorm have not released that information. Like everything else you've scrawled on this forum, your "information" is baseless.

As I've said before Norton et al produce the data for the phishing lists. Phorm will only ever get a list that is, at best, days out of date.

Incidently, Phorm are listed as an APWG Sponsoring Vendor Member. It costs them $7500 and for that they get "..."a series of marketing/sponsorship benefits, including being listed as sponsoring vendors on the Anti-Phishing Working Group public website". Other SVMs include Facebook but no ISPs from outside of the USA, no banks or other financial organisations, no national communications companies, no government departments form anywhere in the world - hardly a sign that APWG is a genuine and recognised coalition. In fact it is just another one of those worthy sounding trade organisations and it's entire membership consists of a handful of American companies who sell ati-phishing "solutions".

There is nothing about Phorm's SVM status with this organisation that says anything about Phorm's ability to offer any sort of product nor does it give any indication of quality.

And whoever said that Phorm aren't daft - another unfounded assumption on your part. Everything we've seen so far shows an amazing lack of foresight and business sense as well as an astonishing ability to totally misjudge their target market - hardly a sign of intelligence in the business world. Add to that thei gross negligence in failing to get the ISPs to actually sign a contract before going public with this scheme and anyone who has ever been in business would tell you that "daft" is not a strong enough word for this company.

[SelfProtection]

Quote:

Originally Posted by Dephormation

Some here

http://www.badphorm.co.uk/e107_plugi...topic.php?7062

121media.com
openinternetexchange.com
openinternetexchange.net
oix.com
oix.net
webwise.com
phorm.com
phormdev.com
webwise.net
youcanoptin.com

This may be of interest but I haven't had time to check it out.
http://googleonlinesecurity.blogspot...-security.html

It was said that Webwise will warn of both http and https phishing sites and there seems to be some debate.

I am totally against the main purpose of Webwise (to spy/categorise usage of the internet for profit) and I agree that anti-phishing is already readily available and so there is no need to have Phorm or Webwise at all.

But, I can't see why we're challenging that the Webwise system won't be able to detect calls between my PC and the web to start a session with a secure site. AFAIK the set up of the secure connection cannot OC begin until a connection has been at least made with the site to set it up because the site server and my PC have to exchange some data to set it up and that cannot be done in any "scambled" method which means it is all visible to the phorming system. So I don't see why a Webwise system could not warn about the connection to a suspected phishing site then ignore your data stream from then on, if you continue to browse the site. Of course whether it ignores your data from then on really is the question...

But it makes no odds to me and OC it should make no odds to anyone else because Webwise gives NOTHING AT ALL to the customer which they cannot get for free elsewhere without having someone spying on their every action.

Hank

[JackSon]

Quote:

Originally Posted by Hank

But it makes no odds to me and OC it should make no odds to anyone else because Webwise gives NOTHING AT ALL to the customer which they cannot get for free elsewhere without having someone spying on their every action.

Hank

Having mulled it over a bit this afternoon, bearing in mind the popular tag line is that WebWise gives good default protection for those who are not tech-savvy. I see that as also not only just having no added benefit, but actually hazardous and potentially harmful to the non tech-savvy.

We know that WebWise flags up only known phishing sites - it makes no claim of identifying sites that have malicious downoads, use browser exploits or give large amounts of spam etc. So that is really only one specific sector of today's on-line threat base. The danger I see is that the non tech-savvy people *may* think "I have WebWise protecting me, I don't need to look for any other protection". That has the potential of givng the most vulnerable poeple a very dangerous false sense of net security. That doesn't help the non tech savvy, I believe that harms them.

N.B I apologise for excessive use of the term 'non tech-savvy', couldn't think of anything appropriate to replace it with. I would be hopeless on Radio 4's Just a Minute.

[rryles]

Quote:

Originally Posted by Hank

But, I can't see why we're challenging that the Webwise system won't be able to detect calls between my PC and the web to start a session with a secure site. AFAIK the set up of the secure connection cannot OC begin until a connection has been at least made with the site to set it up because the site server and my PC have to exchange some data to set it up and that cannot be done in any "scambled" method which means it is all visible to the phorming system. So I don't see why a Webwise system could not warn about the connection to a suspected phishing site then ignore your data stream from then on, if you continue to browse the site.

You're correct that some data needs to be sent "unscrambled" to set the connection up. However this isn't enough information to decide if the connection should be flagged as a phishing attempt. Webwise will only see the ip address, port and possibly the domain name of the site you are visiting. There are types of attack where this data will be for a completely legit site so will appear OK.

The URL is not sent until the encrypted connection has been set up.

Quote:

Originally Posted by rryles

You're correct that some data needs to be sent "unscrambled" to set the connection up. However this isn't enough information to decide if the connection should be flagged as a phishing attempt. Webwise will only see the ip address, port and possibly the domain name of the site you are visiting. There are types of attack where this data will be for a completely legit site so will appear OK.

The URL is not sent until the encrypted connection has been set up.

It just seems odd that something sitting at the ISP level would not be able to say https:\\aphishsite.com or https\\xxx.xxx.xxx.xxx when requested is a phishing site on their list (disregarding for the moment how complete that list is)

I confess to not knowing enough in this area though!

Hank

[Privacy_Matters]

Share Price: 925.00
Bid: 875.00
Ask: 975.00
Change: -100.00 (-9.76%)
Faller - Phorm Reg S

Says it all

[rryles]

Quote:

Originally Posted by Hank

It just seems odd that something sitting at the ISP level would not be able to say https:\\aphishsite.com or https\\xxx.xxx.xxx.xxx when requested is a phishing site on their list (disregarding for the moment how complete that list is)

I confess to not knowing enough in this area though!

Hank

Cryptography is often counterintuitive. Think of it this way: The way https was designed was to hide as much information as possible from eavesdroppers. If you visit https://www.example.com/path/file.php?do=something_bad then all that gets sent unencrypted is www.example.com*. www.example.com might be a legit site but with a poorly coded page that allows it to be used as part of a phishing attempt.




* Note: This isn't technically correct. That probably isn't even sent (unless you're using an up to date browser supporting Server Name Indication - in which case it'll likely also have a built in phishing filter). Instead the ip address for that domain is. Although to look up that address www.example.com is sent unencrypted to a DNS server.

I'm trying to keep it simple though.

[jca111]

Quote:

Originally Posted by rryles

Cryptography is often counterintuitive. Think of it this way: The way https was designed was to hide as much information as possible from eavesdroppers. If you visit https://www.example.com/path/file.php?do=something_bad then all that gets sent unencrypted is www.example.com*. www.example.com might be a legit site but with a poorly coded page that allows it to be used as part of a phishing attempt.




* Note: This isn't technically correct. That probably isn't even sent (unless you're using an up to date browser supporting Server Name Indication - in which case it'll likely also have a built in phishing filter). Instead the ip address for that domain is. Although to look up that address www.example.com is sent unencrypted to a DNS server.

I'm trying to keep it simple though.

So are phorm intercepting the DNS queries as well? Even that wouldn't work tho - as the result could easily be in your local DNS Cache.

[madslug]

Quote:

Originally Posted by HamsterWheel

I'm certain that Webwise will warn of both http and https phishing sites. I have asked them to confirm this though.

If Webwise looks at anything that is not on port 80, then BT is misleading everyone.

BT's data path clearly states: "Only HTTP traffic is processed within the Rules Engine and thereafter in the rest of the system."
http://webwise.bt.com/webwise/customer_choice.html

[rryles]

Quote:

Originally Posted by jca111

So are phorm intercepting the DNS queries as well? Even that wouldn't work tho - as the result could easily be in your local DNS Cache.

They say they only intercept port 80 so no DNS. Intercepting DNS queries would solve some of the issues but far from all. To come up with a half decent system they would have to intercept ALL traffic. Consider this:

https://258.23.239.2:22/

(IP address intentionally broken so it doesn't go anywhere)

The bottom line is this is a bad way to implement phishing protection.