AOL Blocking Phish Sites
One way the unscrupulous gain access to your personal information is to use “social engineering” to trick you into clicking on a link that takes you to a different website than the one you think you are going to. If you get those emails that say “Go to https://www.ebay.com/some-long-string-of-numbers-and-letters to verify your account” and you end up at “http://www.phisherheaven.com/now-we-can-steal-your-identity” when you click on the link, then you know what I’m talking about.
Now, the good guys are starting to fight back. Qualcomm’s Eudora 6.2 email program will examine the URL and pop up a tooltip to tell you if a link goes some place other than where it says it is going. AOL has also announced it will begin to work internally and with partners to identify and block member access to phishing sites.
This is good news. Even though Eudora’s warning is a good thing, too many people still click on those links without thinking about what they are doing. If ISPs simply blocked access to the sites as they are discovered, then incidents of identity theft would plummet.
Is this approach fraught with peril? Certainly it is. Blocking access to a site based upon its content is a dangerous and often unpopular thing to do. And make no mistake, the blocking AOL is talking about is content-based, i.e., if the site’s content demonstrates that it is an attempt to phish personal information from AOL’s users, then AOL will block it based upon its content.
This brings up the question of who watches the watchers. Already this week AOL has been sued over the actions of one of its chatroom monitors. If the person who runs the list for AOL decides, for instance, that they do not like this blog, who is watching to make sure that this domain does not end up on the list? AOL has promised not to do so, but who is watching to make sure that doesn’t happen?
Only AOL can answer that.
MickC @ April 20, 2005


