This page demonstrates how the Saphe solution protects the user's information from all the known Phishing attack methods.
Passive Phishing includes:
- Passive impersonation of the real server
Active Phishing includes:
- Active impersonation of the real server (involving the real server)
- DNS poisoning
- Man-in-the-Middle capabilities
Imagine the following scenario: an unsuspecting user received an e-mail from his bank, claiming that there is some kind of problem in his account, and that he can easily fix it online. A link is supplied for his convenience.
At first glance the e-mail seems OK - The language is very formal and phrased just as the user would expect from a real bank message. The sender's address seems right, and the supplied link also seems to match (more or less) the URL of the bank (as far as the user can tell). This must be a legitimate message from his bank - how else would they know what his e-mail address was? The message mentioned some problem in his account, and nobody wants problems in their account. But it seems that it can be easily solved without even getting up from his chair. "The Internet made everything so easy", he thinks to himself and follows the link.
The obedient browser opens the link, and the user looks for the small lock icon at the bottom, just as he was taught - this means that the connection is secure! The web page, which looks exactly like the real bank's login page prompts the user for his user-name and password. The user types them in without thinking twice, and solves his little 'problem'. Now the Phisher is in possession of his user-name and password.
The Phisher is therefore faced with two options: give up, or use Active Phishing methods (which the Saphe solution also protect against).
Note that some of the current anti-Phishing methods also protect from passive Phishing attacks. However, using idiosyncratic characteristics to prove that the server on the other end of the line is indeed the real server does not protect against Active Phishing, as any active Phisher will be able to mediate between the user and the real server, which will allow him to obtain the password.