Comments on: Fundraising Widgets = Possible Phishing Attack http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack Confessions of a Non-Profit Executive Director Mon, 15 Mar 2010 09:12:34 -0400 http://wordpress.org/?v=abc hourly 1 By: Rachel http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack/comment-page-1#comment-100594 Rachel Fri, 11 Sep 2009 22:47:28 +0000 http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack#comment-100594 Hi Ryan, Can you say more about how that could be done? Rachel Hi Ryan,
Can you say more about how that could be done?
Rachel

]]> By: abenamer http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack/comment-page-1#comment-1520 abenamer Sun, 24 Dec 2006 17:48:54 +0000 http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack#comment-1520 Agreed. It is still possible to create a fake site as part of your phishing campaign. The problem here is that people (including myself) immediately assume that these widgets are somehow safe despite the fact that they're hosted on other people's websites. So... the normal assumptions associated with fake phishing sites no longer apply. This is not a good thing. People will have to add yet another weapon to their phishing detection arsenal. Agreed. It is still possible to create a fake site as part of your phishing campaign. The problem here is that people (including myself) immediately assume that these widgets are somehow safe despite the fact that they’re hosted on other people’s websites. So… the normal assumptions associated with fake phishing sites no longer apply. This is not a good thing. People will have to add yet another weapon to their phishing detection arsenal.

]]> By: Ryan Ozimek http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack/comment-page-1#comment-1514 Ryan Ozimek Sun, 24 Dec 2006 16:09:51 +0000 http://www.nonprofittechblog.org/fundraising-widgets-possible-phishing-attack#comment-1514 Great points, but I wonder if it's the widgets themselves that are the issue here. Seems like even in a time long ago, pre-widget era (somewhere between Web 1.0 and Web 2.0) you could make basic HTML Web pages that looked just like that of an official non-profit, and run your phising campaign. It seems to me that what could really be used here is a "Verified by XXX" icon, dynamically generated on donation pages, much like those Verisign buttons you get when you go to make a payment on an SSL page verified by Verisign. That way, no matter if someone is coming from a widget or a full Web site, when they land on the donation processing page they can be assured that the organization is legit. Best, Ryan Great points, but I wonder if it’s the widgets themselves that are the issue here. Seems like even in a time long ago, pre-widget era (somewhere between Web 1.0 and Web 2.0) you could make basic HTML Web pages that looked just like that of an official non-profit, and run your phising campaign.

It seems to me that what could really be used here is a “Verified by XXX” icon, dynamically generated on donation pages, much like those Verisign buttons you get when you go to make a payment on an SSL page verified by Verisign. That way, no matter if someone is coming from a widget or a full Web site, when they land on the donation processing page they can be assured that the organization is legit.

Best,
Ryan

]]>