I’ve bemoaned Safari’s lack of anti-phishing features for a while now to anyone who will listen (and sometimes even for Macworld). For those of you who aren’t as paranoid as I am, phishing is a type of attack that typically involves a fraudulent email which appears to be from a legitimate source (perhaps your bank or eBay). Clicking a link in one of these emails takes you to a Web site crafted for one purpose: to steal your login information. The Web site looks legit, but it is, in fact, nefarious.
It looks like someone in Cupertino was listening to my frequent caterwauling. Apple yesterday released Safari 3.2, which addresses a number of security issues (detailed here) and also adds a new setting in the Safari Security preferences: ‘Warn when visiting a fraudulent website.’ Finally, Safari offers the same protection that the other major web browsers have had for a while now.
Safari 3.2 is available via Software Update or you can download it directly for Tiger, Leopard, or Windows.
Also worth noting is this Knowledge Base article that Apple recently posted. It outlines a few tips that will help you figure out if an email is legit or if it is a phishing attempt (the article is aimed at MobileMe users, but many of the tips are helpful to anyone who uses email).
I'm very curious to know if Safari is using PhishTank, Google's database, or its own database that Apple maintains.
Or here's a thought: always use your own links or bookmarks. Never click a link from an email. Period - at least when your finances are involved. If you do, you deserve whatever scam you fell for IMO.
Just another phishy story. You should have seen the one that got away!
In response to what Walt said, I would like to point out that phishing scams are becoming frighteningly sophisticated.
The advice that he gives is a sensible precaution against the classic phishing techniques, but won't help in instances where an un-patched DNS server has been compromised with a cache poisoning exploit, or indeed some other exploit has been used either on the browser or server.
In such cases the user may even type in the correct URL manually and still have their details stolen.
Even phishing detectors on browsers can't detect all these exploits.
The only real protection is vigilance and using whatever tools are available.
With this in mind, I am that little bit more confident using Safari for online business and financial transactions now.