Phishing: The Forever Hack

Hi, John Roberts from OpenDNS, the company which operates PhishTank.

PhishTank doesn’t block phishes, but provides free, high-quality data to lots and lots of services which use the data to protect their customers from phishing. That’s all it is intended to do, and it’s doing it well. The data is used by Yahoo Mail, Opera, Kaspersky and others (not all of whom have chosen to be named).

You can use it, too. http://www.phishtank.com/api.php

Cheers,

John

The biggest question I have with this study is: did they just show the users the pages in question, asking them to guess (is it real?), or did they ask users to navigate there? There is no hard and fast rule for whether a site is real or spoofed, but I normally don’t just click on random links or start entering personal data into a preloaded page.

A better test would be to give users a list of things to do on the web (find the Capital One login page) and see how many can do that using a search engine rather than typing in the URL box. How many users go to spoofed sites now?

Can’t we send a SEAL team to russia, china, nigeria and the like to extract the phishing and spamming royalty and execute them during a live internet feed? That would be sweeeet

There is also another layer of protection - the email client. A lot of email clients now try to detect scam emails and mark them as such.

I will agree with this 100. I have yet to come into contact with one of these sites, and hope I never do, because for one… I NEVER look at the address bar, and I am in the upper bracket of computer users, so that is kinda scary for me.

Seems to me that you’re pushing the “Fair Use” idea by copy/pasting that entire table from the PDF. It’s clear from the prose that it comes from the PDF, but I think you really ought to call out the source explicitly at top and bottom, or better yet, just use an excerpt.

If you read the study, they describe how they set it up. They gave the users a list of links to try in turn (the links were randomized) and the users were asked to determine if the website is real or not. They also used Firefox on MacOS X laptop. Given that I use IE and Windows all the time and that some of the sites I never use, I would bet I would be fooled by a fair number of sites, too. But, as others have noted, I always use my own links to get to web sites, not following links that come in via e-mail. So in the real world, I wouldn’t be as easily fooled.

It’s clear from the prose that it comes from the PDF

I would hope that’s obvious since I didn’t personally conduct the study. I don’t think quoting a single table of results is grounds for your comment.

Just a comment, a hacker isn’t a cracker.
Check this link: http://en.wikipedia.org/wiki/Hacker

… and this too: http://en.wikipedia.org/wiki/Hacker_ethic

Can’t we send a SEAL team to russia, china, nigeria and the like to extract the phishing and spamming royalty and execute them during a live internet feed? That would be sweeeet

Before you send anybody to any other country read this Anti-Phishing Work Group report. Make sure you scroll down to page 4 (Countries Hosting Phishing Sites).

http://www.apwg.com/reports/apwg_report_DEC2005_FINAL.pdf

I prefer this to the Firefox approach; once the URL is reported as a phishing site, there’s absolutely no reason to show any of its content to the user.

I would tend to prefer Firefox as it not only stops the user from going any further, but also because it may inadvertently educate users that the very real looking site behind is fake. There may be some value to showing the page.

Also, the IE page has the look of a 404 page and some users will simply glaze over it.

The full archive of the Anti-Phishing Working Group reports is here:

http://www.antiphishing.org/phishReportsArchive.html

for the month of February 2007:

unique phishing reports: 23610
unique phishing sites: 16463
brands hijacked by phishing campaigns: 135
brands comprising the top 80% of phishing campaigns: 14
Country hosting the most phishing websites: United States
Contain some form of target name in URL: 25.4 %
No hostname just IP address: 17 %
Percentage not using port 80: 2.5 %
Average time online: 4 days
Longest time online: 30 days

Thank you Jeff. I don’t know why I didn’t post the link to reports archive, just that old one :)

The reports go only this far. There is no data on “beneficiary’s” country of origin, and most of the time they are multi-national groups (http://www.sophos.com/pressoffice/news/articles/2006/11/phishing-arrests.html)

Contain some form of target name in URL: 25.4 %

While working on security solutions we have discovered that a lot of phishing sites/pages (even those containing some form of target name) are hijacked sites and pages. So it’s not that all phishing sites are deliberately hosted by their registered owners. General tightening of security on your own website/hosting helps prevent phishing. One thing is when a site is hacked and data is lost; another thing is when an innocent site suddenly starts spreading malware or hosting phishing pages.

Lots of people are saying “Only use your bookmark for banking websites, don’t click on a link”, but that’s not guaranteed to be safe either. I came across a home PC recently that had been infected with a virus, and the “HOSTS” file contained a bunch of fake DNS entries. In other words, you could use an existing bookmark or type in the real URL for your bank, and you’d be redirected to the fake site. (I was involved in this because the person who owned the PC recognised that the website looked different to normal.)
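The HOSTS-file hijack described in the comment above is easy to check for on a machine you administer. The script below is an added example, not code from the original thread: it parses HOSTS-file text and flags any watched domain (the watch list and the sample file contents are constructed for illustration) that has been pinned to an address outside the loopback range, which is exactly the pattern that makes a correct bookmark land on a fake site.

```python
"""Scan HOSTS-file text for watched domains pinned to non-local addresses.

Added example (not from the original thread). WATCHED_DOMAINS and
SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress

# Constructed watch list: names that should only ever resolve via DNS.
WATCHED_DOMAINS = {"bank.example", "paypal.example", "login.example"}

# Addresses a benign HOSTS entry may map a name to (loopback / null route).
_LOCAL_NETWORKS = [ipaddress.ip_network(n)
                   for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32")]


def _is_local(addr):
    """True if addr parses as an IP inside one of the local networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in _LOCAL_NETWORKS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains (or their subdomains)
    that a HOSTS entry redirects to a non-local address."""
    hits = []
    for ip, name in parse_hosts(text):
        if _is_local(ip):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, ip))
    return hits


# Constructed sample HOSTS file: one harmless override, two hijacks.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.local            # harmless local override
203.0.113.7     www.bank.example bank.example   # bank pinned to a stranger's server
198.51.100.9    www.login.example
"""

if __name__ == "__main__":
    for name, ip in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

On a real machine you would feed the function the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`; entries for names you never added yourself are the ones worth investigating, since a malware-written override survives reboots and defeats both bookmarks and typed URLs.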

A lot of the problem, I think, can be stopped when the site gets registered. If ICANN gets a request for a domain called paypal.scam.com they should be able to flag that and contact the registered paypal.com account to make sure it’s supposed to be there. Of course, some discretion should be used. PayPal really doesn’t need to know if I register a domain that’s called paypalsucks.com. The phrase “Policing the Internet” comes to mind here.

Still, the point is ICANN should be able to prevent many of the phishing sites before they even go up.
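Both the APWG figures quoted earlier in the thread (target name in the URL, bare IP address instead of a hostname, port other than 80) and the registration-time check proposed in the comment above come down to the same URL-level heuristics. The script below is an added example, not code from the thread or from APWG or ICANN: it computes those indicators over a handful of constructed URLs, with a constructed brand list, and deliberately includes the `paypalsucks` case to show the false positive the commenter says needs discretion.

```python
"""URL-level phishing indicators: brand name in URL, IP-address host,
non-default port.  Added example; BRANDS and SAMPLE_URLS are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of protected brand names, matched case-insensitively.
BRANDS = ("paypal", "capitalone", "bankofamerica")


def _registrable_label(hostname):
    """Crude second-level label: 'paypal' from 'www.paypal.com'.
    Assumption: no public-suffix handling is needed for this demo."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else hostname


def analyse_url(url):
    """Return the indicator dictionary for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        ip_host = True                      # "No hostname just IP address"
    except ValueError:
        ip_host = False
    default_port = {"http": 80, "https": 443}.get(parts.scheme, 80)
    port = parts.port or default_port
    lowered = url.lower()
    brand_hits = [b for b in BRANDS if b in lowered]
    # A brand in the URL is only "owned" when it is the registrable label
    # itself; anywhere else (subdomain, path, lookalike) it is an indicator.
    not_owner = [b for b in brand_hits if _registrable_label(host) != b]
    return {
        "host": host,
        "ip_host": ip_host,
        "non_default_port": port != default_port,
        "brand_in_url": bool(brand_hits),
        "brand_not_owner": not_owner,
    }


def looks_like_phish(url):
    """Coarse verdict: IP host, or a brand name the domain does not own."""
    f = analyse_url(url)
    return f["ip_host"] or bool(f["brand_not_owner"])


# Constructed sample URLs covering each indicator and one false positive.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",                    # brand owns the domain
    "http://paypal.scam.example/login",                 # brand as a subdomain
    "http://203.0.113.5/capitalone/login.htm",          # bare IP host
    "http://secure-login.example:8080/bankofamerica/",  # odd port, brand in path
    "http://paypalsucks.example/",                      # criticism site: flagged!
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{'PHISH?' if looks_like_phish(u) else 'ok    '} {u} {analyse_url(u)}")
```

The last sample is the point of the discretion caveat: a substring match on a brand name flags `paypalsucks.example` just as readily as `paypal.scam.example`, so any registration-time or URL-feed filter built on these indicators needs a human review step rather than automatic blocking.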

I can see the argument for IE’s method: users are indeed stupid. Consider, however, that Firefox users are generally smarter and more computer savvy than IE users, and probably more entitled to the option of viewing the page.

At the bottom of this problem lies the built-in lack of safety on the Internet, specifically the fact that mass e-mails are basically free and the sender is easily forged.

If ISPs would simply block mass e-mails unless the sender was validated not to be a spammer (whitelist), and if ISPs would simply refuse to transfer e-mails without a secure identification of the sender… this wouldn’t be a problem at all, since the links to phishing websites would never get to their victims.

Coincidentally, virtually all other spam and viruses would vanish, too. So why doesn’t it happen? Because ISPs like the business of spammers and don’t want to invest in security, especially if it might inconvenience their users.

As long as e-mail is free, global, and anonymous this won’t go away.

Bank of America’s online banking website uses a “two-way” authentication. That is, while I have to identify myself to the BofA site to access my online banking, the site also has to identify itself to me. It does so by displaying a unique identifying signature (the “SiteKey”) on the login page. I chose the signature privately, over a secure connection, when I registered for online banking in the first place. No phisher knows what it is, so absent a seriously sophisticated man-in-the-middle attack, no one can spoof “my” BofA login page.

I provide my credentials to the site, the site provides its credentials to me, and we decide to trust each other.

Please don’t use the word “Hack” when you mean “crack”. A hacker is one who knows a lot about computers (including ultra-secret tricks) and works on them a lot. A cracker is somebody who thwarts protection. A phreaker is extinct, but is a person who cracks the phone system (you used to be able to hear the telephone network doing its stuff when you made a long-distance call). Look up “The New Hacker’s Dictionary” - it’s a very good reference to jargon, a newer version of the Jargon File.