PhishTank is operated by OpenDNS, a free service that makes your Internet safer, faster, and smarter.

November, 2006

Another real bank site which confuses people: nwolb.com

posted by John Roberts on November 30th, 2006 in Banks, PhishTank, Verifying phishes, Voting

Four weeks ago, I shared the interesting case of 53.com, a real bank website whose numerical domain name confuses some members of the PhishTank community (not easy… discerning bunch!). The submission cited in that post remains undecided, although it’s (correctly) leaning toward “NOT a phish.”

I want to call attention to another example today.

The submission is 36895. There are nearly 250 votes on this submission, with a slight majority correctly recognizing that this is NOT a phish.

Why the confusion? The website is branded as NatWest, a major bank in the United Kingdom, but the domain name is nwolb.com (go to the submission to see the entire URL submitted).

The registrant for nwolb.com is:

The Royal Bank of Scotland Group plc
Waterhouse Square
138-142 Holborn
London EC1N 2TH
UK

NatWest was purchased by Royal Bank of Scotland Group in 2000, so this is legit.

You can also simply start at NatWest.com. Click the button at the top right titled “Log in.” The link redirects to…you guessed it…https://www.nwolb.com/ (with lots of other session/security stuff on the end of the URL).

I’m sure there are technical reasons, or historical business reasons, why the online bank lives on a different URL than the corporate website, but it’s certainly led to some confusion among an ever-more cautious online crowd.

If you have not yet voted on 36895, please vote “NOT a phish.”
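The check described above (start from the brand's own site, follow the log-in link, and compare where it lands with the submitted URL), as an added Python example that is not part of the original post. The redirect chain, paths and query strings are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: recorded responses as {requested URL: (status, Location header)}.
# Paths and query strings are placeholders, not real NatWest URLs.
START = "https://www.natwest.com/login"
SAMPLE = {
    START: (302, "//www.nwolb.com/default.aspx?s=PLACEHOLDER"),    # scheme-relative
    "https://www.nwolb.com/default.aspx?s=PLACEHOLDER": (302, "/login.aspx?s=PLACEHOLDER"),
    "https://www.nwolb.com/login.aspx?s=PLACEHOLDER": (200, None),
}

def final_landing(start, responses, max_hops=5):
    """Follow recorded redirects from the brand's own link to the final URL."""
    url, seen = start, set()
    for _ in range(max_hops + 1):
        if url in seen:
            raise ValueError("redirect loop")
        seen.add(url)
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or not location:
            return url
        nxt = urljoin(url, location)  # resolves relative and scheme-relative values
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme != "https":
            raise ValueError("HTTPS downgraded during redirect")
        url = nxt
    raise ValueError("too many redirects")

def host_of(url):
    """Parsed hostname, lower-cased, without userinfo, port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches_official_login(submitted, start, responses):
    """True only if the submitted URL is on the exact host the brand's link lands on."""
    return host_of(submitted) == host_of(final_landing(start, responses))

if __name__ == "__main__":
    for candidate in (
        "https://www.nwolb.com/default.aspx?s=PLACEHOLDER",  # the real landing host
        "https://www.nwolb.com.login.example/default.aspx",  # brand as a subdomain label
        "https://www.nwolb.com@login.example/",              # brand in the userinfo part
    ):
        print(candidate, matches_official_login(candidate, START, SAMPLE))
```

Comparing parsed hostnames rather than searching the URL string for "nwolb.com" is what lets the last two constructed look-alikes fail while the genuine landing host passes.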

Related note

In the comments about 53.com, some asked why we (the PhishTank administrators) don’t go ahead and decide this submission once and for all. My answer remains the same: as long as this is undecided, we will not step in. PhishTank administrators will step in to overrule false positives, if necessary. It rarely has been: maybe three times in nearly 25,000 submissions as I write this post.

The moderators are instrumental in flagging confusing submissions and drawing attention to possible problems, though they don’t overrule the community.

Carnegie Mellon U. tests phish-blocking with PhishTank data

posted by Allison on November 27th, 2006 in Data, PhishTank, PhishTank in the news, Phishing news

According to an article I just read on HeiseSecurity.co.uk, PhishTank has been used by another group to test phish blocking effectiveness in anti-phishing browser toolbars. This time it was Pittsburgh, PA, USA’s Carnegie Mellon University doing the testing. If you’re interested, read the full PDF report here.

Introducing the first PhishTank moderators

posted by John Roberts on November 23rd, 2006 in Community, Moderators, PhishTank

You may have noticed that problem submissions are getting resolved and addressed faster than ever. The credit goes, in large part, to a volunteer team which has been quietly contributing for a few weeks now: the PhishTank moderators. I’ve been remiss in calling attention to their additional efforts, so I wanted to wish every member of the community an American “Happy Thanksgiving” and give a public shout out to these moderators. They’ve made our job (as PhishTank administrators) much, much easier.

The first PhishTank moderators

Simurgh, clubjuggle, funchords, micha, Sedna, spamfighter, and Chris1948 are all on the job.

Moderators are noted as such on their public user page.

More information

All of the PhishTank moderators are volunteers. In fact, all of them were asked to participate, and they kindly agreed. There is no set commitment of time or energy, just a sense of stewardship and a willingness to help make the site and community work better.

Moderators have the following extra actions available to them on the site:

  • Ability to mark a submission ONLINE or Offline.
  • Ability to change the selected phish URL being voted on for a submission.
  • Ability to see and resolve the “flags” that any community members can set, whether for ONLINE/Offline status or screenshots or other concerns.
  • Ability to scan an admin page to see which submissions have the most “flags.”

These functions mostly exist to complement the software and to correct it where it is led astray.

Problems with PhishTank are not the fault of moderators. Keep speaking up about how we can improve… the moderators certainly are, and we welcome the feedback and the energy. Note: We’re not seeking out extra moderators, but we don’t have a limit or a quota.

Be sure that we won’t stop asking for help!

ps – Added Char on November 29, 2006.

PhishTank bookmarklets start to appear

posted by John Roberts on November 20th, 2006 in Bookmarklet, Browser, Data, Developers, Firefox, Opera, PhishTank, Safari

Bookmarklets are browser bookmarks with a bit of extra functionality mixed in, usually via JavaScript.

In response to my request on Friday for a PhishTank bookmarklet, two folks stepped up already, bouncing blog posts and comments back and forth.

Amit Chakradeo started by creating a Firefox 2.0 bookmarklet. Till saw Amit’s comment, and then went to work on his own PhishTank bookmarklet, which works in Firefox, Safari, and Opera (at least). Till also commented on Amit’s blog, pointing out his extra step.

Nice collaboration!

ps – On a semi-related note, I should point out that the Firefox extension PhishTank SiteChecker has a new home due to some bandwidth issues on MASA’s site.

Update to simple method for checking individual URLs

posted by John Roberts on November 15th, 2006 in API, Developers, PhishTank

A couple of weeks ago, Mike introduced a simple developer method for checking individual URLs for “phishiness” outside of the API. There have been edge cases where the submitted URL was too long, going beyond the legal limit of a GET request.

So, the method has been updated, and you should read the details. The original method will be supported, but it’s being deprecated in favor of a POST-based method.

We’ve had a request for a PhishTank bookmarklet… anyone out there want to write one? We’ll promote it. I think this POST method is probably a nice, lightweight way to implement it, but I’m not a developer. ;-)

Data about phishers at the right cost (free)

posted by John Roberts on November 14th, 2006 in API, Community, Data, PhishTank, PhishTank in the news, XML

I read the SecurityProNews article “Sites Want To Hook And Gut Phishers” with interest this morning. The article’s summary:

A trio of websites offer people the opportunity to report the phish emails they receive in order to thwart the various scams and their perpetrators.

Three different sites are included in the round-up: PhishTank, CastleCops, and Symantec’s Phish Report Network.

At OpenDNS (operators of PhishTank), we’re fans of CastleCops. Their work is excellent, and their efforts in the broader anti-abuse community are notable. We shared our gratitude in July.

However, I don’t think the Phish Report Network site belongs in the same category, for two key reasons: the lack of information about submissions and the hefty price of their data.

Submitting to a black hole

Submitting phish to the Phish Report Network is dumping your submissions into a black hole. (And they didn’t even accept submissions from individuals until October 2006… wonder if PhishTank’s launch had something to do with that?)

I just took a live phish site from PhishTank and submitted it, after agreeing to a license and filling out a Captcha. Those hoops are not necessarily a bad idea to weed out spurious submissions, but here’s all I was told after the submission was received.

CONFIRMATION

Your submission has been sent Tue Nov 14 09:46:06 PST 2006. To make another submission, click here.

Sincerely,

Symantec Security Response

Couldn’t the page at least say thanks?

Outside of the lack of human touch, there is no insight into what the final judgment might be, when such judgment will be rendered, and by whom. There is literally no way to follow up.

PhishTank shows you your activity, and gives you email updates (if you want them) and an RSS feed to track your submissions. Go to your My Account page to learn how your contributions are being judged.

The price of data

The data gathered and verified by Symantec’s site is only available if you pay for it. How much? US$50,000 per year.

On behalf of OpenDNS, I inquired about a license to the data on July 12, 2006. On August 8, 2006, I got an apologetic response for the delay. On August 9, 2006, I got a copy of the contract, with its US$50,000 price tag for the year. I declined to go any further.

I have nothing against businesses charging for a service, and perhaps Symantec is finding customers who find this a valuable source of data. It’s hard to know, since they give out little information about who’s using the data and how much data there is. PhishTank statistics are wide open.

PhishTank was set up to help the Internet at large and solve a business problem for OpenDNS (the common need for better data about phishing sites). The reason PhishTank works is because the data is freely available to all, from the free, open API to the XML data file or the lightweight method.

My suggestion to Symantec? Add data from PhishTank to your Phish Report Network. It’s free. And if you’d like to share your submissions with PhishTank, we’re happy to help make it work.

Mozilla found the data worth testing with, at least.

PhishTank data’s so good, it’s the standard

posted by Allison on November 14th, 2006 in API, Data, Firefox, PhishTank, SiteChecker

Everyone who has ever submitted a phish to or verified a phish for PhishTank deserves a pat on the back today. Congrats to all of you for contributing to the phishing data source chosen by Mozilla to compare phishing protection in Firefox 2.0 to Internet Explorer 7.

That’s right. You read correctly. Mozilla chose PhishTank over all of the other phishing data sources available to test the effectiveness of new phishing protection features in the two browsers.

The way the testing worked is this: Mozilla contracted third-party evaluator Smartware to track Firefox 2.0 and IE7’s respective accuracy rates in identifying phishing scams. The same scams that were originally netted and verified by you.

In the end, Firefox 2.0 found and blocked 243 phishing Web sites that IE7 failed to identify, and was deemed the better of the two at keeping you safe from phishing.

Brian Krebs of Washington Post went into greater detail about the testing, and mentioned PhishTank SiteChecker, a Firefox extension.

Though we admittedly have Firefox and Internet Explorer on the brain today, we urge everyone making a browser to use PhishTank data (API, Data File, Check URL Method).

WOT uses PhishTank data

posted by John Roberts on November 11th, 2006 in Data, Extension, Firefox, PhishTank

The team at WOT announced today that their website reputation service WOT is “Now with PhishTank.” WOT is a free service that provides website reputation information for users.

Sami from WOT wrote:

We would like to thank OpenDNS and the people at PhishTank for their contribution to web safety.

WOT uses data from lots of sources, including its users. PhishTank is now part of the mix, via the downloadable data file.

Thanks to the entire PhishTank community for participating: your work is being applied all over the place. I love seeing the ripples spread far and wide. We told as many people as possible about PhishTank at ISPCON. There was plenty of interest, and more services and products will incorporate PhishTank data in the near future.

Money Mules: laundering out the phish smell

posted by John Roberts on November 10th, 2006 in Members, Mules, PhishTank, Safety, Verifying phishes, Voting

The following post was written by PhishTank member funchords, a very active member of the community, and currently the top submitter to PhishTank.


Submission 22779 is such a professional-looking employment ad, one might even wonder why it was submitted as a suspected phish site. Most likely, redpriest realized that the ad was looking for a Money Mule — a person who launders phishy money through their personal accounts and moves it overseas.

It’s both illegal and risky — and most Money Mules end up getting burned as soon as the phish-site victims realize that their credit cards or identities have been compromised. In addition to possible trouble with the police, the Money Mule gets to pay back the banks and institutions that were involved in the fraud. Money Mules take all the heat while the real crooks disappear into anonymity.

So why was Submission 22779 marked “Verified: Is NOT a phish?” Because, even though it probably is related to phishing, it really is not a phish. It isn’t masquerading as an institution one already trusts in order to obtain financial information.

While PhishTank endeavors to quickly and accurately identify Phish, our friends at CastleCops.com specialize in working with government and internet concerns to shut these criminals down. CastleCops has an e-mail address to report suspected Money Mule advertisements: mules@castlecops.com.

Got a phish? As always, throw it in the PhishTank. But if the crooks are “fishing” for a Money Mule, then report it to mules@castlecops.com.

Help a developer debug a PHP class for using the PhishTank API

posted by John Roberts on November 10th, 2006 in API, Developers, PHP, PhishTank

David Branco is working on a PHP class, which he calls PhishTank Runner. The goal of PhishTank Runner is to make working with the PhishTank API very easy in that language. We haven’t had time to take a look at the code ourselves, but we shouldn’t be the bottleneck. If you’re a PHP developer, or otherwise experienced, David is eager for feedback. His email address is in the code.

The PHP source code is here:
http://www.neoeliteusa.com/demo/phishtank.class.phps

We’re not “endorsing” this code, but I’m pleased that David is interested in helping out, and I think constructive criticism helps us all in this regard. This is a new step for us, but we want to continue to encourage developers to help us spread the PhishTank community’s work to as many places as possible. There won’t be one way, but many.

We know the PhishTank API documentation would benefit from code examples, so if there’s good stuff out there people are willing to share, please let us know.
