Data about phishers at the right cost (free)
posted by John Roberts on November 14th, 2006 in PhishTank, API, Community, PhishTank in the news, Data, XML
I read the SecurityProNews article “Sites Want To Hook And Gut Phishers” with interest this morning. The article’s summary:
A trio of websites offer people the opportunity to report the phish emails they receive in order to thwart the various scams and their perpetrators.
Three different sites are included in the round-up: PhishTank, CastleCops, and Symantec’s Phish Report Network.
At OpenDNS (operators of PhishTank), we’re fans of CastleCops. Their work is excellent, and their efforts in the broader anti-abuse community are notable. We shared our gratitude in July.
However, I don’t think the Phish Report Network site belongs in the same category, for two key reasons: the lack of information about submissions and the hefty price of their data.
Submitting to a black hole
Submitting phish to the Phish Report Network is dumping your submissions into a black hole. (And they didn’t even accept submissions from individuals until October 2006… wonder if PhishTank’s launch had something to do with that?)
I just took a live phish site from PhishTank and submitted it, after agreeing to a license and filling out a Captcha. Those hoops are not necessarily a bad idea to weed out spurious submissions, but here’s all I was told after the submission was received.
CONFIRMATION
Your submission has been sent Tue Nov 14 09:46:06 PST 2006. To make another submission, click here.
Sincerely,
Symantec Security Response
Couldn’t the page at least say thanks?
Outside of the lack of human touch, there is no insight into what the final judgment might be, when such judgment will be rendered, and by whom. There is literally no way to follow up.
PhishTank shows you your activity, and gives you email updates (if you want them) and an RSS feed to track your submissions. Go to your My Account page to learn how your contributions are being judged.
The price of data
The data gathered and verified by Symantec’s site is only available if you pay for it. How much? US$50,000 per year.
On behalf of OpenDNS, I inquired about a license to the data on July 12, 2006. On August 8, 2006, I got an apologetic response for the delay. On August 9, 2006, I got a copy of the contract, with its US$50,000 price tag for the year. I declined to go any further.
I have nothing against businesses charging for a service, and perhaps Symantec is finding customers who find this a valuable source of data. It’s hard to know, since they give out little information about who’s using the data and how much data there is. PhishTank statistics are wide open.
PhishTank was set up to help the Internet at large and solve a business problem for OpenDNS (the common need for better data about phishing sites). PhishTank works because the data is freely available to all, from the free, open API to the XML data file or the lightweight method.
My suggestion to Symantec? Add data from PhishTank to your Phish Report Network. It’s free. And if you’d like to share your submissions with PhishTank, we’re happy to help make it work.
Mozilla found the data worth testing with, at least.


Ilgaz
Well here is what happened just 2 months ago with Symantec.
I check my bulk mail for reporting native language spams (via spamcop.net) and notice there is a perfect message, without any phish URL having 8kb attachment coming from (!) Mastercard/Visa.
8kb exe attachment downloaded fine to my Macintosh undetected by Antivirus “powered by Symantec”. Not forgetting how many yahoo mail users trusting to it, I got alerted and submitted file to Kaspersky online scanner. “Trojan” (of course!). I tried to be nice and submitted file to Symantec as undetected, their online scanner doesn’t detect too.
6-7 hours passed making me anxious enough to find some of Yahoo admins on IRC by guessing channels.
7 hours later Symantec replied “Already in database” bragging about their products, of course other vendors still being nice to them (in fact, their users) must have shared the signature.
Same trojan, changed a bit came 1 month later to my yahoo INBOX, again undetected. This time, I contacted yahoo people directly and alerted them even saving the horrible “No virus detected” as PDF file.
I wonder if they ask $50.000 for phish urls, how much $$$ Yahoo must have paid for that pathetic antivirus?
I am not feeling sorry for them, I am not CEO of Yahoo or shareholder but the money comes back to Yahoo users as overpriced Pop3, undetected pure asm (8kb) trojans etc.
They could support Clam project, a perfect tool for mail scanning fit to their setup or.. they could use a real working antivirus such as Kaspersky.
— posted by Ilgaz on November 15th, 2006 at 9:32 am
Steve Basford
ClamAV engine is also good for creating your own phishing signatures, like I’ve done for free here:
http://sanesecurity.com/clamav
:)
— posted by Steve Basford on November 15th, 2006 at 4:28 pm
MASA
Your feeds stopped updating since the 14 of this month
— posted by MASA on November 25th, 2006 at 8:41 pm