Comments on: PhishTank numbers skyrocket in April

by: Mads Dam

Sun, 24 Jun 2007 11:36:28 +0000

I agree, that verification could be speeded up.

As it is now, phishers can create a single page, and present it as a dozen different sites by shifting one of the subdomains (or similar). That’s highly efficient if the purpose is to confuse. We need something similar to counter that. How about wildcards..?

by: John Roberts

Fri, 25 May 2007 16:54:07 +0000

@Ilgaz - One of the submitters is the Anti-Phishing Working Group, and they link to PhishTank as a research partner now on their website.

by: Ilgaz

Mon, 21 May 2007 10:37:14 +0000

I don’t want to sound negative or not appreciating but if you submit 8000 phishes to entirely user based site, you are expected to find army of users to validate them. I advertise Phishtank on every occasion I can find on topic of course.

I have found very very evil phishes lately and submitted them, all went offline before they would even get verified by single user.

I am expecting the hidden submitters to at least advertise phishtank via a gif or something on their technical user oriented pages.

by: Light Blue Touchpaper » How quickly are phishing websites taken down?

Wed, 16 May 2007 18:21:10 +0000

[…] We believe that one important advance would be to reduce the information asymmetry for the defenders. Phishers obfuscate their behaviour and make sites appear independent and thereby phishing appears to many to be an intractable problem. Security vendors are happy to accept inflated (and ever-increasing) statistics to make the problem seem more important and even PhishTank trumpets the increase in the number of reports rather than their true uniqueness. Law enforcement will not prioritise investigations if there appear to be hundreds of small-scale phishing attacks, whereas their response would be different if there were just a handful of people involved. Hence, improving the measurement systems, and better identifying patterns of similar behaviour, will give defenders the opportunity to focus their response upon a smaller number of unique phishing gangs. […]

by: John Roberts

Fri, 11 May 2007 16:49:26 +0000

Mark, Shashank, and Esa:

PhishTank is not ineffective. But you are all correct that we must improve in two areas: handling of wildcard phishes & overall performance. There’s been more discussion of the former, and repeated work on the latter. More is needed, on both counts.

If you are developers, and want to contribute directly on either front, please let me know.

first name at opendns com

Thanks,

John

by: Esa Laitinen

Fri, 11 May 2007 08:19:13 +0000

Currently rock phish entries form at least 90% of the total mass of the ‘tank. Most/all of these could currently be autoapproved with 0 false positives using ONE regex only slightly more complicated than what ChamPro mentioned. There are other telltale signs that could checked for extra protection.

The current situation where voters have to shift thru masses of identical entries creates real problems. Timeliness of the information is one.
Another is that the numbing routine will create false positives (last night I found 3 or 4 FPs in 53.com domain, all approved by very experienced contributors).
The third is that having to shift thru masses of identical entries will cause volunteers dropping out. This is a voluntary contribution for most of us, and the clock starts ticking when it stops being fun.

by: Shashank Tripathi

Wed, 09 May 2007 03:21:32 +0000

Fully agree with Mark. PhishTank is a noble effort but highly ineffective as it stands today. In the last two days I have tried about 10 queries of URLs that were already identified within Firefox as phished (Firefox 2 uses Google’s Safe Browsing thingie). Some were not even in the PhishTank database, while others were listed but not yet qualified as phishes. This is not a scalable model. Instead of gloating posts reporting growing usage numbers, I’d like to see the team come up with the kind of algorithms that make Google’s or Netcraft’s system to on-the-ball and thus effective. Keep up the effort!

by: Mark Freedman

Wed, 02 May 2007 17:37:03 +0000

While the longer median time to verify can be attributed simply to a much greater pool of phishes to verify, it also means the utility of Phishtank is seriously impaired as the phish is doing it’s dirty business during the unaccepatbly long periods it takes to get the verifications done. I can tell you with just a few exceptions, every valid Phish I’ve submitted was already identified as a Phish by Netcraft.

The methodology for verification must be changed to ensure timely verification of the larger pool of phishes, or you must have a far larger pool of volunteers to do the verifications. As it is, with a small group of volunteers, they’re going to burn out and/or make false positive mistakes as they make short-cut assumptions in order to get through the avalanche of submissions.

What’s the plan to fix the broken process?

by: ChamPro

Wed, 02 May 2007 13:03:23 +0000

With all the recent influx of mass phish reports, I’d like to present a controversial topic and method to help us get through the back log. I know you don’t do auto-approval filters on this site, but adding a couple would greatly increase productivity in the amount of phishes that could be verified by actual people.

These phishes (and all the bajillion others like if that I’ve clicked on) could be eliminated with a pretty simple wildcard filter.

#209606 http://www.53.com.wps08926q-portal84765.skonhome.at/verify/busupdate
#208582 http://businessbanking.53.com.session8993708724.itfrent.cn/clientbase/form.asp
#218965 http://business-eb.client8013512-form.bbt.com.sruycci.info/clients/form/b_form.jsp
#216138 http://business-eb.ibanking-services8606329x.bbt.com.wrabret.biz/confirm/business/sb_verify.jsp

Use a filter like http://businessbanking.53.com.session*.*.*/clientbase/form.asp with * being a wildcard of any number of characters. Yes, that is really vague but you could make it more specific by specifying whether the wildcard represents a number or a letter.

Clearly, the phishers are using their own scripts to generate the site names. You could even eliminate them one server at a time:
http://businessbanking.53.com.session*.rixtip.vg/clientbase/form.asp

To prevent filters from being generated willy nilly, you could have an approval process where so many PhishTankers or a percentage of PhishTankers have to approve the filters. I would say filters would cut the amount of submissions people have to go through in half. Especially all the phishes reported by the new “member” antiphishing. As the postmaster for our domain at work, I get emails that concern the same phishes I mentioned above on a weekly basis.

I hope this post fosters some discussion. If it was better suited for the mailing list, I apologize.