
PhishTank numbers skyrocket in April

posted by Allison on May 1st, 2007 in PhishTank, Statistics

It’s the first of the month again and you know what that means….

PhishTank April statistics were posted on the Web site today and the differences between April and previous months are hard not to notice. PhishTank caught 77,709 unique phishes last month and tallied a grand total of 243,500 votes. That’s impressive!

You might notice, too, that new members “antiphishing” and “PhishReporter” came in No. 1 and No. 2, respectively, in the Top Submitters list. Both members represent organizations that did more than their share of submitting in April. The longer median time to verify can be attributed simply to a much greater pool of phishes to verify.

If you’re interested, check out the press release here. Keep it up, phish fighters!

9 Responses

  1. ChamPro

    With all the recent influx of mass phish reports, I’d like to present a controversial topic and method to help us get through the backlog. I know you don’t do auto-approval filters on this site, but adding a couple would greatly increase productivity in the amount of phishes that could be verified by actual people.

    These phishes (and all the bajillion others like it that I’ve clicked on) could be eliminated with a pretty simple wildcard filter.

    #209606 http://www.53.com.wps08926q-portal84765.skonhome.at/verify/busupdate
    #208582 http://businessbanking.53.com.session8993708724.itfrent.cn/clientbase/form.asp
    #218965 http://business-eb.client8013512-form.bbt.com.sruycci.info/clients/form/b_form.jsp
    #216138 http://business-eb.ibanking-services8606329x.bbt.com.wrabret.biz/confirm/business/sb_verify.jsp

    Use a filter like http://businessbanking.53.com.session*.*.*/clientbase/form.asp with * being a wildcard of any number of characters. Yes, that is really vague but you could make it more specific by specifying whether the wildcard represents a number or a letter.

    Clearly, the phishers are using their own scripts to generate the site names. You could even eliminate them one server at a time:
    http://businessbanking.53.com.session*.rixtip.vg/clientbase/form.asp

    To prevent filters from being generated willy nilly, you could have an approval process where so many PhishTankers or a percentage of PhishTankers have to approve the filters. I would say filters would cut the amount of submissions people have to go through in half. Especially all the phishes reported by the new “member” antiphishing. As the postmaster for our domain at work, I get emails that concern the same phishes I mentioned above on a weekly basis.

    I hope this post fosters some discussion. If it was better suited for the mailing list, I apologize.

  2. Mark Freedman

    While the longer median time to verify can be attributed simply to a much greater pool of phishes to verify, it also means the utility of PhishTank is seriously impaired as the phish is doing its dirty business during the unacceptably long periods it takes to get the verifications done. I can tell you with just a few exceptions, every valid Phish I’ve submitted was already identified as a Phish by Netcraft.

    The methodology for verification must be changed to ensure timely verification of the larger pool of phishes, or you must have a far larger pool of volunteers to do the verifications. As it is, with a small group of volunteers, they’re going to burn out and/or make false positive mistakes as they make short-cut assumptions in order to get through the avalanche of submissions.

    What’s the plan to fix the broken process?

  3. Shashank Tripathi

    Fully agree with Mark. PhishTank is a noble effort but highly ineffective as it stands today. In the last two days I have tried about 10 queries of URLs that were already identified within Firefox as phished (Firefox 2 uses Google’s Safe Browsing thingie). Some were not even in the PhishTank database, while others were listed but not yet qualified as phishes. This is not a scalable model. Instead of gloating posts reporting growing usage numbers, I’d like to see the team come up with the kind of algorithms that make Google’s or Netcraft’s system so on-the-ball and thus effective. Keep up the effort!

  4. Esa Laitinen

    Currently rock phish entries form at least 90% of the total mass of the ‘tank. Most/all of these could currently be autoapproved with 0 false positives using ONE regex only slightly more complicated than what ChamPro mentioned. There are other telltale signs that could be checked for extra protection.

    The current situation where voters have to sift thru masses of identical entries creates real problems. Timeliness of the information is one.
    Another is that the numbing routine will create false positives (last night I found 3 or 4 FPs in 53.com domain, all approved by very experienced contributors).
    The third is that having to sift thru masses of identical entries will cause volunteers to drop out. This is a voluntary contribution for most of us, and the clock starts ticking when it stops being fun.

  5. John Roberts

    Mark, Shashank, and Esa:

    PhishTank is not ineffective. But you are all correct that we must improve in two areas: handling of wildcard phishes & overall performance. There’s been more discussion of the former, and repeated work on the latter. More is needed, on both counts.

    If you are developers, and want to contribute directly on either front, please let me know.

    first name at opendns com

    Thanks,

    John

  6. Light Blue Touchpaper » How quickly are phishing websites taken down?

    […] We believe that one important advance would be to reduce the information asymmetry for the defenders. Phishers obfuscate their behaviour and make sites appear independent and thereby phishing appears to many to be an intractable problem. Security vendors are happy to accept inflated (and ever-increasing) statistics to make the problem seem more important and even PhishTank trumpets the increase in the number of reports rather than their true uniqueness. Law enforcement will not prioritise investigations if there appear to be hundreds of small-scale phishing attacks, whereas their response would be different if there were just a handful of people involved. Hence, improving the measurement systems, and better identifying patterns of similar behaviour, will give defenders the opportunity to focus their response upon a smaller number of unique phishing gangs. […]

  7. Ilgaz

    I don’t want to sound negative or unappreciative, but if you submit 8000 phishes to an entirely user-based site, you are expected to find an army of users to validate them. I advertise PhishTank on every occasion I can find, on topic of course.

    I have found very very evil phishes lately and submitted them; all went offline before they would even get verified by a single user.

    I am expecting the hidden submitters to at least advertise phishtank via a gif or something on their technical user oriented pages.

  8. John Roberts

    @Ilgaz - One of the submitters is the Anti-Phishing Working Group, and they link to PhishTank as a research partner now on their website.

  9. Mads Dam

    I agree that verification could be sped up.

    As it is now, phishers can create a single page, and present it as a dozen different sites by shifting one of the subdomains (or similar). That’s highly efficient if the purpose is to confuse. We need something similar to counter that. How about wildcards..?
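The wildcard filter ChamPro proposes in the first response, and the typed wildcards he mentions, sketched as an added example (this is not PhishTank's code). The `#` and `@` tokens, the function names and the one constructed URL are assumptions; the other four URLs are the ones quoted in that comment.

```python
import re

# Assumed filter syntax (not PhishTank's): '*' is the comment's wildcard,
# narrowed here to the characters of ONE hostname label so it cannot run
# across '.' or '/'. '#' (digits only) and '@' (letters only) are the
# typed variants the comment suggests.
WILDCARDS = {"*": r"[a-z0-9-]+", "#": r"[0-9]+", "@": r"[a-z]+"}


def compile_filter(pattern: str) -> re.Pattern:
    """Translate a wildcard filter into a regex over the whole URL."""
    # Literals are escaped so the '.' in '53.com' cannot match any character.
    body = "".join(WILDCARDS.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(body, re.IGNORECASE)


def matching_ids(pattern: str, reports: dict[str, str]) -> list[str]:
    """Return ids of reports whose entire URL matches (fullmatch = anchored)."""
    rx = compile_filter(pattern)
    return [rid for rid, url in reports.items() if rx.fullmatch(url)]


# The four submissions quoted in the comment, plus one constructed URL that
# a filter must never catch: it has no extra labels after '53.com'.
REPORTS = {
    "209606": "http://www.53.com.wps08926q-portal84765.skonhome.at/verify/busupdate",
    "208582": "http://businessbanking.53.com.session8993708724.itfrent.cn/clientbase/form.asp",
    "218965": "http://business-eb.client8013512-form.bbt.com.sruycci.info/clients/form/b_form.jsp",
    "216138": "http://business-eb.ibanking-services8606329x.bbt.com.wrabret.biz/confirm/business/sb_verify.jsp",
    "constructed": "http://businessbanking.53.com/clientbase/form.asp",
}

if __name__ == "__main__":
    for flt in (
        "http://businessbanking.53.com.session*.*.*/clientbase/form.asp",
        "http://businessbanking.53.com.session*.rixtip.vg/clientbase/form.asp",
        "http://business-eb.client#-form.bbt.com.*.*/clients/form/b_form.jsp",
    ):
        print(flt, "->", matching_ids(flt, REPORTS))
```

Escaping the literal parts and matching the full URL are what keep such a filter from producing the false positives Esa Laitinen warns about; a bare `.*` for each wildcard would also match across path separators.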
