PhishTank Annual Report: U.S. telecoms hosting phishes; OpenDNS offering a solution
posted by Allison on October 9th, 2007 in Community, Data, Hosts, PhishTank, PhishTank in the news, Statistics
With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report.
The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country.
I think lots of American organizations are led to believe that phishing is something they can do nothing about, aside from simply educating themselves and their people on how to identify phoney emails. Not the case. Starting today we invite all telecoms and other organizations to search PhishTank by their ASN (Autonomous System Number) or brand name. We’ll even deliver information about phishes hosted on their network via a RSS feed. As a hosting provider, once you know about phishes on your network it’s easy to stop them.
Here’s a list of the U.S. telecoms hosting the most phishes, according to PhishTank:
1. SBC – 53,666
2. Comcast – 28,016
3. Roadrunner – 25,925
4. Charter – 12,544
5. Internet Services – 10,332
6. Inktomi Corporation – 9,293
7. XO Communications – 8,511
8. Bresnan Communications – 8,408
9. Advanced Internet Technologies – 8,274
10. Park Region Mutual Telephone Co. – 7,566
Other interesting report findings include:
18 percent of all verified phishing Web sites were hosted on just three IP addresses.
Web sites ending in “.cn” – the Top Level Domain (TLD) assigned to China – account for four of the top five Web sites with the most valid phishes.
One unique phishing scam is launched every two minutes.
You can read the full press releases about the annual report findings here and the new ASN and brand search here.
Thanks to everyone who contributed to what Brian Krebs of the Washington Post today called “one of the most comprehensive data sets ever published on [phishing], offering fascinating insights on the scope and increasing sophistication of phishing attacks.” 
Leave a response below, or send a trackback from your own site.
[...] PhishTank Annual Report: U.S. telecoms hosting phishes http://www.phishtank.com/blog/2007/10/09/phishtank-annual-report/ [...]
I am hoping the banks, financial organisations are using the FREE DATA we (you and community) using.
Seeing some phishing sites stay up for 3 days, I have serious questions about it.
The ONE ongoing issue that I want OpenDNS and PhishTank to address within their automated
method of submission is to ensure that obfuscated URL’s, in particular those utilizing the
Decimal method (ex: http://2130700433/ ) that a means for flagging that entry be made or
that it may be automatically calculated into its IP equivalent and automatically resubmitted
so it doesn’t fall through the cracks. I’ve personally calculated these IP’s and have submitted
several of them as separate entries through PhishTank so the phish itself can be targeted
and resolved.
Security issues with unpatched computers is likely one of the causes. The Society is
noticing more and more mail and ftp servers becoming compromised, especially in the
last six months or so. These scum won’t stop, and we shouldn’t either! Let’s keep the
heat on the phishes until they’re well done and ready for eating.
MM of the London Antiphishing Society (near Arkansas Nuclear One)
now in Little Rock.
It’s interesting seeing those statistics.
Did “miowpurr” really verify 221042 phishes? That’s one every 32 seconds for a working year. Are they being paid?
We now generate a report every three hours showing major domains currently exploited by phishing attacks:
http://www.sitetruth.com/reports/phishes.html
This is based on PhishTank, DMOZ, and SiteTruth data. There are only 169 major domains (ones notable enough to be in the Open Directory, which has 1.6 million domains) hosting or redirecting to active phishes. So solving this problem is within reach. Most of the problem sites are either ISPs or have an open redirector; a few are clearly break-in situations.
We’re seeing some problems with old phishes not being removed from PhishTank. If you click on the “PhishTank Example” button for each entry in our list, you’ll see a PhishTank entry marked “valid and online”. But if you follow the link to the actual page, most of the time, the page will no longer be available. And, almost always, PhishTank will report “No Screenshot Yet”, even for entries that are months old.
[...] To be sure, phishing is a real and serious problem. OpenDNS’s report says that one unique phishing scam is launched every two minutes. Even intelligent people can be bamboozled by email claiming to be from a bank or Paypal, and criminals have proven to be innovative and relentless. [...]