PhishTank is operated by OpenDNS, a free service that makes your Internet safer, faster, and smarter. Get started today!

'Community' Posts

What motivates you to help with PhishTank?

posted by John Roberts on December 19th, 2007 in PhishTank, Members, Community

Whatever your motivation, we salute you.

Some Carnegie Mellon University researchers would like to know more, as part of ongoing work at their CyLab on phishing in general.

We’re conducting a survey of anti-phishing volunteers, as part of ongoing
research in Human Computer Interaction regarding phishing. The survey will ask
you questions regarding how volunteers spend their time, motivations, and what
tools are important for the task. The survey should take 5-10 minutes to
complete.

Those who are willing may volunteer at the end of a survey to be interviewed.
Interviews will be held over the telephone, and we will offer a $10 gift certificate
as a token of our appreciation for those who participate in the interview. We
expect interviews will take from 30 minutes to an hour.

All personal information collected in the course of this research will be
anonymized before publication.

http://www.surveymonkey.com/s.aspx?sm=35TJTRQ4Niem30Zehbh_2fQg_3d_3d

Take a few minutes and let them know your thoughts. It’s useful when the good guys help each other.

PhishTank Annual Report: U.S. telecoms hosting phishes; OpenDNS offering a solution

posted by Allison on October 9th, 2007 in PhishTank, Statistics, Community, PhishTank in the news, Data, Hosts

With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report.

The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country.

I think lots of American organizations are led to believe that phishing is something they can do nothing about, aside from simply educating themselves and their people on how to identify phoney emails. Not the case. Starting today we invite all telecoms and other organizations to search PhishTank by their ASN (Autonomous System Number) or brand name. We’ll even deliver information about phishes hosted on their network via a RSS feed. As a hosting provider, once you know about phishes on your network it’s easy to stop them.

Here’s a list of the U.S. telecoms hosting the most phishes, according to PhishTank:

1. SBC - 53,666
2. Comcast - 28,016
3. Roadrunner - 25,925
4. Charter - 12,544
5. Internet Services - 10,332
6. Inktomi Corporation - 9,293
7. XO Communications - 8,511
8. Bresnan Communications - 8,408
9. Advanced Internet Technologies - 8,274
10. Park Region Mutual Telephone Co. - 7,566

Other interesting report findings include:

18 percent of all verified phishing Web sites were hosted on just three IP addresses.

Web sites ending in “.cn” - the Top Level Domain (TLD) assigned to China - account for four of the top five Web sites with the most valid phishes.

One unique phishing scam is launched every two minutes.

You can read the full press releases about the annual report findings here and the new ASN and brand search here.

Thanks to everyone who contributed to what Brian Krebs of the Washington Post today called “one of the most comprehensive data sets ever published on [phishing], offering fascinating insights on the scope and increasing sophistication of phishing attacks.” :)

PhishTank in the News: June 12, 2007

posted by Allison on June 12th, 2007 in PhishTank, Community, PhishTank in the news

The press spotlight is shining squarely on PhishTank. :)

Computing, a high-profile tech magazine in the UK, covered the recent findings of Cambridge University researchers, who used PhishTank data to analyze Rock Phish. PhishTank is referred to as “the largest online clearing house of phishing data.”

Back State-side, Brian Krebs of the Washington Post does his own piece on Rock Phish and uses a nifty screenshot from PhishTank to demonstrate Rock Phish submissions.

Congrats to the entire community on all the great attention.

The community grows in May, gets even faster

posted by Allison on June 1st, 2007 in PhishTank, Statistics, Community

May stats are live. Check ‘em out here.

A few things popped out at me. First off, median time to submission dropped by 11 hours down to just 19. And the total number of invalid phishes is only 739 out of more than 53,000. Not only is the community getting faster, it’s also getting more diligent about submitting.

It just keeps getting better and better. Thanks, guys. Keep it up!

Phishing data should be shared

posted by Allison on May 21st, 2007 in PhishTank, Community

And starting today, it is, between Anti-Phishing Working Group and OpenDNS.

This is a big day for us, folks, and for all of you who have worked to make PhishTank the most authoritative source of phishing data on the Web.

Anti-Phishing Working Group is big, and has a member list boasting companies like eBay, Microsoft, Yahoo!, Verisign and Cisco. They’ve been at phish-fighting since 2003 and have made great progress in raising awareness about the seriousness of Internet crime.

We’re young, but growing at lightning speed. The human approach OpenDNS and PhishTank bring to the table is an incredibly important element to combatting the problem.

Anti-Phishing Working Group and OpenDNS make a great team and we’re excited about what we can accomplish together.

[Cross-posted to PhishTank and OpenDNS blogs.]

Virginia Tech tragedy, phishing, and helping out

posted by John Roberts on April 22nd, 2007 in PhishTank, Community, Developers, Lists

As posted to the user mailing list, the Virginia Tech tragedy has prompted some unscrupulous folks to set up fake donation sites. Several of these possible scams and phishes have been submitted to the Tank by edgester, who also helps on the technology side of PhishTank.

Judge them carefully. Scams are not necessarily phish, so apply your judgment appropriately.

VTFamilies.org is a site doing the right thing. I’ve checked it out personally, after an appeal by one of the site administrators. If you want to help, or simply remember, you should visit.

I wouldn’t normally call attention to tragedies: there are simply too many. But the (possible) intersection of phishing and this story called for an exception.

PhishTank on WashingtonPost.com; phishers pretend to be Uncle Sam on tax day

posted by Allison on April 17th, 2007 in PhishTank, Community, PhishTank in the news, Verifying phishes

“Tax time means fraud time,” writes Washington Post security blogger Brian Krebs. I know you agree with Brian because you voted “is a phish” on submission #130719, a phishing site posing as the U.S. Internal Revenue Service and offering visitors their tax refund credited to their Visa or Mastercard.

PhishTank caught five IRS phishes this tax season and prevented who knows how many people from readily handing over their personal information.

Now what are you doing reading this blog? Don’t you have taxes to do? :)

The Tank is bubbling

posted by John Roberts on April 11th, 2007 in PhishTank, Members, Community, Voting

By now, most of the PhishTank community has seen the dramatic surge in submissions. It’s not malicious, but it is quite noticeable.

In the last few days, two different organizations decided, independently, to start submitting the suspicious URLs they receive to PhishTank. They benefit because the data is further validated and distributed far and wide. PhishTank benefits from some high-quality submissions, and broader coverage in its free data distribution.

Clearly, though, the new volume is dramatic.

And it didn’t help that one of the feeds went awry. The submissions were still phish (or possible phish), but the filter wasn’t tight enough. Those have been removed. Still, lots to verify at the moment.

The community has some work to do in catching up. Thank you for your patience. We are digging into small, immediate steps we can take to speed things up and make the volume manageable. Also, we’re revisiting the thorny problem of how to judge a domain.TLD combination (example.com) as a phish, so that all the wildcarded submissions which match that domain.TLD combo get the same designation. We know this would help dramatically.

This is not simple, but it has been discussed before, so we’re not starting from scratch. The community’s time and attention is valuable; we do not want to waste it. We also don’t want to lose the collaborative human judgment that makes PhishTank so useful to the Internet at large.

Please don’t stop telling us where we can get better, and don’t stop voting/submitting/flagging. I’d remind you all about the mailing lists, especially the user list.

Please do invite your friends to join this fight. We can always use some more help. ;-)


Note: the organizations in question would like to remain discreet for now; that’s fine with us, although we like to share where possible. If your organization would like to submit suspected phishing URLs/emails to PhishTank at a higher volume, please let us know.

The case of the mysterious hostname

posted by John Roberts on February 9th, 2007 in PhishTank, Community, Voting, Verifying phishes, Moderators, Hosts

The following post was written by funchords Moderator. If you don’t recognize the username, check the stats page. Without further ado…


Question: What do the following web addresses have in common?

  1. http://66.135.40.79/
  2. http://1116153935/
  3. http://0x42.0207.10319/
  4. http://0102.8857679/

Answer: Don’t look here; try them out and see! (Caveat: in most browsers and operating systems, all four URLs will work. If your computer had trouble with a link, see “Something not working” below to understand why.)

So why did that happen?

We websurfers are trained to think of Internet sites as Double-U, Double-U, Double-U, Dot, Google, Dot, Com — because that is easier to remember than http://1208941928/. The network translates those names into numbers, so we don’t have to. But, every computer accessible on the Internet has a long and unique number as an address. It’s like a telephone number — uniquely yours.

The hostnames in the four web addresses at the top of this page are all different ways of expressing the same Internet address number.

Just as websurfers use a method that is easy to remember, programmers do, too. If they’re working in a system or programming language that prefers base-16 or hexadecimal numbers, they’re likely to express a 3 like 0x3 and a 12 like 0xC. An octal system would likely replace those with base-8 numbers, expressed as 03 and 014.

Why do this, when the rest of the world speaks in base-10 (decimal)? You’ll see in a moment — multiplication and division are much easier when you’re speaking the same language as the system.

The third example at the top of the page begins with 0x42, which is a hexadecimal number (66 in decimal). The next segment of example 3 is 0207, an octal number equal to 135. But what about that third number?

The “dots” in the address are meant for organization. Twenty-five years ago, our internet founders segmented the IP space into 255 (0xFF) segments. Those segments were split between five address types — large, medium, small, private, and special-use/future. The number before the first dot indicates this segment.

Knowing this, you can begin to do the math to make the above conversions.

If there is a first dot, the number before it is multiplied by 0x1000000 (or 16777216 to us Base-10 users). The number after it is not multiplied. This would work just fine for a very large organization: they would have their unique organizational number and over 16 million IP addresses that they could use on the Internet.

A second dot would help mid-size organizations — the first two segments would be assigned to the business and the final segment was theirs to divide as they pleased. And so on, for smaller businesses and the fourth segment. That sounded good back in the early 1980s, and it worked for a while. But, more importantly for our topic, it set the stage for how IP addressing works.

Let’s untwist our 4th example. 0102 is the octal equal to 66. This means that http://66.8857679/ should work? Does it? So we multiply that 66 by 16777216, and we get 1107296256. We add the last half of example 4 to that. 1107296256 plus 8857679 is 1116153935. That number is hard to remember, but it is the same number we tried in Example 2, above! So, the unique network address to PhishTank is 1116153935!

If there are two or three dots, the first number is multiplied by 0x1000000, the second by 0x10000, and the last is not multiplied. If there are four segments, the third segment is multiplied by 0x100.

Remember that the dots are there for organization — for human convenience. Computers do not need them (as we have shown here).

Now you can turn any dotted decimal (what most would call “normal”) IP address into its actual single-integer address, and back again! Reverse the process using division…

1116153935 ÷ 16777216 (0x1000000) = 66, with a remainder of 8857679
8857679 ÷ 65536 (0x10000) = 135, with a remainder of 10319
10319 ÷ 256 (0x100) = 40, with a remainder of 79
79 ÷ 1 (0x1) = 79

… and that leaves us back at 66.135.40.79, the dotted-decimal IP address that we used in Example 1.

Something not working, or working differently? In twenty-five years, programmers and administrators have grown accustomed to the four-segment dotted-decimal IP addresses, even in the largest organizations. While most network software still accepts these other forms of an address, some do not.

Although these forms of addressing are valid, almost nobody is used to them. Spammers and phishing fraudsters are taking advantage of this. They attempt to get around detection by changing the IP address into something other than a dotted-decimal form. It also tends to make a phishing URL look more legitimate. Here are some examples:

So when you see such an address, don’t panic. Know that the address is a number, and not a name that can be resolved in DNS. Submit the Phishing Site to the PhishTank “As-Is,” using the same style address that the Phisher put in his spam email. Then, if you want, deconstruct the dotted decimal IP address and submit the site using the more “normal” form. Doing this will help remove some of the confusion for verifiers, down-stream users, and others who aren’t as smart as you!
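The conversion walked through above, and the closing advice to resubmit a numeric-host phish in its “normal” dotted-decimal form, as an added example written for this post (not PhishTank’s own code): a small Python module that applies the post’s rules (a segment starting with “0x” is hexadecimal, a segment with a leading “0” is octal, anything else is decimal; with fewer than four segments the last one absorbs the remaining low-order bits, which is the 0x1000000 / 0x10000 / 0x100 multiplication described above) and rewrites a URL so its host reads like Example 1. The four URLs are the ones from the post; the function names are my own, and a host that is a DNS name, or a number that does not fit in 32 bits, is reported as “not a numeric address” rather than guessed at.

```python
"""Normalize the obfuscated numeric hostnames described in the post.

Added example, not PhishTank's code. It implements the post's rules for
decimal, hexadecimal, octal and partially dotted IP hosts and turns any
of them back into the familiar four-segment dotted-decimal form.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SHIFTS = (24, 16, 8, 0)


def parse_segment(seg: str) -> int:
    """Interpret one dot-separated segment as hex ("0x42"), octal ("0207") or decimal."""
    if seg[:2].lower() == "0x":
        return int(seg[2:], 16)
    if len(seg) > 1 and seg[0] == "0":
        return int(seg, 8)
    return int(seg, 10)  # raises ValueError for non-numeric text such as "www"


def host_to_int(host: str) -> int:
    """Turn a 1- to 4-segment numeric host into its single 32-bit address integer."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("expected 1 to 4 segments")
    values = [parse_segment(p) for p in parts]
    # Leading segments are single octets; the last one holds whatever bits remain:
    # 32 bits for a bare integer, 24 for two segments, 16 for three, 8 for four.
    tail_bits = 8 * (5 - len(parts))
    for v in values[:-1]:
        if not 0 <= v <= 0xFF:
            raise ValueError(f"segment {v} does not fit in one octet")
    if not 0 <= values[-1] < (1 << tail_bits):
        raise ValueError(f"last segment {values[-1]} does not fit in {tail_bits} bits")
    result = 0
    for v in values[:-1]:
        result = (result << 8) | v
    return (result << tail_bits) | values[-1]


def int_to_dotted(addr: int) -> str:
    """Reverse the process with shifts instead of division: 1116153935 -> '66.135.40.79'."""
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    return ".".join(str((addr >> s) & 0xFF) for s in SHIFTS)


def dotted_host(url: str) -> Optional[str]:
    """Dotted-decimal form of a URL's host, or None if the host is not a numeric address."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        return int_to_dotted(host_to_int(host))
    except ValueError:
        return None  # a real hostname (resolved via DNS) or an out-of-range number


def canonical_url(url: str) -> str:
    """Rewrite a URL so a numeric host appears in the 'normal' dotted-decimal form.

    URLs whose host is a DNS name are returned unchanged. Any user-info before
    an '@' in the authority is dropped, because urlsplit().hostname excludes it.
    """
    parts = urlsplit(url)
    dotted = dotted_host(url)
    if dotted is None:
        return url
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # The four addresses from the post, all expressing the same number.
    for u in ("http://66.135.40.79/", "http://1116153935/",
              "http://0x42.0207.10319/", "http://0102.8857679/"):
        print(f"{u:28} -> {canonical_url(u)}")
```

Running the module prints the same dotted-decimal URL four times, which is the point of the post: the four hostnames differ only in notation. When submitting a phish to the Tank as the post suggests, keep the original URL as the first submission and use `canonical_url()` to produce the second, “normal” one.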

Isn’t that cool?


Like to write a post for PhishTank? Let us know.

More moderators to help keep the Tank clean

posted by John Roberts on February 6th, 2007 in PhishTank, Members, Community, Moderators

Back in November, I welcomed the first group of PhishTank moderators.

That first group (Simurgh, clubjuggle, funchords, micha, Sedna, spamfighter, Chris1948) was joined by Char shortly afterwards, and MASA a couple of weeks later.

Last week, a bunch of stalwarts — quite recognizable from the stats page — joined the moderator crew. Please join me in greeting the new moderators: JustaPerson, cleanmx, ruralnetcop, milky, bowlby4, miowpurr, buaya, thelionheart, DougieLawson, polymorp, tetak, and pscs.

This expanded team has helped take charge of site activities, and there are lots of ideas percolating for improvements. On a related note, the users mailing list is quite active, too, with lots of good ideas. Many of the moderators are there, too.

As I type, the first outside developers (still room for more) are getting their development environments set up.

All over, 2007 is going to be a good year for the ‘Tank.
