With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report.

The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country.

I think lots of American organizations are led to believe that phishing is something they can do nothing about, aside from simply educating themselves and their people on how to identify phoney emails. Not the case. Starting today we invite all telecoms and other organizations to search PhishTank by their ASN (Autonomous System Number) or brand name. We’ll even deliver information about phishes hosted on their network via a RSS feed. As a hosting provider, once you know about phishes on your network it’s easy to stop them.

Here’s a list of the U.S. telecoms hosting the most phishes, according to PhishTank:

1. SBC - 53,666
2. Comcast - 28,016
3. Roadrunner - 25,925
4. Charter - 12,544
5. Internet Services - 10,332
6. Inktomi Corporation - 9,293
7. XO Communications - 8,511
8. Bresnan Communications - 8,408
9. Advanced Internet Technologies - 8,274
10. Park Region Mutual Telephone Co. - 7,566

Other interesting report findings include:

18 percent of all verified phishing Web sites were hosted on just three IP addresses.

Web sites ending in “.cn” - the Top Level Domain (TLD) assigned to China - account for four of the top five Web sites with the most valid phishes.

One unique phishing scam is launched every two minutes.

You can read the full press releases about the annual report findings here and the new ASN and brand search here.

Thanks to everyone who contributed to what Brian Krebs of the Washington Post today called “one of the most comprehensive data sets ever published on [phishing], offering fascinating insights on the scope and increasing sophistication of phishing attacks.”

We’ve got more good news to share.

Andrey Nikishin, the Director of Hosted Security Services at Kaspersky Lab, wrote:

I would like to inform you that Kaspersky Lab uses PhishTank database to detect phishing messages passing through the Kaspersky Hosted Security : mailDefend service. The PhishTank database allowed us to increase the accuracy of detection. Thank you very much for the excellent job you are doing.

Excellent! Nice to see the global PhishTank community helping out an international information security company. It’s also great of Andrey and Kaspersky to let us know.

I would also like to thank one of our moderators, Micha, both for individual contributions (check the stats page!) and for educating Kaspersky about PhishTank.

While PhishTank currently is presented in English, phishing is worldwide. The submissions reflect that global scale, and the stats tell the same global story.

From Germany, Michael Schindler was kind enough to point out his company’s program, Officer Blue. This Windows program, offered in German and English, incorporates PhishTank data (via the XML file) as a key element in its ratings for sites. Michael noted that Officer Blue always makes a point of referencing PhishTank. That’s helped get PhishTank some German press, too. Danke schön!

My understanding of the product is courtesy of the English version of their site, which may be useful for others as well.

Companies and organizations of all sizes find the PhishTank data useful. I love telling you about them all!

St. Bernard is on the larger side, with thousands of customers using their software on millions of computers. I don’t know everything St. Bernard’s software and services do, but phishing prevention is part of their solution.

So I enjoyed receiving the following note from Morgan Christian, the iGuard Development Manager.

As a global provider of comprehensive security and hosted office solutions for small and midsize businesses, St. Bernard uses PhishTank to augment its phishing site listings.

When PhishTank is part of the solution, we’re all doing our part.

Chris Gleason of Firetrust shared some good news yesterday. Sitehound, their browser toolbar product for warning you about all kinds of malicious websites (not just phishing) is now utilizing PhishTank data as one of their sources.

Sitehound is now able to provide much more accurate and timely detection and protection from phishing websites. In addition to our own sources and users who report sites to us, SiteHound now plugs into PhishTank’s live XML feed of known phishing websites.

As a reminder, here’s all the info about the XML data file, including its location and format. Kudos to Firetrust for taking another step to protect its customers.

Thanks (again) to the PhishTank community for creating a free, high-quality resource for use all over the world.

According to an article I just read on HeiseSecurity.co.uk, PhishTank has been used by another group to test phish blocking effectiveness in anti-phishing browser toolbars. This time it was Pittsburg, PA, USA’s Carnegie Mellon University doing the testing. If you’re interested, read the full PDF report here.

Bookmarklets are browser bookmarks with a bit of extra functionality mixed in, usually via Javascript.

In response to my request on Friday for a PhishTank bookmarklet, two folks stepped up already, bouncing blog posts and comments back and forth.

Amit Chakradeo started by creating a Firefox 2.0 bookmarklet. Till saw Amit’s comment, and then went to work on his own PhishTank bookmarklet, which works in Firefox, Safari, and Opera (at least). Till also commented on Amit’s blog, pointing out his extra step.

Nice collaboration!

ps - On a semi-related note, I should point out that the Firefox extension PhishTank SiteChecker has a new home due to some bandwidth issues on MASA’s site.

I read the SecurityProNews article “Sites Want To Hook And Gut Phishers” with interest this morning. The article’s summary:

A trio of websites offer people the opportunity to report the phish emails they receive in order to thwart the various scams and their perpetrators.

Three different sites are included in the round-up: PhishTank, CastleCops, and Symantec’s Phish Report Network.

At OpenDNS (operators of PhishTank), we’re fans of CastleCops. Their work is excellent, and their efforts in the broader anti-abuse community are notable. We shared our gratitude in July.

However, I don’t think the Phish Report Network site belongs in the same category, for two key reasons: the lack of information about submissions and the hefty price of their data.

Submitting to a black hole

Submitting phish to the Phish Report Network is dumping your submissions into a black hole. (And they didn’t even accept submissions from individuals until October 2006… wonder if PhishTank’s launch had something to do with that?)

I just took a live phish site from PhishTank and submitted it, after agreeing to a license and filling out a Captcha. Those hoops are not necessarily a bad idea to weed out spurious submissions, but here’s all I was told after the submission was received.

CONFIRMATION

Your submission has been sent Tue Nov 14 09:46:06 PST 2006. To make another submission, click here.

Sincerely,

Symantec Security Response

Couldn’t the page at least say thanks?

Outside of the lack of human touch, there is no insight into what the final judgment might be, when such judgment will be rendered, and by whom. There is literally no way to follow up.

PhishTank shows you your activity, and gives you email updates (if you want them) and an RSS feed to track your submissions. Go to your My Account page to learn how your contributions are being judged.

The price of data

The data gathered and verified by Symantec’s site is only available if you pay for it. How much? US$50,000 per year.

On behalf of OpenDNS, I inquired about a license to the data on July 12, 2006. On August 8, 2006, I got an apologetic response for the delay. On August 9, 2006, I got a copy of the contract, with its US$50,000 price tag for the year. I declined to go any further.

I have nothing against businesses charging for a service, and perhaps Symantec is finding customers who find this a valuable source of data. It’s hard to know, since they give out little information about who’s using the data and how much data there is. PhishTank statistics are wide open.

PhishTank was set up to help the Internet at large and solve a business problem for OpenDNS (the common need for better data about phishing sites). The reason PhishTank works is because the data is freely available to all, from the free, open API to the XML data file or the lightweight method.

My suggestion to Symantec? Add data from PhishTank to your Phish Report Network. It’s free. And if you’d like to share your submissions with PhishTank, we’re happy to help make it work.

Mozilla found the data worth testing with, at least.

Everyone who has ever submitted a phish to or verified a phish for PhishTank deserves a pat on the back today. Congrats to all of you for contributing to the phishing data source chosen by Mozilla to compare phishing protection in Firefox 2.0 to Internet Explorer 7.

That’s right. You read correctly. Mozilla chose PhishTank over all of the other phishing data source sources available to test the effectiveness of new phishing protection features in the two browsers.

The way the testing worked is this: Mozilla contracted third-party evaluator Smartware to track Firefox 2.0 and IE7’s respective accuracy rates in identifying phishing scams. The same scams that were originally netted and verified by you.

In the end, Firefox 2.0 found and blocked 243 phishing Web sites that IE7 failed to identify, and was deemed the better of the two at keeping you safe from phishing.

Brian Krebs of Washington Post went into greater detail about the testing, and mentioned PhishTank SiteChecker, a Firefox extension.

Though we admittedly have Firefox and Internet Explorer on the brain today, we urge everyone making a browser to use PhishTank data (API, Data File, Check URL Method).

The team at WOT announced today that their website reputation service WOT is “Now with PhishTank.” WOT is a free service that provides website reputation information for users.

Sami from WOT wrote:

We would like to thank OpenDNS and the people at PhishTank for their contribution to web safety.

WOT uses data from lots of sources, including its users. PhishTank is now part of the mix, via the downloadable data file.

Thanks to the entire PhishTank community for participating: your work is being applied all over the place. I love seeing the ripples spread far and wide. We told as many people as possible about PhishTank at ISPCON. There was plenty of interest, and more services and products will incorporate PhishTank data in the near future.