Predictably, we’ve seen phishers keep up with trends and events and take advantage of unsuspecting people. When U.S. tax season rolled around, we saw an influx of I.R.S. phishes. When MySpace and Facebook reached a critical level of popularity, we saw phishes using those brands. Most recently, we’ve seen phishes exploiting the global financial crisis. (”Your bank is shutting its doors. But we now offer you the option to have your account moved on our servers abroad. This will prevent any financial loss from your account in case the U.S. financial system collapses. Please give us your info so we can move your account.”)

The 1 million number is certainly impressive, but perhaps a more important number is 350,000: that’s the number of verified phishing attacks PhishTank has blocked for users of OpenDNS and all the many other services that use PhishTank data. That’s 350,000 phishes, each one with potentially devastating outcomes for thousands of recipients.

When PhishTank was launched in 2006, it was because OpenDNS had set out to find a source of phishing data that was accurate and reliable. That didn’t happen. All of the phishing feeds available were ridden with false-positives and way too expensive. We were convinced there was a better way. And after two years of resounding success with PhishTank, it turns out there was.

Congratulations to everyone involved in the PhishTank community, from the people who’ve submitted just one phish to the moderators who spend hours and hours working to clean up the Internet of phishing and keep others safe. Here’s to another 2 years.

The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country.

I think lots of American organizations are led to believe that phishing is something they can do nothing about, aside from simply educating themselves and their people on how to identify phoney emails. Not the case. Starting today we invite all telecoms and other organizations to search PhishTank by their ASN (Autonomous System Number) or brand name. We’ll even deliver information about phishes hosted on their network via a RSS feed. As a hosting provider, once you know about phishes on your network it’s easy to stop them.

Here’s a list of the U.S. telecoms hosting the most phishes, according to PhishTank:

1. SBC – 53,666
2. Comcast – 28,016
3. Roadrunner – 25,925
4. Charter – 12,544
5. Internet Services – 10,332
6. Inktomi Corporation – 9,293
7. XO Communications – 8,511
8. Bresnan Communications – 8,408
9. Advanced Internet Technologies – 8,274
10. Park Region Mutual Telephone Co. – 7,566

Other interesting report findings include:

18 percent of all verified phishing Web sites were hosted on just three IP addresses.

Web sites ending in “.cn” – the Top Level Domain (TLD) assigned to China – account for four of the top five Web sites with the most valid phishes.

One unique phishing scam is launched every two minutes.

You can read the full press releases about the annual report findings here and the new ASN and brand search here.

Thanks to everyone who contributed to what Brian Krebs of the Washington Post today called “one of the most comprehensive data sets ever published on [phishing], offering fascinating insights on the scope and increasing sophistication of phishing attacks.”

Andrey Nikishin, the Director of Hosted Security Services at Kaspersky Lab, wrote:

I would like to inform you that Kaspersky Lab uses PhishTank database to detect phishing messages passing through the Kaspersky Hosted Security : mailDefend service. The PhishTank database allowed us to increase the accuracy of detection. Thank you very much for the excellent job you are doing.

Excellent! Nice to see the global PhishTank community helping out an international information security company. It’s also great of Andrey and Kaspersky to let us know.

I would also like to thank one of our moderators, Micha, both for individual contributions (check the stats page!) and for educating Kaspersky about PhishTank.

From Germany, Michael Schindler was kind enough to point out his company’s program, Officer Blue. This Windows program, offered in German and English, incorporates PhishTank data (via the XML file) as a key element in its ratings for sites. Michael noted that Officer Blue always makes a point of referencing PhishTank. That’s helped get PhishTank some German press, too. Danke schön!

My understanding of the product is courtesy of the English version of their site, which may be useful for others as well.

St. Bernard is on the larger side, with thousands of customers using their software on millions of computers. I don’t know everything St. Bernard’s software and services do, but phishing prevention is part of their solution.

So I enjoyed receiving the following note from Morgan Christian, the iGuard Development Manager.

As a global provider of comprehensive security and hosted office solutions for small and midsize businesses, St. Bernard uses PhishTank to augment its phishing site listings.

When PhishTank is part of the solution, we’re all doing our part.

Chris Gleason of Firetrust shared some good news yesterday. Sitehound, their browser toolbar product for warning you about all kinds of malicious websites (not just phishing) is now utilizing PhishTank data as one of their sources.

Sitehound is now able to provide much more accurate and timely detection and protection from phishing websites. In addition to our own sources and users who report sites to us, SiteHound now plugs into PhishTank’s live XML feed of known phishing websites.

As a reminder, here’s all the info about the XML data file, including its location and format. Kudos to Firetrust for taking another step to protect its customers.

Thanks (again) to the PhishTank community for creating a free, high-quality resource for use all over the world.

In response to my request on Friday for a PhishTank bookmarklet, two folks stepped up already, bouncing blog posts and comments back and forth.

Amit Chakradeo started by creating a Firefox 2.0 bookmarklet. Till saw Amit’s comment, and then went to work on his own PhishTank bookmarklet, which works in Firefox, Safari, and Opera (at least). Till also commented on Amit’s blog, pointing out his extra step.

Nice collaboration!

ps – On a semi-related note, I should point out that the Firefox extension PhishTank SiteChecker has a new home due to some bandwidth issues on MASA’s site.

A trio of websites offer people the opportunity to report the phish emails they receive in order to thwart the various scams and their perpetrators.

Three different sites are included in the round-up: PhishTank, CastleCops, and Symantec’s Phish Report Network.

At OpenDNS (operators of PhishTank), we’re fans of CastleCops. Their work is excellent, and their efforts in the broader anti-abuse community are notable. We shared our gratitude in July.

However, I don’t think the Phish Report Network site belongs in the same category, for two key reasons: the lack of information about submissions and the hefty price of their data.

Submitting to a black hole

Submitting phish to the Phish Report Network is dumping your submissions into a black hole. (And they didn’t even accept submissions from individuals until October 2006… wonder if PhishTank’s launch had something to do with that?)

I just took a live phish site from PhishTank and submitted it, after agreeing to a license and filling out a Captcha. Those hoops are not necessarily a bad idea to weed out spurious submissions, but here’s all I was told after the submission was received.

CONFIRMATION

Your submission has been sent Tue Nov 14 09:46:06 PST 2006. To make another submission, click here.

Sincerely,

Symantec Security Response

Couldn’t the page at least say thanks?

Outside of the lack of human touch, there is no insight into what the final judgment might be, when such judgment will be rendered, and by whom. There is literally no way to follow up.

PhishTank shows you your activity, and gives you email updates (if you want them) and an RSS feed to track your submissions. Go to your My Account page to learn how your contributions are being judged.

The price of data

The data gathered and verified by Symantec’s site is only available if you pay for it. How much? US$50,000 per year.

On behalf of OpenDNS, I inquired about a license to the data on July 12, 2006. On August 8, 2006, I got an apologetic response for the delay. On August 9, 2006, I got a copy of the contract, with its US$50,000 price tag for the year. I declined to go any further.

I have nothing against businesses charging for a service, and perhaps Symantec is finding customers who find this a valuable source of data. It’s hard to know, since they give out little information about who’s using the data and how much data there is. PhishTank statistics are wide open.

PhishTank was set up to help the Internet at large and solve a business problem for OpenDNS (the common need for better data about phishing sites). The reason PhishTank works is because the data is freely available to all, from the free, open API to the XML data file or the lightweight method.

My suggestion to Symantec? Add data from PhishTank to your Phish Report Network. It’s free. And if you’d like to share your submissions with PhishTank, we’re happy to help make it work.

Mozilla found the data worth testing with, at least.

Everyone who has ever submitted a phish to or verified a phish for PhishTank deserves a pat on the back today. Congrats to all of you for contributing to the phishing data source chosen by Mozilla to compare phishing protection in Firefox 2.0 to Internet Explorer 7.

That’s right. You read correctly. Mozilla chose PhishTank over all of the other phishing data source sources available to test the effectiveness of new phishing protection features in the two browsers.

The way the testing worked is this: Mozilla contracted third-party evaluator Smartware to track Firefox 2.0 and IE7’s respective accuracy rates in identifying phishing scams. The same scams that were originally netted and verified by you.

In the end, Firefox 2.0 found and blocked 243 phishing Web sites that IE7 failed to identify, and was deemed the better of the two at keeping you safe from phishing.

Brian Krebs of Washington Post went into greater detail about the testing, and mentioned PhishTank SiteChecker, a Firefox extension.

Though we admittedly have Firefox and Internet Explorer on the brain today, we urge everyone making a browser to use PhishTank data (API, Data File, Check URL Method).