With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report.

The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country.

I think lots of American organizations are led to believe that phishing is something they can do nothing about, aside from simply educating themselves and their people on how to identify phoney emails. Not the case. Starting today we invite all telecoms and other organizations to search PhishTank by their ASN (Autonomous System Number) or brand name. We’ll even deliver information about phishes hosted on their network via a RSS feed. As a hosting provider, once you know about phishes on your network it’s easy to stop them.

Here’s a list of the U.S. telecoms hosting the most phishes, according to PhishTank:

1. SBC - 53,666
2. Comcast - 28,016
3. Roadrunner - 25,925
4. Charter - 12,544
5. Internet Services - 10,332
6. Inktomi Corporation - 9,293
7. XO Communications - 8,511
8. Bresnan Communications - 8,408
9. Advanced Internet Technologies - 8,274
10. Park Region Mutual Telephone Co. - 7,566

Other interesting report findings include:

18 percent of all verified phishing Web sites were hosted on just three IP addresses.

Web sites ending in “.cn” - the Top Level Domain (TLD) assigned to China - account for four of the top five Web sites with the most valid phishes.

One unique phishing scam is launched every two minutes.

You can read the full press releases about the annual report findings here and the new ASN and brand search here.

Thanks to everyone who contributed to what Brian Krebs of the Washington Post today called “one of the most comprehensive data sets ever published on [phishing], offering fascinating insights on the scope and increasing sophistication of phishing attacks.”

The press spotlight is shining squarely on PhishTank.

Computing, a high-profile tech magazine in the UK, covered the recent findings of Cambridge University researchers, who used PhishTank data to analyze Rock Phish. PhishTank is referred to as “the largest online clearing house of phishing data.”

Back State-side, Brian Krebs of the Washington Post does his own piece on Rock Phish and uses a nifty screenshot from PhishTank to demonstrate Rock Phish submissions.

Congrats to the entire community on all the great attention.

Credit card fraud keeps growing on the Net is the headline in the May 11, 2007 version of the International Herald Tribune. PhishTank’s April 2007 statistics earned a mention.

Statistics from Phishtank, an antiphishing network, found that last month alone some 77,709 phishes were sent out, with 19 percent originating in the United States, 15 percent in France, 14 percent in Turkey and 10 percent from South Korea.

“This is a global problem,” said David Ulevitch, the founder of Phishtank, whose data is now being used by Yahoo to help make the Internet safer.

Note: the printer-friendly version has everything on one page. The PhishTank reference is page 2 of the article, otherwise.

“Tax time means fraud time,” writes Washington Post security blogger Brian Krebs. I know you agree with Brian because you voted “is a phish” on submission #130719, a phishing site posing as the U.S. Internal Revenue Service and offering visitors their tax refund credited to their Visa or Mastercard.

PhishTank caught five IRS phishes this tax season and prevented who knows how many people from readily handing over their personal information.

Now what are you doing reading this blog? Don’t you have taxes to do?

Via Stéphane Degor, I found an interesting article in a French publication, Journal du Net, about PhishTank. Four people were asked to comment on PhishTank for “Avis de managers: PhishTank.” (That’s “Opinion of the Managers: PhishTank.”)

The preface, my translation:

A community project in the fight against phishing, PhishTank relies on the reactions and the contribution of Net surfers. Free and effective. However, will it survive in the long term? The opinion of four managers.

The group:

• Stephan Roux, of Sophos (security company)
• Christophe Canonne, of Cyber Networks (security company)
• Guillaume Brossard, of HoaxBuster.com (site for debunking scams)
• Laurent Dupuy, of Freesecurity (security consultancy)

My French is rusty, so I combined my lingering language skills with one of the free online translation tools to get a sense of what each person in the group says. I hesitate to give my own interpretations of what they’ve written, given the language uncertainty. Still, I welcome their comments and attention. And I encourage you to take a look.

Overall, they share kudos and concerns. The former are appreciated, and the latter are something all of us have to consider and address. We are making PhishTank better… and by “we” I mean moderators, developers, administrators, and the active members of the community.

There is no simple declaration of victory, of course. We build tools for the community to efficiently express its judgment through PhishTank. We make sure the data is freely available to the larger Internet community needs. And we keep improving. That’s how PhishTank thrives in the short and long term.

I would encourage these managers (especially at the security companies) to use the data and consider how they can contribute to the community, too.

Kelly Jackson-Higgins, the always-informed writer at Dark Reading, caught David’s blog post yesterday and wrote an article about PhishTank’s new direction. The gist: Your opportunity is here. If you want to be a part of the PhishTank team, act now.

Take it from me, there is very cool stuff going on at the Tank. This is the first opportunity extended for people to join the team. Look over David’s criteria and if you meet them, send an email to support [at] PhishTank.com. Tell us what you’ve done and why PhishTank would be better with you at the helm.

If you haven’t yet heard, Opera and OpenDNS announced this morning that the latest version of Opera has built-in phishing protection powered by PhishTank. That’s right, the phishing sites you submit to PhishTank, that are then verified as real phishes, are blocked for users of Opera 9.1.

Opera’s community manager, Espen Overdahl, blogged about the addition of PhishTank intelligence to 9.1.

Welcome to PhishTank, Opera community.

According to an article I just read on HeiseSecurity.co.uk, PhishTank has been used by another group to test phish blocking effectiveness in anti-phishing browser toolbars. This time it was Pittsburg, PA, USA’s Carnegie Mellon University doing the testing. If you’re interested, read the full PDF report here.

I read the SecurityProNews article “Sites Want To Hook And Gut Phishers” with interest this morning. The article’s summary:

A trio of websites offer people the opportunity to report the phish emails they receive in order to thwart the various scams and their perpetrators.

Three different sites are included in the round-up: PhishTank, CastleCops, and Symantec’s Phish Report Network.

At OpenDNS (operators of PhishTank), we’re fans of CastleCops. Their work is excellent, and their efforts in the broader anti-abuse community are notable. We shared our gratitude in July.

However, I don’t think the Phish Report Network site belongs in the same category, for two key reasons: the lack of information about submissions and the hefty price of their data.

Submitting to a black hole

Submitting phish to the Phish Report Network is dumping your submissions into a black hole. (And they didn’t even accept submissions from individuals until October 2006… wonder if PhishTank’s launch had something to do with that?)

I just took a live phish site from PhishTank and submitted it, after agreeing to a license and filling out a Captcha. Those hoops are not necessarily a bad idea to weed out spurious submissions, but here’s all I was told after the submission was received.

CONFIRMATION

Your submission has been sent Tue Nov 14 09:46:06 PST 2006. To make another submission, click here.

Sincerely,

Symantec Security Response

Couldn’t the page at least say thanks?

Outside of the lack of human touch, there is no insight into what the final judgment might be, when such judgment will be rendered, and by whom. There is literally no way to follow up.

PhishTank shows you your activity, and gives you email updates (if you want them) and an RSS feed to track your submissions. Go to your My Account page to learn how your contributions are being judged.

The price of data

The data gathered and verified by Symantec’s site is only available if you pay for it. How much? US$50,000 per year.

On behalf of OpenDNS, I inquired about a license to the data on July 12, 2006. On August 8, 2006, I got an apologetic response for the delay. On August 9, 2006, I got a copy of the contract, with its US$50,000 price tag for the year. I declined to go any further.

I have nothing against businesses charging for a service, and perhaps Symantec is finding customers who find this a valuable source of data. It’s hard to know, since they give out little information about who’s using the data and how much data there is. PhishTank statistics are wide open.

PhishTank was set up to help the Internet at large and solve a business problem for OpenDNS (the common need for better data about phishing sites). The reason PhishTank works is because the data is freely available to all, from the free, open API to the XML data file or the lightweight method.

My suggestion to Symantec? Add data from PhishTank to your Phish Report Network. It’s free. And if you’d like to share your submissions with PhishTank, we’re happy to help make it work.

Mozilla found the data worth testing with, at least.

Why were the OpenDNS offices empty by 4:45 yesterday? Because we were hurrying to a neighborhood haunt to watch PhishTank on TV!

Our very own John Roberts was interviewed for a segment called “ConsumerWatch: How To Fight Back Against Phishing” on KPIX, the local CBS affiliate in San Francisco. The segment came out awesome. You can watch it here. Note that submission #19362 got its 5 seconds of fame. Bet billwake didn’t think it would end up on TV when he submitted it. Thanks to billwake for submitting and Simurgh, krellis, alanjshea, hawk82, jbrunette, polymorp, IntrepidEddie, jkrieger3, irixman, someone1234, miowpurr, bastardblaster, clubjuggle, dr1, Sierran52, lyagushka and jpohl for verifying.

Some of us (not mentioning any names) never made it back to the office, which might explain why this post is just going up now, halfway through the day.