It’s been a full two years since we launched PhishTank. In that time more than 1 million unique, suspected phishing scams have been reported to this Web site. They’ve come from folks all over the world, and they’ve been all kinds of phishes.

Predictably, we’ve seen phishers keep up with trends and events and take advantage of unsuspecting people. When U.S. tax season rolled around, we saw an influx of I.R.S. phishes. When MySpace and Facebook reached a critical level of popularity, we saw phishes using those brands. Most recently, we’ve seen phishes exploiting the global financial crisis. (”Your bank is shutting its doors. But we now offer you the option to have your account moved on our servers abroad. This will prevent any financial loss from your account in case the U.S. financial system collapses. Please give us your info so we can move your account.”)

The 1 million number is certainly impressive, but perhaps a more important number is 350,000: that’s the number of verified phishing attacks PhishTank has blocked for users of OpenDNS and all the many other services that use PhishTank data. That’s 350,000 phishes, each one with potentially devastating outcomes for thousands of recipients.

When PhishTank was launched in 2006, it was because OpenDNS had set out to find a source of phishing data that was accurate and reliable. That didn’t happen. All of the phishing feeds available were ridden with false-positives and way too expensive. We were convinced there was a better way. And after two years of resounding success with PhishTank, it turns out there was.

Congratulations to everyone involved in the PhishTank community, from the people who’ve submitted just one phish to the moderators who spend hours and hours working to clean up the Internet of phishing and keep others safe. Here’s to another 2 years.

Word came today that PhishTank wins the PC World award for Top Product of 2008. Cheers to the entire PhishTank community for being awesome enough to make the award happen.

Regardless of whether you’re new here, or have been submitting and verifiying since the beginning, you should head on over to OpenDNS.com to get the benefit of the community’s hard work. Turning on OpenDNS means all PhishTank-verified phishing sites are blocked on your network. It’s free and takes just a few minutes.

We at OpenDNS couldn’t be more excited about the Top Products honor. Here’s how PC World describes the award and selection process:

The respected 100 Best Products Awards honor products that meld practical features with innovation and reflect the rapidly changing technology marketplace. To select the winners, PC World’s editors examined hundreds of products, including those that have appeared in the magazine over the past 12 months. The 100 winning products and services were selected for their exemplary design and usability, features, performance and innovation.

The Tank’s come a long way in less than two years, having verified and effectively disabled more than a quarter-million individual phishing scams. Congrats everyone!

We just posted PhishTank statistics for April 2008. No major surprises: The United States is, for the thirteenth straight month, hosting more phishes than any other country; A group of large banks, eBay, and PayPal round out the top most spoofed brands; And the PhishTank community of submitters and verifiers continues to have an impressively high accuracy rate.

The headlines tell us the phishers are not giving up. Seemingly every week we see reports of a new type of phishing scam. This week it’s Google AdWords phishing, where AdWords account holders are sent emails alerting them their account needs updating. The account holder logs into the spoofed AdWords interface and hands over their credit card information.

The AdWords phishing scam is interesting to me largely because, in lots of cases, it’s targeting businesses. People understand identity theft. But what happens when a business’s identity is stolen? There’s no easier or more efficient avenue to get reimbursed for a business than for an individual. Basically, whether you represent yourself or your company, you have to go to your credit card company and beg for forgiveness. (Whether or not it should be the banks — some of the most commonly spoofed brands — that are responsible for reimbursing money stolen through phishing is part of a separate debate.)

And the spoofed AdWords account interfaces, at least the ones I’ve seen, are good. I can easily understand how the marketing person tasked with managing AdWords for their company could be fooled. I know plenty of small and mid-size companies that rely on online advertising to drive traffic to their site, and see huge dents in revenue when something goes wrong and the traffic doesn’t come. That marketing person has plenty of incentive to make sure their account information isn’t wrong and nothing is preventing potential customers from seeing their ads.

Experts repeat the same warning about AdWords phishing that we’ve all heard about phishing in general for years: Educate yourself about phishing and look skeptically at URLs. Remember that as a general rule, you won’t be warned via e-mail that your account has been compromised, so if you are ever encouraged via e-mail to login to an account and update information, proceed with caution and look closely at the URL you’re encouraged to click.

Take for example, one of the AdWords phishes someone submitted to PhishTank. See the “d0l9i.cn” in the middle of the URL? If you open a new window and load http://adwords.google.com/select/login, you’ll see the real site’s URL doesn’t include that series of characters. That should be a red flag.

[NOTE: This is a known, verified phishing site. We recommend you do NOT visit it.]

OpenDNS users and users of other services leveraging PhishTank data — McAfee, Opera, Yahoo! Mail, Kaspersky Labs, to name a few — have an extra line of defense when it comes to phishing — they benefit from PhishTank and the wisdom of the community. But it’s abolsutely a good idea to learn to look for inconsistencies in URLs and think twice before providing sensitive information online, whether it’s your own or your company’s.

Whatever your motivation, we salute you.

Some Carnegie Mellon University researchers would like to know more, as part of ongoing work at their CyLab on phishing in general.

We’re conducting a survey of anti-phishing volunteers, as part of ongoing
research in Human Computer Interaction regarding phishing. The survey will ask
you questions regarding how volunteers spend their time, motivations, and what
tools are important for the task. The survey should take 5-10 minutes to
complete.

Those who are willing may volunteer at the end of a survey to be interviewed.
Interviews will be held over the telephone, and we will offer a $10 gift certificate
as a token of our appreciation for those who participate in the interview. We
expect interviews will take from 30 minutes to an hour.

All personal information collected in the course of this research will be
anonymized before publication.

http://www.surveymonkey.com/s.aspx?sm=35TJTRQ4Niem30Zehbh_2fQg_3d_3d

Take a few minutes and let them know your thoughts. It’s useful when the good guys help each other.

With a full twelve months under our belt, today OpenDNS published the first-ever PhishTank annual report.

The report looks at the more than 300,000 phishes you’ve submitted and helped verify over the course of one year. While some of the report’s findings come as no surprise (e.g., PayPal and eBay round out the top of the list of most spoofed brands), some are alarming. Perhaps the most important finding, and the one that drove us to come up with a fix, is that U.S. telecoms are hosting more phishes than telecoms in any other country.

I think lots of American organizations are led to believe that phishing is something they can do nothing about, aside from simply educating themselves and their people on how to identify phoney emails. Not the case. Starting today we invite all telecoms and other organizations to search PhishTank by their ASN (Autonomous System Number) or brand name. We’ll even deliver information about phishes hosted on their network via a RSS feed. As a hosting provider, once you know about phishes on your network it’s easy to stop them.

Here’s a list of the U.S. telecoms hosting the most phishes, according to PhishTank:

1. SBC – 53,666
2. Comcast – 28,016
3. Roadrunner – 25,925
4. Charter – 12,544
5. Internet Services – 10,332
6. Inktomi Corporation – 9,293
7. XO Communications – 8,511
8. Bresnan Communications – 8,408
9. Advanced Internet Technologies – 8,274
10. Park Region Mutual Telephone Co. – 7,566

Other interesting report findings include:

18 percent of all verified phishing Web sites were hosted on just three IP addresses.

Web sites ending in “.cn” – the Top Level Domain (TLD) assigned to China – account for four of the top five Web sites with the most valid phishes.

One unique phishing scam is launched every two minutes.

You can read the full press releases about the annual report findings here and the new ASN and brand search here.

Thanks to everyone who contributed to what Brian Krebs of the Washington Post today called “one of the most comprehensive data sets ever published on [phishing], offering fascinating insights on the scope and increasing sophistication of phishing attacks.”

Banks, credit unions, PayPal, eBay, Amazon, the IRS… all of these organizations suffer from phishing attacks on a regular basis. (Sad, but true.)

Yesterday morning, I personally received an example of a new (to me) category of phish: someone trying to get me to provide Yahoo credentials. Not my personal Yahoo credentials, but my “Sponsored Search” account, where I’d control my advertising spend with Yahoo Search Marketing…if I had an account!

I suppose the purpose was to steal my credentials and then have “me” schedule and pay for pay-per-click advertising on behalf of the criminal. Phishers keep following the money, even via more indirect routes.

• The phish: http://yahincmarketing.com/Login.html (purposefully not linked)
• PhishTank submission: http://www.phishtank.com/phish_detail.php?phish_id=316499
• Real URL: https://login.marketingsolutions.yahoo.com/ (redirects to another Yahoo.com URL, but totally legitimate!)

The phisher even copied the Javascript popup from the legitimate site encouraging me to bookmark this new location!

Note: Besides the community’s vote (thank you!), I’ve notified someone at Yahoo Search Marketing, so I would expect and hope this site will be taken offline rapidly. It’s already blocked for OpenDNS customers, of course.

whois info:

Domain name: yahincmarketing.com

Registrant:
   Jim Johnson  (SROW-615849)
   mdumi82u@aol.com
   5 rue de Thorigny
   PAris   PARIS
   75003   FR
   +33 42719715

The press spotlight is shining squarely on PhishTank.

Computing, a high-profile tech magazine in the UK, covered the recent findings of Cambridge University researchers, who used PhishTank data to analyze Rock Phish. PhishTank is referred to as “the largest online clearing house of phishing data.”

Back State-side, Brian Krebs of the Washington Post does his own piece on Rock Phish and uses a nifty screenshot from PhishTank to demonstrate Rock Phish submissions.

Congrats to the entire community on all the great attention.

May stats are live. Check ‘em out here.

A few things popped out at me. First off, median time to submission dropped by 11 hours down to just 19. And the total number of invalid phishes is only 739 out of more than 53,000. Not only is the community getting faster, it’s also getting more diligent about submitting.

It just keeps getting better and better. Thanks, guys. Keep it up!

And starting today, it is, between Anti-Phishing Working Group and OpenDNS.

This is a big day for us, folks, and for all of you who have worked to make PhishTank the most authoritative source of phishing data on the Web.

Anti-Phishing Working Group is big, and has a member list boasting companies like eBay, Microsoft, Yahoo!, Verisign and Cisco. They’ve been at phish-fighting since 2003 and have made great progress in raising awareness about the seriousness of Internet crime.

We’re young, but growing at lightning speed. The human approach OpenDNS and PhishTank bring to the table is an incredibly important element to combatting the problem.

Anti-Phishing Working Group and OpenDNS make a great team and we’re excited about what we can accomplish together.

[Cross-posted to PhishTank and OpenDNS blogs.]

Credit card fraud keeps growing on the Net is the headline in the May 11, 2007 version of the International Herald Tribune. PhishTank’s April 2007 statistics earned a mention.

Statistics from Phishtank, an antiphishing network, found that last month alone some 77,709 phishes were sent out, with 19 percent originating in the United States, 15 percent in France, 14 percent in Turkey and 10 percent from South Korea.

“This is a global problem,” said David Ulevitch, the founder of Phishtank, whose data is now being used by Yahoo to help make the Internet safer.

Note: the printer-friendly version has everything on one page. The PhishTank reference is page 2 of the article, otherwise.