It’s the first of the month again and you know what that means….

PhishTank April statistics were posted on the Web site today and the differences between April and previous months are hard not to notice. PhishTank caught 77,709 unique phishes last month and tallied a grand total of 243,500 votes. That’s impressive!

You might notice, too, that new members “antiphishing” and “PhishReporter” came in No. 1 and No. 2, respectively, in the Top Submitters list. Both members represent organizations that did more than their share of submitting in April. The longer median time to verify can be attributed simply to a much greater pool of phishes to verify.

If you’re interested, check out the press release here. Keep it up, phish fighters!

As posted to the user mailing list, the Virginia Tech tragedy has prompted some unscrupulous folks to set up fake donation sites. Several of these possible scams and phishes have been submitted to the Tank by edgester, who also helps on the technology side of PhishTank.

Judge them carefully. Scams are not necessarily phish, so apply your judgment appropriately.

VTFamilies.org is a site doing the right thing. I’ve checked it out personally, after an appeal by one of the site administrators. If you want to help, or simply remember, you should visit.

I wouldn’t normally call attention to tragedies: there are simply too many. But the (possible) intersection of phishing and this story called for an exception.

Fantastic news: Yahoo! Mail, the world’s largest Web mail service, uses PhishTank data to help protect its 250 million users.

Here is the press release on the OpenDNS site, or read the official release on PRWeb. One quote:

“By combining the data received from PhishTank.com with other anti-phishing resources, we are currently protecting Yahoo! Mail users from nearly 14 million phishing email messages per day. Listening to the community, developing enhanced technologies and collaborating with security leaders continue to be priorities as we work to protect email users from the industry-wide problem of phishing,” said Miles Libbey, Yahoo! anti-spam product manager.

Our thanks to Miles, Carlo Catajan, and others on the Yahoo! Mail team for taking this step and doing even more to protect their customers. I’ll share one more quote, which sums up our feelings here at OpenDNS:

“OpenDNS is thrilled Yahoo! Mail has chosen phishing protection powered by PhishTank,” said David Ulevitch, CEO of OpenDNS. “PhishTank is firmly rooted in the belief that the fight against phishing is a collaborative effort and we encourage other organizations to follow Yahoo! Mail’s lead.”

To the entire community: Thank you!

“Tax time means fraud time,” writes Washington Post security blogger Brian Krebs. I know you agree with Brian because you voted “is a phish” on submission #130719, a phishing site posing as the U.S. Internal Revenue Service and offering visitors their tax refund credited to their Visa or Mastercard.

PhishTank caught five IRS phishes this tax season and prevented who knows how many people from readily handing over their personal information.

Now what are you doing reading this blog? Don’t you have taxes to do?

By now, most of the PhishTank community has seen the dramatic surge in submissions. It’s not malicious, but it is quite noticeable.

In the last few days, two different organizations decided, independently, to start submitting the suspicious URLs they receive to PhishTank. They benefit because the data is further validated and distributed far and wide. PhishTank benefits from some high-quality submissions, and broader coverage in its free data distribution.

Clearly, though, the new volume is dramatic.

And it didn’t help that one of the feeds went awry. The submissions were still phish (or possible phish), but the filter wasn’t tight enough. Those have been removed. Still, lots to verify at the moment.

The community has some work to do in catching up. Thank you for your patience. We are digging on small, immediate steps we can take to speed things up and make the volume manageable. Also, we’re revisiting the thorny problem of how to judge a domain.TLD combination (example.com) as a phish, so that all the wildcarded submissions which match that domain.TLD combo gets the same designation. We know this would help dramatically.

This is not simple, but it has been discussed before, so we’re not starting from scratch. The community’s time and attention is valuable; we do not want to waste it. We also don’t want to lose the collaborative human judgment that makes PhishTank so useful to the Internet at large.

Please don’t stop telling us where we can get better, and don’t stop voting/submitting/flagging. I’d remind you all about the mailing lists, especially the user list.

Please do invite your friends to join this fight. We can always use some more help.

---

Note: the organizations in question would like to remain discreet for now; that’s fine with us, although we like to share where possible. If your organization would like to submit suspected phishing URLs/emails to PhishTank at a higher volume, please let us know.

Matt Horning of NMGI wrote to share their use of the PhishTank data. NMGI focuses on managed services, consulting, and its DoubleCheck product, an email appliance that provides anti-spam, anti-virus, and anti-phishing services.

We use SpamAssassin for a majority of our spam accuracy. We also use URI blacklists like URIBL and SURBL. We use Clamscan for our phishing protection up until recently. Now that we’ve combined the predictive accuracy from Clamscan and the known phishing links from the PhishTank data on SURBL, we’re offering our customers superior protection.

---

It’s fun to see where PhishTank data is used. If your organization, company, product or service is using PhishTank data and is willing to tell the world, we’d like to hear about it.

We’ve got more good news to share.

Andrey Nikishin, the Director of Hosted Security Services at Kaspersky Lab, wrote:

I would like to inform you that Kaspersky Lab uses PhishTank database to detect phishing messages passing through the Kaspersky Hosted Security : mailDefend service. The PhishTank database allowed us to increase the accuracy of detection. Thank you very much for the excellent job you are doing.

Excellent! Nice to see the global PhishTank community helping out an international information security company. It’s also great of Andrey and Kaspersky to let us know.

I would also like to thank one of our moderators, Micha, both for individual contributions (check the stats page!) and for educating Kaspersky about PhishTank.

---

Is your organization using PhishTank data? We’d love to hear about it.

Everyone in the PhishTank community should enjoy the March 2007 statistics, in case you didn’t catch the press release. The median time to verify was down to a shade over 6 hours, from more than 15 hours in February. Pretty speedy!

Click the map for a larger version. The United States widened its “lead” in March as the country hosting the most phishes.

Two notes:

• The spike in verifications on March 9th represents the “unsticking” of a backlogged process, so those verifications actually happened across March 7-9.
• Folks were slowed a bit in both submitting and verifying for a few days due to a domain glitch on March 24.

While PhishTank currently is presented in English, phishing is worldwide. The submissions reflect that global scale, and the stats tell the same global story.

From Germany, Michael Schindler was kind enough to point out his company’s program, Officer Blue. This Windows program, offered in German and English, incorporates PhishTank data (via the XML file) as a key element in its ratings for sites. Michael noted that Officer Blue always makes a point of referencing PhishTank. That’s helped get PhishTank some German press, too. Danke schön!

My understanding of the product is courtesy of the English version of their site, which may be useful for others as well.

Companies and organizations of all sizes find the PhishTank data useful. I love telling you about them all!

St. Bernard is on the larger side, with thousands of customers using their software on millions of computers. I don’t know everything St. Bernard’s software and services do, but phishing prevention is part of their solution.

So I enjoyed receiving the following note from Morgan Christian, the iGuard Development Manager.

As a global provider of comprehensive security and hosted office solutions for small and midsize businesses, St. Bernard uses PhishTank to augment its phishing site listings.

When PhishTank is part of the solution, we’re all doing our part.

---

Reminder: the high-quality data created by the PhishTank community is free for all, and available in multiple ways.