Got Phish? Drop 'Em in the 'Phishtank'

Chances are that you regularly receive "phish" in your inbox -- e-mail messages that try to lure you into giving away your personal and financial data at fake bank or e-commerce Web sites. If you're at all like me, you probably long ago stopped alerting the banks or companies being impersonated in the fake e-mails after time and again receiving the same impersonal and automated reply: "Yeah, thanks, we're on it."

This week, however, saw the launch of Phishtank, a free, community-based service that puts the "phun" back into phish reporting. The service was created by OpenDNS, a start-up that hopes to offer consumers and businesses a safer and speedier domain name system (DNS) resolution service (DNS is what translates Web site names into numeric addresses that are easier for machines to process).

Sure, OpenDNS is using the data to black hole phishing sites for people who use its DNS service. But it also is giving away a free API, or "application programming interface," that lets third-party Web sites, Internet service providers and software engineers tap into Phishtank's reservoir of suspicious e-mails and Web sites.

Check out Phishtank's homepage and you'll see some of the more recent submissions, along with links to screenshots of the phishing site, as well as a form you can use to see whether a phish you've received has already been submitted. I submitted a couple that I'd received over the past two days; turns out they'd already been sent in.

But even if someone has already claimed your phish, you can still vote on, or "verify," submissions in the hopper -- provided you register a nickname with a valid e-mail address. The neat thing about this system is that you can track the progress of any phish you've submitted, either by visiting your account at Phishtank.com or by signing up for an RSS feed that tracks your submissions and can notify you once those sites are taken down.

"We've had ISPs call us and ask for our data, and we say sure, we'll even build you an RSS feed that gives you a real time look at all of the phishing sites that resolve to addresses on your network," said David Ulevitch, OpenDNS's founder and chief executive.

I thought I was pretty good at spotting phishing attacks, but it's hard sometimes when you don't have the benefit of seeing the e-mail that led the user to the suspicious site, as is the case with Phishtank -- at least for now. For instance, I voted on whether one Bank of America site someone submitted was in fact a phishing site. The screenshot of the site looked just like the real thing, and Phishtank also has an option to load the site into a frame that pulls up the actual live site under discussion (more on this later). That site also defaulted to Bank of America's default login page, "https://www.bankofamerica.com/index.jsp". So, not having any more information on this site, I voted against listing it as a phishing site. Turns out 47 percent of voters agreed with me, while 53 percent called it phishy.

Ulevitch said the company is still working on some of Phishtank's finer details, such as how and whether to display e-mails, as well as the number of people who voted on each potential phishing site. But in order to prevent gaming of the system, Phishtank is reputation-based, in that greater weight will be given to submitters and voters who consistently pick true phishing sites. Ulevitch said Phishtank developers also are toying with a feature that would allow users to reverse their votes. "It's complicated, because once we show you votes of everyone else, you are biased."

One final note: It's not unheard of for a phishing site to also try to exploit browser flaws and monkey with visitors' machines, so take care if you browse any of these live phishing sites. At the very minimum, you will want to disable JavaScript and jack up the security settings on your browser. Ulevitch said that as a security precaution, the company also is considering stripping any JavaScript or malicious-looking code that might render in Phishtank's preview pane.
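The preview-pane hardening Ulevitch describes, as an added example that is not PhishTank's or OpenDNS's code: a small sanitizer that drops script-bearing elements, on* event handlers and javascript: URLs before fetched markup reaches a preview. The element and attribute lists are an assumed policy, and the sample page is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Assumed preview policy: elements dropped whole, and attributes that can carry a URL.
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "style"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class PreviewSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside an element being discarded
        self.removed = 0     # elements and attributes stripped, for logging

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
            self.removed += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Whitespace is removed first so a padded "java script:" is caught as well.
            smuggled = "".join(value.lower().split()).startswith("javascript:")
            if name.startswith("on") or (name in URL_ATTRS and smuggled):
                self.removed += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(self.skip_depth - 1, 0)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # script/style bodies arrive here too and are dropped
            self.out.append(escape(data, quote=False))


def sanitize_preview(html_text):
    """Returns (clean_markup, number_of_items_removed)."""
    parser = PreviewSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample of the kind of page a preview pane might be asked to render.
SAMPLE_PAGE = ('<html><body><h1 onmouseover="alert(1)">Sign in</h1><script>alert(document.cookie)</script>'
               '<a href="javascript:void(0)">Online Banking</a><form action="/login"><input name="user"></form></body></html>')
```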

By Brian Krebs  |  October 5, 2006; 5:16 PM ET
Categories:  Fraud  

Comments

From Thomas Jones:

PhishTank back to the drawing board. This is an interesting concept in which users look at a screenshot of a Web site, identified only by the URL. Alas, the whole idea of phishing is that the user is sent to a carefully designed fraudulent mockup of a bank Web site or eBay.com. There is usually no way to identify the fraudulent Web site by its appearance. Instead, one needs to look at the (fraudulent) e-mail. If it says to click on a hyperlink and enter sensitive information like passwords, both the e-mail and the site are fraudulent. There is no way to identify a fraudulent e-mail without looking at the e-mail. (In fairness, sometimes the hyperlink is suspicious if it has an IP address rather than a URL.)

Tom Jones

Posted by: Thomas L. Jones, Ph.D. | October 5, 2006 10:41 PM | Report abuse

Have you looked at Internet Defence's Phishery?

http://phishery.internetdefence.net/

It displays copies of phishing emails, lists the URLs used, and states whether the sites are still active or not; the Realtime Fake Site Monitor displays copies of fraudulent sites.

Posted by: Jay George | October 6, 2006 8:57 AM | Report abuse

Here's a thought - stop clicking on links in e-mail. If, for example, you receive an e-mail offer claiming to be from E-TRADE BANK that seems interesting - open a browser and type in "e - t r a d e . c o m" (less spaces of course). If the offer is NOT on the main screen it may well have been phishing. Don't go to all these referenced sites - just to look around - as you may well wind up on a real phishing site. This is not a game folks. ALSO, Brian - any update on the Symantec issue of their turning off AV and Internet Security because their "activation" process was broken? I still get weekly "NOT ACTIVATED" notices (though I now discover I'm good once I click "Activate Now").

Posted by: Sadler | October 6, 2006 10:37 AM | Report abuse

I have an email supposedly from USPS. Where can I send a copy of the email to verify it is a Phishing Expedition or a way to get into my computer.

Posted by: ajune Dennis | October 6, 2006 6:28 PM | Report abuse

We are like the cat around hot milk, intrigued but never touching it.
Better to talk business!

How do we handle our spyware-infected PC when logging into the bank to pay bills?
I have often brought this issue up in this forum and have had no comments or good solutions, nor a discussion. Well, no reader knows how to do it, so the loud silence is easily explained.

But let's taste the hot milk.

Who is in fact purchasing antispyware protection? Of course those purchasers are the already savvy consumers, absolutely not part of the group to be lured by either phishers or spyware. Those people in fact don't need protection as they won't be lured...
Firewalls, routers, patches, updates and antispyware won't impress the 90% victimized group, as they won't pay a dime for it, and the sole people protected will be the 10% of more or less techies.
"Frauds don't happen to me" ... Have we heard that before? Yeah, we have, and it's the mantra of the remaining 90% causing the $3bn online bank losses, US only.

Please recall the so-called Vulnerability Gap. 80% told Forrester Research they were sure of no infections at all and 90 of their computers were infected. That talks, doesn't it?

So let us seriously discuss better ways to protect the 90% unprotected than giving them a false security by toothless "Precaution & Recommendations" and powerless solutions that nobody in the victimized group of individuals ever considers purchasing, or we will go on participating in this and other forums to be personally shown in the air, solely.

The only "Recommendation" I'm able to give is: "Turn this discussion soon down to the bottom line." It's urgently needed to bring this issue up to policy makers or we will lose the "War Against Org. Crime and Terror". Clocks are ticking against us.

Posted by: William Palmborg, SecuraSystem.com | October 6, 2006 9:02 PM | Report abuse

CUTE! I like it, but here is some stuff to think about ...

Phishing Rules 101:

1. You get an email message from Timbuktu bank where you don't have a bank account with a link in it? PHISH!

2. A link has just an IP address rather than a proper host name when you mouse over it. Shame on the phisher! Don't they know about the mouse over command to replace the IP address with what seems to be like the real site? PHISH! Well, I at least warned you about HOW they conceal the IP address.
Just because the browser / email program says it is such and such does NOT mean it is always what it says it is. That is even true for links that come up in Google, not just for email messages.

3. If you have multiple email addresses, and the one about your PayPal account is not delivered to the proper email address and it has a link in it? PHISH!

4. A message is delivered to your correct email address for the account you have but it has a link in the message and that site never had links in their email messages before? It is most likely a PHISH. I don't depend on any email program or browser when it comes to these. I save them out to a file and edit with the VIM editor and then clamscan them. You can see EVERYTHING with VIM. Windows users can use the NotePad editor. I can NOT vouch for whether you will see everything until I have a proper PHISH to look at in that editor, but I would be surprised if I can't see it just as well there as in VIM. Do NOT edit it in Microsoft Word! Use NotePad.

I don't tell people to go open up the browser and leave the email program running, I have caught one phisher that was so clever that they messaged my email program from a webmail account ON LINUX! I hope they were happy with my empty email address book that went out the door. To be extra generous I sent it to them again about 20 more times! I was also trying to figure out a way to automate it so I could fill up their email box! My email addresses are in a privately STRONGLY encrypted file separate from everything else - thanks GnuPG! Instead, close all email and browser programs. Start your favorite browser up, then clean out all cookies, your history, and the downloaded files (cache). THEN go to the web site in question. NEVER click on the links in the email if it looks, er, PHISHY.

I would be amiss if I didn't say that the ClamAV anti-virus program is one of the best Phish detectors out there. I have yet to see one Phish recently that it hasn't caught. That doesn't mean everybody should rush out and put ClamAV on their system because it is the best AntiVirus program in the world. There is no such thing. On the other hand, they aren't all that bad either, so pick your own anti-poison! But ClamAV may be a good first step for PhishTank to scan submissions once that trickle turns into a torrent.

The banks are the WORST at ignoring you when you contact them. So William Palmborg, I partially agree with you. I have finally concluded that banks think this is a part of doing business. But if you intend doing it from Windows we will never get anywhere. Registry problems on Linux and Macintosh? None! There is no registry. Windows spy programs? They don't run on Linux or Macs, even if they do have the same processor. The ability to write files willy nilly all over the disk? NO can do - you can write only in your own area and some temporary areas.

Also, use some common sense. Don't go to porn sites. Don't go to gambling sites. Use the rules above for PHISH, because only that and common sense will protect you. William, did you have something else specific in mind to combat the PHISH problem that doesn't funnel billions of more dollars into Microsoft coffers? We are all ears for anything that works!

This idea is neat. I hope that PhishTank and OpenDNS succeed and am looking into them in great detail. Thanks for this article. I will gladly stock their phishtank with all the phish that come my way. I will also look into using their DNS servers.

Posted by: Henry Hertz Hobbit | October 12, 2006 1:13 AM | Report abuse
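Rules 2 and 4 of the post above (a bare IP address as the link target, and link text that shows one address while the real target is another), as an added detection example written for this page rather than taken from the commenter, ClamAV or PhishTank. The domain regex, the "same site or a parent of it" comparison and the sample mail body are assumptions constructed here; nothing is fetched.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: a domain name (with or without scheme) shown to the reader as the link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    """Rule 2: the target is a raw IPv4/IPv6 address instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html_body):
    """Returns (href, reason) for every link that trips a rule; an empty list means clean."""
    collector = LinkCollector()
    collector.feed(html_body); collector.close()
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue
        if is_ip_literal(host):
            findings.append((href, "target host is a bare IP address"))
        m = DOMAIN_RE.search(text)
        shown = m.group(1).lower() if m else None
        # Mouse-over rule: the domain the reader sees must be the target, or one a subdomain of the other.
        if shown and shown != host and not host.endswith("." + shown) and not shown.endswith("." + host):
            findings.append((href, f"link text shows {shown} but target is {host}"))
    return findings

# Constructed sample: a bare-IP link dressed as the bank's login URL, a look-alike PayPal link, an honest link.
SAMPLE_MAIL = ('<a href="http://192.0.2.10/bofa/index.jsp">https://www.bankofamerica.com/index.jsp</a>'
               '<a href="http://www.paypa1-secure.example/login">www.paypal.com</a>'
               '<a href="https://www.bankofamerica.com/index.jsp">Online Banking</a>')
```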

To William Palmborg: This IS one of the best solutions to the phish problem. In fact it will do far more than people would ever suspect. What we have now is NOTHING.

To Chase Manhattan Bank: I spent over three hours and two fruitless phone calls trying to get information to you about a very good phish. I got no place. So please consider it just the cost of doing business to give some of your profits to this worthy endeavor by providing funds to PhishTank and OpenDNS. That advice isn't just for you. It also applies to the entire financial sector (that includes PayPal). I am asking you to support these people.

To PhishTank and OpenDNS: How many phish must we submit as payment for your services? Even more importantly, I would love to work with you. This is one of the best enterprises I have seen in years! It is the real deal people.

PS If I had been thinking I should have packed up my mail folder, created a new one, and populated it with 100+ bogus email addresses and gone to that one site over and over and over and ...

Posted by: Henry Hertz Hobbit | October 12, 2006 2:43 PM | Report abuse


© 2010 The Washington Post Company