A Year's Worth of Phish Facts
Phishtank.com, a volunteer effort to identify phishing e-mails and associated Web sites, released its first annual report today, providing one of the most comprehensive data sets ever published on the subject and offering fascinating insights on the scope and increasing sophistication of phishing attacks.
Anyone who goes through the site's free signup can submit suspected phishing sites and e-mails to the Phishtank community, with each member free to vote on whether he or she thinks a given submission is legitimate or the work of scammers. Out of nearly 300,000 sites submitted as suspect, the community verified some 220,000 as phishing scams (more than 70,000 went unverified).
Overall, the United States was far and away the country that played host to the largest number of phishing sites in the past year, accounting for slightly more than 30 percent of the verified sites. SBC's network hosted the most phishing scams of all American ISPs, well out ahead of the rest with 53,666 scam sites over the past 12 months. Comcast and Road Runner rounded out the No. 2 and No. 3 slots, with 28,000 and 25,000 phishing sites, respectively.
It's important to mention the ISPs because most phishing sites these days are hosted on personal computers that have been hacked by criminals. Those PCs are typically home-user machines hooked up to consumer broadband networks. But Phishtank is not only calling those ISPs out, it's also giving them a free new tool to more quickly identify customer systems that are hosting phishing sites. Beginning today, Phishtank is connecting its database to an RSS feed so that ISPs can get instant notification when a new phish pops up on their network.
One set of data from the report I found particularly interesting was the number of phishing sites and e-mails that members thought were scammy but were later determined to be legitimate -- or vice versa. Out of nearly 300,000 sites submitted as suspect, the Phishtank community misidentified 8,760 sites.
This seems to suggest two things. The more obvious is that phishing has completely ruined e-mail as a means of trusted communications between businesses and customers. Some smart people and big targets are starting to take some positive steps that -- if more widely adopted -- should help minimize the success of phishing scams. But even if everyone adopted these measures overnight, it would take years for people to begin trusting e-mail again.
More importantly, the report seems to explain why phishing remains such a prevalent problem. In this case, you have a large group of self-selected "experts" on phishing who, in about 4 percent of cases, can't tell a phishing site or e-mail from a legitimate one.
A copy of the report is available here (PDF).