PhishTank

PhishTank went live this week:

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

It's run by OpenDNS.

Posted on October 5, 2006 at 6:40 AM • 13 Comments

Comments

Paeniteo • October 5, 2006 7:07 AM

We'll see how this develops.
The latest submission for example is "http://www.w3.org/1999/xhtml" which does not appear really phishy to me ;-/

derf • October 5, 2006 9:58 AM

Phishtank with a 760 phish database (460 verified), or this one with 4462 in its database: http://www.millersmiles.co.uk/

I'm sure it won't take long for some "vigilant" youth to copy the data from one to the other in order to claim the top spot. Good old plagiarized, "user created" content.

David Ulevitch • October 5, 2006 10:13 AM

Bruce Schneier just linked to PhishTank!

Awesome!

Paeniteo -- You may find yourself surprised. The "Wisdom of the crowds" accomplishes two critical goals:

1: It brings in a wide breadth of coverage of phishing samples meaning we get the most popular phishes submitted (too new, nothing is 100%, etc).
2: It involves a trust and accuracy metric so the more accurate and longer you've been on the site the more your vote counts for. That helps prevent gaming of the system.

While I'm hesitant to say it's been 100% accurate in determining what has been submitted I've yet to see or hear about a false positive. Even http://www.customeruser@bankofamerica.com/ was marked as NOT A PHISH (which it isn't) but I think someone did it as a test to see if it was marked as a false positive.

Derf -- The systems are nothing alike -- PhishTank is all user contributed, feedback-loop-based and with an open API and platform that is quickly expanding in features based on requests from developers. As for the numbers, Phishtank has been around for three days. Chill. :-)

Greg (other) • October 5, 2006 3:14 PM

If it works, it will be a good way for phishers to tell when it's time to pull up their anchors and move on.

Whether it works or not, it will be a good excuse for the careless to continue being careless.

derf • October 5, 2006 4:39 PM

@David Ulevitch

Heh - forgive me. With Microsoft releasing 11 new patches this month, I'm getting to be a cranky old security guy. This probably means only 5 new exploits will be released Oct. 11.

The API is a neat idea. Someone should set up a URI based blocklist similar to the surbl.org spam DNSRBL.

Stefan Wagner • October 5, 2006 5:12 PM

I visit my bank and ebay through some kind of bookmarks - not the browser's bookmarks, but my startpage is a 2D array of bookmarks, not primarily used for security reasons, but comfort.

I don't see any benefit in this webpage.
Correct me if I'm wrong.

Miles • October 6, 2006 12:37 AM

@derf:
Surbl does have a phish uri list -- though it's only domain based. Of course, that's the only format that SpamAssassin can take. Most of the phish report systems (Castlecop's PIRT, Symantec's PRN, the phishtank...) are using xml.

Most of the phish systems have the same flaws:
- only exact full urls are reported, making it easy for the phisher to send http://$randomsubdomain.badguy/$randomfolder/... and requiring all the system volunteers to pick up infinite exact matches.
- report the open redirects with the full url. Pretty much the same problem as above. Many open redirects have ways of inserting random data.

I honestly can't tell the difference between what castlecops is doing v phishtank. If there are really novel features, why not enhance the existing project -- having more feeds makes each feed less valuable:
- email/IM systems are less likely to be able to listen to each and every one (too much work)
- the workers duplicate effort (I'm sure there will be significant overlap in reported sites between the services)
- less focus for interested developers -- some will enhance one; some will enhance another.
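
The exact-URL weakness described in the comment above, next to domain-based matching of the kind it attributes to SURBL's list, as an added example that is not part of the original thread or of any project mentioned in it. The `.example` names, the sample sets and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data; the .example names are placeholders, not real reports.
REPORTED_URLS = {"http://a1.badguy.example/x9/login.html"}
BLOCKED_DOMAINS = {"badguy.example"}


def host_of(url):
    """Return the lowercase host, ignoring any user@ prefix, port and trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()


def exact_match(url, reported=REPORTED_URLS):
    """Full-URL lookup: any change to subdomain or path defeats it."""
    return url in reported


def domain_match(url, blocked=BLOCKED_DOMAINS):
    """True if the host is a blocked domain or a subdomain of one."""
    labels = host_of(url).split(".")
    # Compare suffixes on label boundaries only, so "notbadguy.example"
    # is not treated as a subdomain of "badguy.example".
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    samples = [
        "http://a1.badguy.example/x9/login.html",   # the reported URL itself
        "http://q7.badguy.example/zz/login.html",   # new subdomain and folder
        "http://notbadguy.example/",                # unrelated look-alike name
        "http://badguy.example@bank.example/",      # blocked name only in userinfo
    ]
    for url in samples:
        print(f"{url:45} exact={exact_match(url)!s:5} domain={domain_match(url)}")
```

Domain-level matching does not fit the open-redirect case in the second bullet, where the host in the URL is a legitimate site and listing its whole domain would block it too.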

Paul Laudanski • October 10, 2006 7:21 AM

@Miles,

"I honestly can't tell the difference between what castlecops is doing v phishtank."

PIRT is a central hub for phish reporting. We maintain detailed historical info/analysis on phish which permits for later research/triage and link analysis connecting coordinated phishing attacks.

Everything about a phish is collected and preserved for law enforcement and researchers (email, phish URLs, logs, drop emails, kits, etc). We have over 50 partners that receive our feed via XML and email. We'll soon have an API for access to the data.

You can see our partners listed here:

http://www.castlecops.com/pirt

No other organization approaches phish the way we do. We believe in free cooperative sharing.

Our phish data has been used to open/assist in several law enforcement investigations. There is far more which I'm open to discussing at conferences (I'm at one right now).

Roustem • October 10, 2006 8:54 PM

It is sad that so few internet users know that there is an easy solution that protects from 100% of phishing attacks.

The solution is to never memorize the password and to never enter it manually.

Tools like RoboForm (for Windows) and 1Passwd (for Mac) will do that for you and protect you from phishing. The problem is solved.

Miles • October 17, 2006 12:17 PM

@Paul-
I think we're agreeing -- I don't see why phishtank didn't build on top of castlecops. IMHO the more consolidation in public phish sources the better.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..