Imagine Widespread Anti-Phishing Use

By Larry Seltzer  |  Posted 2005-09-18 Print this article Print

Opinion: There are many anti-phishing tools for Windows, but they're all small-timers. That all changes with Internet Explorer 7.

Jaded old jerks like me who are skeptical of everything dont need anti-phishing software. I dont trust anyone, let alone some vendor sending me an e-mail. But anti-phishing software is definitely a good thing, and I have high hopes for it. I tested several anti-phishing toolbars for Windows a few months ago. The more sophisticated ones all work basically the same, using a number of techniques that seem obvious (although Im sure the vendors are all busy patenting all of them). My favorite is the Netcraft toolbar, which has a distinctly expert-oriented slant, but there are other good ones.

Not too long from now, Internet Explorer 7 will be released, incorporating a "phishing filter" using more or less the same capabilities as the Netcraft, Cloudmark and some others. An entry in Microsofts IEBlog explains much of their anti-phishing strategy. Here are some of the techniques:

whitelists: The product contains a list of known-good sites, probably stored locally and periodically refreshed. When the user visits one of these sites, the tool just lets it go.
blacklists: The product contains a list of known-bad sites, and the tool can block the user and report that a known-bad site was accessed. • heuristics: The page exhibits "phishy" behavior. This is cool stuff: phishing sites typically do a lot of things that are not illegal but indicative of misleading behavior. For example, multiple accesses to graphics on other domains, especially those on a short list of phishing victims like Paypal; also, using anchor tags in which the body of the anchor is in the form of a URL, and the actual target of the link doesnt match the URL in the body. Many tools also have added techie tools; Netcrafts for example, shows you the actual provider and country of hosting of the site, and how long they have been tracking it. This in itself can be a clue to whether its a real site or a phish.

So what differentiates the good tools/services from the not-so-good ones? Assuming there are no outright bugs in the programs, I see two main issues: speed and breadth. All of the tools let you report a new phishing site that the tool didnt recognize. I myself have been the first to report about 30 sites to Netcraft. The vendors themselves probably seek out phishing sites however they can. The vendor with the largest collection of sites is a better one. The vendor who investigates reports and updates their database fastest is also better. The vendor who does both is best. Can Microsoft be a security trendsetter? Click here to read more. I specifically hope that some central repository of known phishing sites can be set up and maintained securely. This is a tricky thing to do for a number of reasons. First, the vendors may see their database of phishing sites as a competitive advantage and not want to share it. Not being in the business, its easy for me to say they should all share their data. I therefore declare it to be the right thing to do. (So let it be written, so let it be done.)

But even more exciting, I think that once very large numbers of users are running this software, and especially with aggressive heuristics, phishing sites wont be able to stay up very long without being detected. The numbers of unprotected and oblivious users subject to attack will decrease, and by a lot, I think.

Around years end when the predictions for future issues came out, vast increases in phishing were a common prediction. Im not so sure anymore. I think that anti-phishing could make a real dent in the problem.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel