The Future of Phish Fighting

By Larry Seltzer  |  Posted 2006-04-17 Print this article Print

Opinion: Since e-mail standards won't be of much help, we'll have to deal with phishing through private, complementary services. Which will be the big guns?

This weeks E-mail Authentication Summit in Chicago on April 19 reminds me of the Internet communitys failure to agree on an authentication standard. Efforts such as this meeting notwithstanding, the whole authentication movement has been a flop, and thats a shame. Nothing would have made a bigger dent in malware, spam and phishing than a widely respected standard for authentication.
Since authentication wont be universal enough to help, well be left using private industry products and services to fill in the gaps.
There are probably a couple dozen products one can use, such the Netcraft Toolbar, and they take a variety of approaches. There are two main approaches to anti-phishing: blacklists/whitelists and heuristics. A good service would begin with extensive lists of both types, especially a whitelist, and both (especially the blacklist) would grow as users reported in. Click here to read about an online registry that attempts to fight phishing attempts. Heuristics look at Web pages and perhaps the e-mails that link to them and attempt to determine whether they are, or are likely to be, false. There are a number of fairly obvious techniques. Blacklists are the best way to deal with most phishing sites because, assuming the service is competent, they can say for sure that a site is not what it appears to be. But in the early minutes of a phishing attack its possible for software to make a pretty good guess that an e-mail is a phishing invitation, or that a Web site is acting "phishy." For me, the most common and obvious sign of a phishing attack, and the one easiest to detect, is when an e-mail contains an HTML link where the text in the body of the link is a URL, but a different one from the target of the link. Heres the classic example:
    <a href="http://1234567/">
There are many variations on it, but this is still extremely common in phishing attacks. Other common techniques susceptible to heuristic analysis are when an e-mail or Web site links directly to images on Web sites that are common targets of phishing, such as PayPal; the use of links with IP addresses, especially ones in decimal form (such as in the example above); and any Web form asking for what appears to be sensitive information (such as credit card numbers) without using HTTPS (HTTP Secure). For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. But all of the individual products operate as islands with their own lists. The real salvation will come when one product and one black/whitelist gains substantial market share. At that point, the odds that a new phish will be reported quickly and quickly blacklisted will be high. Its not a good solution, but its probably the best we can hope for. And from where will this market-dominant blacklist come? I dont like it any more than you do, but the only product with a shot at it is Internet Explorer 7. IE7s phishing filter, in beta along with the rest of the browser, will use both heuristics and blacklists. The company has specifically said that heuristics would be used, but avoided discussing exactly what they would be. My guess is that the heuristics will be relatively unaggressive, since the company needs to minimize the number of complaints it receives from false positives, and even from true positives that the user misinterprets as false. And you can bet that IE7 will have a huge market share. All versions of IE since Version 3 have had huge market shares, and this one could be bigger than them all. And that huge market share will make the IE7 blacklist the key tool in fighting phishing. Will Internet Explorer actually be the big gun that takes out phishing? Its too ironic to be true, but its a tempting thought. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel