Where the Phish Are

By Larry Seltzer  |  Posted 2007-10-10 Print this article Print

Opinion: Once you look at what networks host phishing attacks and how many are there, it's clear who the big problem is.

Data like that in the Phishtank Annual Report is always good fun for those interested in security threats. You can learn a lot from such raw data.

PhishTank is a project of OpenDNS, a free DNS service worth considering for other reasons. PhishTank is a database of phishing URLs submitted by the public and voted on by the PhishTank community. The good part of this idea is that humans can examine the submission and their votes should assure a very low number of false positives, since experienced humans can tell a phish just by looking at it.
Ive been suspicious of the quality of the PhishTank data for some time because it seemed to me that a volunteer effort like this couldnt compare to a "professional" effort. The PhishTank stats page lists 303,682 total submissions and 1,497,511 votes, or just under five votes per submission.
I guess thats good enough; even just one vote could be meaningful. Im sure most of the votes are unanimous (though I dont see data on it). And over 300,000 submissions may not be most of the phishes out there, but its a pretty good sample. And plenty of organizations believe enough in PhishTank data to use it in their own services. Because its a good sample, it should be instructive to look at aggregate data from these phishing sites, and thats what the Annual Report is about.

The first part of the report, about brands phished, yields no big surprises. First PayPal and eBay, then a bunch of banks, and then every now and then a large merchant or the IRS. Just what anyone would have predicted. The more interesting part follows on where the phish are (i.e. whose networks). The top network charts are consolidated measures of the number of phishing sites based on their ASN (Autonomous System Number), which is a unique identifier for a physical network. No. 1 in the United States on this list is SBC, which really means AT&T. Several of the names are almost pseudonymous, bearing the names of acquisitions from long ago. For instance, Inktomi Corporation may be the name on the ASN, but its really Yahoo Domains that is hosting the phishing sites. Im still looking into it, but I suspect the PhishTank people didnt do the best possible job in consolidation. Many larger networks, especially those built through acquisition, own several ASNs, and PhishTank generally tries to bundle them up into one number. For instance, No. 12 "WorldNet Services" is almost certainly part of AT&T perhaps it should have been consolidated with No. 1 SBC, or perhaps this draws a distinction between consumer and business networks. You can see many of the ASNs owned by the larger, dirtier networks in Trend Micros Network Reputation - Estimated Spam Volume by ISP report. > Heres something funny and instructive. U.S.-based systems are listed as the largest source of phishing attacks (just over 30 percent), but the three IP addresses with the most attacks—responsible among them for 18 percent of all verified phishing Web sites—are located in Korea, Turkey and Chile. Blue Coat Systems Web filter uses an opt-in, not opt-out, approach to its list of safe sites. Click here to read more.

Im also very curious about the absence of Verizon from this list. Verizon is a very large ISP both for businesses and consumers and, as the Trend Micro spam reputation report always shows, is a network with more than its share of bots. Perhaps this is a consolidation error on PhishTanks part. Verizon owns quite a few ASNs, including these: Clearly, prompt reporting of phishing sites isnt enough to take them down. You need the cooperation of the ISP and, in some cases, the domain registrar. The PhishTank report makes it clear that were a long way from the sort of cooperation that will be necessary to marginalize phishers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel