I tested several anti-phishing toolbars for Windows a few months ago. The more sophisticated ones all work basically the same, using a number of techniques that seem obvious (although Im sure the vendors are all busy patenting all of them). My favorite is the Netcraft toolbar, which has a distinctly expert-oriented slant, but there are other good ones.
Not too long from now, Internet Explorer 7 will be released, incorporating a "phishing filter" using more or less the same capabilities as the Netcraft, Cloudmark and some others. An entry in Microsofts IEBlog explains much of their anti-phishing strategy. Here are some of the techniques:
• whitelists: The product contains a list of known-good sites, probably stored locally and periodically refreshed. When the user visits one of these sites, the tool just lets it go.
• blacklists: The product contains a list of known-bad sites, and the tool can block the user and report that a known-bad site was accessed.
• heuristics: The page exhibits "phishy" behavior. This is cool stuff: phishing sites typically do a lot of things that are not illegal but indicative of misleading behavior. For example, multiple accesses to graphics on other domains, especially those on a short list of phishing victims like Paypal; also, using anchor tags in which the body of the anchor is in the form of a URL, and the actual target of the link doesnt match the URL in the body.
Many tools also have added techie tools; Netcrafts for example, shows you the actual provider and country of hosting of the site, and how long they have been tracking it. This in itself can be a clue to whether its a real site or a phish.
So what differentiates the good tools/services from the not-so-good ones? Assuming there are no outright bugs in the programs, I see two main issues: speed and breadth. All of the tools let you report a new phishing site that the tool didnt recognize. I myself have been the first to report about 30 sites to Netcraft. The vendors themselves probably seek out phishing sites however they can. The vendor with the largest collection of sites is a better one. The vendor who investigates reports and updates their database fastest is also better. The vendor who does both is best.
I specifically hope that some central repository of known phishing sites can be set up and maintained securely. This is a tricky thing to do for a number of reasons. First, the vendors may see their database of phishing sites as a competitive advantage and not want to share it. Not being in the business, its easy for me to say they should all share their data. I therefore declare it to be the right thing to do. (So let it be written, so let it be done.)
But even more exciting, I think that once very large numbers of users are running this software, and especially with aggressive heuristics, phishing sites wont be able to stay up very long without being detected. The numbers of unprotected and oblivious users subject to attack will decrease, and by a lot, I think.
Around years end when the predictions for future issues came out, vast increases in phishing were a common prediction. Im not so sure anymore. I think that anti-phishing could make a real dent in the problem.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer