Data like that in the Phishtank Annual Report is always good fun for those interested in security threats. You can learn a lot from such raw data.
PhishTank is a project of OpenDNS, a free DNS service worth considering for other reasons. PhishTank is a database of phishing URLs submitted by the public and voted on by the PhishTank community. The good part of this idea is that humans can examine the submission and their votes should assure a very low number of false positives, since experienced humans can tell a phish just by looking at it.
Ive been suspicious of the quality of the PhishTank data for some time because it seemed to me that a volunteer effort like this couldnt compare to a "professional" effort. The PhishTank stats page lists 303,682 total submissions and 1,497,511 votes, or just under five votes per submission.
I guess thats good enough; even just one vote could be meaningful. Im sure most of the votes are unanimous (though I dont see data on it). And over 300,000 submissions may not be most of the phishes out there, but its a pretty good sample. And plenty of organizations believe enough in PhishTank data to use it in their own services.
Because its a good sample, it should be instructive to look at aggregate data from these phishing sites, and thats what the Annual Report is about.
The first part of the report, about brands phished, yields no big surprises. First PayPal and eBay, then a bunch of banks, and then every now and then a large merchant or the IRS. Just what anyone would have predicted.
The more interesting part follows on where the phish are (i.e. whose networks). The top network charts are consolidated measures of the number of phishing sites based on their ASN (Autonomous System Number), which is a unique identifier for a physical network. No. 1 in the United States on this list is SBC, which really means AT&T.
Several of the names are almost pseudonymous, bearing the names of acquisitions from long ago. For instance, Inktomi Corporation may be the name on the ASN, but its really Yahoo Domains that is hosting the phishing sites.
Im still looking into it, but I suspect the PhishTank people didnt do the best possible job in consolidation. Many larger networks, especially those built through acquisition, own several ASNs, and PhishTank generally tries to bundle them up into one number. For instance, No. 12 "WorldNet Services" is almost certainly part of AT&T; perhaps it should have been consolidated with No. 1 SBC, or perhaps this draws a distinction between consumer and business networks.
You can see many of the ASNs owned by the larger, dirtier networks in Trend Micros Network Reputation - Estimated Spam Volume by ISP report. >
Heres something funny and instructive. U.S.-based systems are listed as the largest source of phishing attacks (just over 30 percent), but the three IP addresses with the most attacks—responsible among them for 18 percent of all verified phishing Web sites—are located in Korea, Turkey and Chile.
Im also very curious about the absence of Verizon from this list. Verizon is a very large ISP both for businesses and consumers and, as the Trend Micro spam reputation report always shows, is a network with more than its share of bots. Perhaps this is a consolidation error on PhishTanks part. Verizon owns quite a few ASNs, including these:
- AS19262: VZGNI-TRANSIT - Verizon Internet Services
- AS701: UUNET - MCI Communications Services d/b/a Verizon Business
- AS702: Verizon Business EMEA - Commercial IP service provider in Europe
- AS7046: UUNET-CUSTOMER - MCI Communications Services d/b/a Verizon Business
- AS813: UUNET-CANADA - MCI Communications Services d/b/a Verizon Business
Clearly, prompt reporting of phishing sites isnt enough to take them down. You need the cooperation of the ISP and, in some cases, the domain registrar. The PhishTank report makes it clear that were a long way from the sort of cooperation that will be necessary to marginalize phishers.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.