Whos the phishiest hosting service on the Internet? According to Netcraft, an Internet security research and consulting firm, its Inktomi, part of Yahoo.
That last link is a dynamic page, but Ive been following it a little while, and it hasnt changed much. Most of the other players are a United Nations subcommittee of countries youd stereotype for Internet abuse: Russia, Korea, Taiwan, Brazil, etc. Big enough to have sophisticated Internet infrastructures, loosely run enough to allow illicit operations to run rampant. (Who are the phishiest countries in the world? Netcraft monitors them too.)
So whats Yahoos excuse? Yahoos deserved place in this hall of shame (along with ThePlanet.com, another large U.S. hosting service) should be humbling to boastful Americans like me. Were the biggest part of the Internet, and were the biggest part of the problems with it.
A Yahoo spokesperson said, “Phishing is an industrywide issue and one that Yahoo takes very seriously. Yahoo employs a multifaceted approach to protect consumers against phishing scams, including the use of enhanced technologies, industry collaboration efforts, legislation and litigation efforts, and increasing consumer awareness. When we learn about phishing sites, we remove them as quickly as possible. Additionally, we worked with other companies to create and implement an expedited takedown process.”
The main reason all this caught my attention lately is that I have received several phishing e-mails in recent weeks, all of them targeting Paypal and all hosted on Yahoo. I have attempted to report them to Yahoo through its standard abuse reporting facilities, but these facilities are behind the times and are monitored by employees who dont get the point.
Theres another part of this thats bothered me since it began, and thats the role of Melbourne IT, the Australian company for whom Yahoo resells domain registration services. The first of the phishing attempts I saw, later described in embarrassing detail by the Anti-Phishing Working Group, involved a domain named paypal-cgi.us. Obviously, domain registration is an automated process, but this is a pretty obvious infringement of a red-flag name.
Should Yahoo or Melbourne IT not have allowed a registration including the name “paypal” in it? Nutty as it may be, depending on your point of view, the law appears to be unsettled. There are cases where the incorporation of anothers trademark is a matter of free speech, like MicrosoftSucks.com. But nobody with a brain in his or her head would argue that using someone elses trademark to fool its customers into using the site is a legitimate use.
There is a process, ICANNs Uniform Domain-Name Dispute-Resolution Policy, for resolving disputes involving domain names, especially with trademark implications. If you read the policy its clear that it was devised before phishing came about. This may explain why the site for paypal-cgi.us may be down, but the domain is still registered to the (probably phony) person who created it.
This is why hosting and registration services need to have their own strict policies and be diligent about monitoring abuse reports. “Diligent” is the last word to describe Yahoo in this regard. Phishers seem to have figured out that Yahoo can be played. I have personally received e-mail hooks for three Paypal phishes in the last couple of months (see two of them here and here). All three Web sites stayed up for a while—as much as a week—even though I reported them to Yahoos abuse group.
About Yahoos abuse reporting facilities, like ICANNs policies they seem to date from a time before phishing. The first thing you notice is there is no Yahoo product or service in the list to which phishing might apply, so you click “Other.” This brings you to the “Yahoo! Terms of Service > Member Conduct” page, which says, “Please use this form only to report Yahoo! members who may be abusing our services.” Hmmm … not exactly appropriate, but lets humor the page in the hopes that we can still get our point across. The second item you are asked for is “the Yahoo! ID of the person you wish to report.” OK, I can see well have a problem here, since this is a required element.
The bottom line is that Yahoos abuse reporting page has no way to report a phishing site. After realizing this, I tried forwarding the e-mail that hooked for the phish to [email protected], only to have a report back (several days later) that I hadnt included mail headers and that Yahoo would therefore drop the matter.
The point of my report, of course, was not the e-mail but the site to which it referred. I dont have hard data on it—yet—but I suspect that Yahoos real lead in phishing isnt the number of sites but their longevity, the amount of time they stay up before Yahoo gets around to taking them down.
Yahoo said it will soon be adding a link to report hosting/phishing issues at http://help.yahoo.com/help/abuse.
Unfortunately, ISPs and hosting services and registrars dont want to monitor abuse reports. Not only does it make them no money, it often ends up booting off a paying customer, albeit the kind of customer you dont really want. But the good ones do a better job of it, or employ third-party services like Netcraft and others that monitor for it. The really big and sloppy ones, like Yahoo, will only learn when the market tells them to.
Editors Note: This story was updated to include comments from Yahoo.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer