This weeks E-mail Authentication Summit in Chicago on April 19 reminds me of the Internet communitys failure to agree on an authentication standard.
Efforts such as this meeting notwithstanding, the whole authentication movement has been a flop, and thats a shame.
Nothing would have made a bigger dent in malware, spam and phishing than a widely respected standard for authentication.
Since authentication wont be universal enough to help, well be left using private industry products and services to fill in the gaps.
There are probably a couple dozen products one can use, such the Netcraft Toolbar, and they take a variety of approaches.
There are two main approaches to anti-phishing: blacklists/whitelists and heuristics. A good service would begin with extensive lists of both types, especially a whitelist, and both (especially the blacklist) would grow as users reported in.
Heuristics look at Web pages and perhaps the e-mails that link to them and attempt to determine whether they are, or are likely to be, false. There are a number of fairly obvious techniques.
Blacklists are the best way to deal with most phishing sites because, assuming the service is competent, they can say for sure that a site is not what it appears to be.
But in the early minutes of a phishing attack its possible for software to make a pretty good guess that an e-mail is a phishing invitation, or that a Web site is acting “phishy.”
For me, the most common and obvious sign of a phishing attack, and the one easiest to detect, is when an e-mail contains an HTML link where the text in the body of the link is a URL, but a different one from the target of the link.
Heres the classic example:
There are many variations on it, but this is still extremely common in phishing attacks.
Other common techniques susceptible to heuristic analysis are when an e-mail or Web site links directly to images on Web sites that are common targets of phishing, such as PayPal; the use of links with IP addresses, especially ones in decimal form (such as in the example above); and any Web form asking for what appears to be sensitive information (such as credit card numbers) without using HTTPS (HTTP Secure).
But all of the individual products operate as islands with their own lists. The real salvation will come when one product and one black/whitelist gains substantial market share. At that point, the odds that a new phish will be reported quickly and quickly blacklisted will be high. Its not a good solution, but its probably the best we can hope for.
And from where will this market-dominant blacklist come? I dont like it any more than you do, but the only product with a shot at it is Internet Explorer 7. IE7s phishing filter, in beta along with the rest of the browser, will use both heuristics and blacklists. The company has specifically said that heuristics would be used, but avoided discussing exactly what they would be.
My guess is that the heuristics will be relatively unaggressive, since the company needs to minimize the number of complaints it receives from false positives, and even from true positives that the user misinterprets as false.
And you can bet that IE7 will have a huge market share. All versions of IE since Version 3 have had huge market shares, and this one could be bigger than them all. And that huge market share will make the IE7 blacklist the key tool in fighting phishing.
Will Internet Explorer actually be the big gun that takes out phishing? Its too ironic to be true, but its a tempting thought.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]