Where the Phish Are

Opinion: Once you look at what networks host phishing attacks and how many are there, it's clear who the big problem is.

Data like that in the Phishtank Annual Report is always good fun for those interested in security threats. You can learn a lot from such raw data.

PhishTank is a project of OpenDNS, a free DNS service worth considering for other reasons. PhishTank is a database of phishing URLs submitted by the public and voted on by the PhishTank community. The good part of this idea is that humans can examine the submission and their votes should assure a very low number of false positives, since experienced humans can tell a phish just by looking at it.

Ive been suspicious of the quality of the PhishTank data for some time because it seemed to me that a volunteer effort like this couldnt compare to a "professional" effort. The PhishTank stats page lists 303,682 total submissions and 1,497,511 votes, or just under five votes per submission.

I guess thats good enough; even just one vote could be meaningful. Im sure most of the votes are unanimous (though I dont see data on it). And over 300,000 submissions may not be most of the phishes out there, but its a pretty good sample. And plenty of organizations believe enough in PhishTank data to use it in their own services.

Because its a good sample, it should be instructive to look at aggregate data from these phishing sites, and thats what the Annual Report is about.

The first part of the report, about brands phished, yields no big surprises. First PayPal and eBay, then a bunch of banks, and then every now and then a large merchant or the IRS. Just what anyone would have predicted.

The more interesting part follows on where the phish are (i.e. whose networks). The top network charts are consolidated measures of the number of phishing sites based on their ASN (Autonomous System Number), which is a unique identifier for a physical network. No. 1 in the United States on this list is SBC, which really means AT&T.

Several of the names are almost pseudonymous, bearing the names of acquisitions from long ago. For instance, Inktomi Corporation may be the name on the ASN, but its really Yahoo Domains that is hosting the phishing sites.

Im still looking into it, but I suspect the PhishTank people didnt do the best possible job in consolidation. Many larger networks, especially those built through acquisition, own several ASNs, and PhishTank generally tries to bundle them up into one number. For instance, No. 12 "WorldNet Services" is almost certainly part of AT&T; perhaps it should have been consolidated with No. 1 SBC, or perhaps this draws a distinction between consumer and business networks.

You can see many of the ASNs owned by the larger, dirtier networks in Trend Micros Network Reputation - Estimated Spam Volume by ISP report. >

Heres something funny and instructive. U.S.-based systems are listed as the largest source of phishing attacks (just over 30 percent), but the three IP addresses with the most attacks—responsible among them for 18 percent of all verified phishing Web sites—are located in Korea, Turkey and Chile.

/zimages/4/28571.gifBlue Coat Systems Web filter uses an opt-in, not opt-out, approach to its list of safe sites. Click here to read more.

This tells me, first and foremost, that abuse enforcement on those networks is non-existent. Second, perhaps enforcement on U.S. networks is better than I thought, but perhaps only by comparison to that of networks abroad.

Im also very curious about the absence of Verizon from this list. Verizon is a very large ISP both for businesses and consumers and, as the Trend Micro spam reputation report always shows, is a network with more than its share of bots. Perhaps this is a consolidation error on PhishTanks part. Verizon owns quite a few ASNs, including these:

Clearly, prompt reporting of phishing sites isnt enough to take them down. You need the cooperation of the ISP and, in some cases, the domain registrar. The PhishTank report makes it clear that were a long way from the sort of cooperation that will be necessary to marginalize phishers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack