A Tour of the Google Blacklist - Michael Sutton's Blog
A Tour of the Google Blacklist

[Update 01.10.07: In response to some of the queries that I've been receiving, I've published a follow up blog to discuss the structure/decryption algorithm of Google's Encoded/Hashed Blacklist.] 

I recently decided to devote a day to walking through the Google Blacklist. While some of the findings were to be expected, others proved somewhat surprising. The Google Blacklist is a listing of URLs suspected to be phishing sites. It is used by the Google Safe Browsing for Firefox extension which is now part of the Google Toolbar for Firefox. It is also leveraged by the Firefox 2 web browser. Google maintains a number of different safe browsing lists to combat phishing including a URL blacklist, an encoded/hashed blacklist, a URL whitelist, a domain whitelist and a sandbox text list, which contains keywords included in URLs. While Google doesn't reveal exactly how these lists are developed, it's clear that user input is an important variable given that both the Google Toolbar and Firefox 2 allow for optional user feedback when phishing sites are encountered.

My hope was that this exercise would provide some insight into current phishing attacks and it certainly did. The blacklist is continuously updated and specific versions can be requested by including the required major:minor version in the GET request. The full listing (1:1) contained primarily outdated URLs as 86% of the pages or sites were no longer available. While I would like to think that the existence of Google's blacklist had contributed to the demise of these sites, phishing sites tend to emerge and disappear quickly, so I suspect that this is just a natural part of the phishing cycle. I had expected to see a combination of social engineering attacks, known vulnerabilities and 0day attacks used on the sites with the majority falling into the first category. I was therefore somewhat surprised to find virtually all sites using straight social engineering attacks. I was also surprised to see that the top three targets - eBay, PayPal and Bank of America accounted for 63% of the active phishing sites. One amusing finding was that Yahoo! commonly hosts pages that phish...wait for it...Yahoo! credentials. A breakdown of the full findings can be found below.
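
The versioned-update mechanism mentioned above (a GET that names the major:minor version the client already holds, answered with the entries added or removed since) is simple to mirror locally. The following is an added example written for this post, not Google's client code. It assumes the request query string 'update?version=goog-black-url:MAJOR:MINOR' (the query visible in the file name a commenter quotes further down), a body that opens with a '[goog-black-url MAJOR.MINOR update]' header, and one entry per line prefixed with '+' (add) or '-' (remove), optionally followed by a space and a flag letter as in the '+https://... c' entry quoted in the comments; a higher major version is treated as a full replacement list. The update bodies below are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed header line of one update body, e.g. "[goog-black-url 1.2 update]".
HEADER_RE = re.compile(r"^\[goog-black-url (\d+)\.(\d+)(?: update)?\]$")


def update_query(major, minor):
    """Query string asking for everything newer than version major:minor (assumed form)."""
    return "update?version=goog-black-url:%d:%d" % (major, minor)


def canonical(url):
    """Normalise scheme/host case and an empty path so lookups are stable."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def parse_update(text):
    """Return (major, minor, adds, removes) for one update body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not HEADER_RE.match(lines[0]):
        raise ValueError("missing [goog-black-url M.N] header")
    major, minor = (int(x) for x in HEADER_RE.match(lines[0]).groups())
    adds, removes = [], []
    for line in lines[1:]:
        op, fields = line[0], line[1:].split()
        if op not in "+-" or not fields:
            raise ValueError("malformed entry: %r" % line)
        # fields[0] is the URL; a trailing flag letter such as " c" is ignored.
        (adds if op == "+" else removes).append(canonical(fields[0]))
    return major, minor, adds, removes


def apply_update(blacklist, version, text):
    """Apply one update; returns (new_set, new_version). Stale updates are refused."""
    major, minor, adds, removes = parse_update(text)
    if (major, minor) <= tuple(version):
        raise ValueError("update %d.%d is not newer than %d.%d" % (major, minor, *version))
    # Assumption: a new major version is a full list, not a delta on the old one.
    updated = set() if major > version[0] else set(blacklist)
    updated.difference_update(removes)
    updated.update(adds)
    return updated, (major, minor)


def is_listed(blacklist, url):
    """Exact match after canonicalisation (case of scheme and host does not matter)."""
    return canonical(url) in blacklist


# Constructed sample updates: the second retires one entry and adds another.
UPDATE_1_1 = """[goog-black-url 1.1 update]
+http://paypal.evilsite.com/login.php
+https://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html c
"""
UPDATE_1_2 = """[goog-black-url 1.2 update]
-http://paypal.evilsite.com/login.php
+http://ebay.evilsite.com/signin.html
"""


def sync_demo():
    """Replay both constructed updates from an empty list; return (set, version)."""
    blacklist, version = set(), (0, 0)
    for body in (UPDATE_1_1, UPDATE_1_2):
        blacklist, version = apply_update(blacklist, version, body)
    return blacklist, version


if __name__ == "__main__":
    listed, ver = sync_demo()
    print(ver, sorted(listed))
    print(is_listed(listed, "HTTP://EBAY.evilsite.com/signin.html"))
```

A client that refuses stale or out-of-order updates, as apply_update does, cannot be rolled back to an older list by a replayed response; that is the one property worth keeping even if the real wire format differs from the assumed one.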

Summary of All URLs

Category                 # of URLs   % of URLs
Server not found              2315      76.71%
Page unavailable (1)           283       9.38%
False positives                 79       2.62%
Active phishing sites          341      11.29%
Total                         3018     100.00%

Note 1: Includes 404 Not Found errors, 503 Service Unavailable errors, domain registrar placeholders, under construction pages, generic search pages, error messages, etc.

Summary of Active Phishing Sites

Target               # of URLs   % of URLs
eBay                        80      23.46%
PayPal                      79      23.17%
Bank of America             56      16.42%
Generic (2)                 27       7.92%
Yahoo!                      21       6.16%
MySpace                     15       4.40%
Wachovia                     7       2.05%
e-gold                       4       1.17%
HSBC                         4       1.17%
Wells Fargo                  4       1.17%
Barclays Bank                3       0.88%
Citi                         3       0.88%
Nationwide Bank              3       0.88%
Bank of Scotland             2       0.59%
Development Bank             2       0.59%
Geocities                    2       0.59%
Hotmail                      2       0.59%
IRS                          2       0.59%
Orkut                        2       0.59%
Others                      23       6.73%
Total                      341     100.00%

Note 2: Includes pages with web forms designed to harvest email addresses, social security numbers etc., but the sites were generic in nature and did not target any one company. Most were sites promising financial advice in exchange for providing personal information.

In almost all cases, these phishing sites are fake login pages, password reset pages or various other web forms that require the user to input sensitive data such as a password, credit card number or social security number. Surprisingly, of the 341 active phishing pages that I looked at, only one attempted to use a known vulnerability. All others simply employed social engineering attacks. The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site.

Free Web Hosting Sites

Phishers are apparently cheap as many utilize free hosting sites such as Geocities, Tripod and FreeSpaces to host their phishing sites. While the hosting providers are catching some of these sites, they're clearly not working hard enough as several remained active. Somewhat amusing is that Yahoo Geocities is commonly used to host pages designed to harvest Yahoo! login IDs. Why Yahoo! can't catch phishing pages which they host is beyond me. Below are a handful of such pages which remained active as of this posting:

All of the aforementioned sites appear to be set up by the same group as they all forward login credentials to http://www2.fiberbit.net/form/mailto.cgi. However, it is likely that they were set up at different times as they exhibit different properties. Some display an error page after a failed login while others redirect the user to a porn site or alternate Yahoo! page. Some also utilize JavaScript to prevent the user from accessing the right-click context menu, presumably in an attempt to hinder viewing the web page source code. Others also HTML encode the action attribute.

URL Obfuscation

The majority of active phishing sites took minimal steps to obfuscate the URL. The most common practice was to simply prefix the attacker URL with the targeted domain name (e.g. paypal.evilsite.com). Obviously even a casual inspection of the targeted URL would arouse suspicion but sadly this simple attack appears to fool many users. Other sites utilized IP addresses as opposed to fully qualified domain names and others went a step further by using decimal or hexadecimal forms of the IP addresses which are properly interpreted by most browsers. Hexadecimal encoding of at least portions of the URL itself was also a popular technique.

Cybersquatting

Cybersquatting, although far from a new technique, appears to remain in vogue. The unfortunate part is that domain registrars are allowing these names to be registered in the first place. In the sampling of domain names below, it is clear that these were registered with questionable intentions.

  • mail-yahoo-us.tk
  • wellsfargo-newupdate.com
  • e-wachovia.org
  • wachovia-bank.org
  • wachovia24.net
  • wachovia24.org
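
The tricks listed under 'URL Obfuscation' (brand name prefixed to an attacker domain, raw IP addresses, IP addresses in decimal or hexadecimal form, hex-encoded URL fragments) and the cybersquatted names above can all be flagged mechanically. The following is an added example written for this post, not code from the original; the brand watch-list, the set of legitimate domains and the two-label registered-domain rule are assumptions (a real deployment would use a public suffix list), and the sample URLs are constructed. It goes one step beyond the text by percent-decoding the URL before inspecting the host, so that an encoded hostname is judged on its decoded form.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed watch-list and legitimate domains; a real deployment would load both.
BRANDS = ("paypal", "ebay", "wachovia", "wellsfargo", "yahoo")
LEGIT_DOMAINS = {"paypal.com", "ebay.com", "wachovia.com", "wellsfargo.com", "yahoo.com"}
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def decode_host(host):
    """Return (normalised_host, is_ip). Decimal (3232235777) and hex
    (0xc0a80101) hosts, which most browsers accept, become dotted quads."""
    h = host.lower()
    try:
        if re.fullmatch(r"\d+", h):
            return str(ipaddress.IPv4Address(int(h, 10))), True
        if re.fullmatch(r"0x[0-9a-f]+", h):
            return str(ipaddress.IPv4Address(int(h, 16))), True
        ipaddress.IPv4Address(h)          # plain dotted quad?
        return h, True
    except ValueError:                    # AddressValueError is a ValueError
        return h, False


def registered_domain(host):
    """Naive registrable domain: the last two labels (assumption, no suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(url):
    """Return a list of human-readable findings for one URL; empty means clean."""
    findings = []
    raw = url.strip()
    decoded = unquote(raw)
    if decoded != raw:
        findings.append("percent-encoded characters in URL")
    parts = urlsplit(decoded)
    hostname = (parts.hostname or "").lower()
    host, is_ip = decode_host(hostname)
    if is_ip:
        if DOTTED_QUAD.fullmatch(hostname):
            findings.append("IP address used instead of a hostname")
        else:
            findings.append("IP address written in decimal/hex form (%s)" % host)
        return findings
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return findings
    for brand in BRANDS:
        if brand not in host:
            continue
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            findings.append("brand %r used as a subdomain of %s" % (brand, reg))
        else:
            findings.append("brand %r inside look-alike domain %s" % (brand, reg))
        break
    return findings


SAMPLE_URLS = [  # constructed, modelled on the patterns described in the post
    "http://paypal.evilsite.com/login",
    "http://3232235777/wachovia/",
    "http://0xC0A80101/",
    "http://81.113.212.146/ebay/",
    "http://wachovia-bank.org/",
    "http://www.%70aypal.com/",
    "https://www.paypal.com/signin",
]


def scan(urls=SAMPLE_URLS):
    """Map each URL to its findings; clean URLs map to an empty list."""
    return {u: analyze(u) for u in urls}


if __name__ == "__main__":
    for url, findings in scan().items():
        print(url, "->", findings or "clean")
```

The look-alike rule is deliberately loose: a legitimate but off-domain site such as ebaychatter.com (mentioned in the comments as a false positive) is flagged too, which is exactly the kind of hit that needs a whitelist or human review rather than an automatic block.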

Multiple Scams, One Domain

A single domain is commonly used for multiple phishing scams targeting different companies, as noted below:

  • Domain: mujweb.cz
  • Targets:
    • eBay
    • PayPal
    • Wachovia

[Update: 01.05.07 - A couple of people have kindly pointed out that mujweb.cz is a free web-hosting service in the Czech Republic and this situation would be more comparable to phishing sites hosted on Geocities as discussed in the 'Free Web Hosting Sites' section.]

  • Domain: 81.113.212.146
  • Targets:
    • eBay
    • Barclays Bank
    • Citi Bank

URL Redirection

Another surprising finding was that few of the phishing scams utilized open URL redirectors. This is a known technique whereby phishers identify redirection functionality at a popular website (e.g. Google) and use that functionality to redirect the victim to the targeted phishing site in order to minimize suspicion. Combing through the blacklist did however reveal the following redirection attack using Google AdWords:

http://www.google.com/pagead/iclk?sa=l&ai=x&adurl=http://www.spidynamics.com

I've seen this technique mentioned in past threads. However, one thing that I noticed which I had not seen before is that the 'ai' parameter can actually be any value rather than the 50+ character unique string that is typically used by AdWords. This would naturally make for a more compact, natural looking URL.
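
The redirection link quoted above can be recognised without knowing the redirector's parameter names. The following is an added example written for this post, not code from the original: it looks for any query parameter whose value is a complete http(s) URL pointing at a host other than the link's own, and, for the /pagead/iclk path, applies the post's observation that a genuine 'ai' click id is a 50+ character string. The path check is specific to the example in the post, and every sample URL other than the quoted one is constructed.

```python
from urllib.parse import parse_qsl, unquote, urlsplit


def embedded_target(url):
    """Return the first absolute http(s) URL carried in a query value whose host
    differs from the outer URL's host, or None when there is no such value."""
    outer = urlsplit(url)
    outer_host = (outer.hostname or "").lower()
    for _name, value in parse_qsl(outer.query, keep_blank_values=True):
        candidate = unquote(value)           # second decode catches double encoding
        inner = urlsplit(candidate)
        inner_host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and inner_host and inner_host != outer_host:
            return candidate
    return None


def weak_click_id(url, min_len=50):
    """True for an AdWords click link whose 'ai' value is missing or shorter than
    the 50+ character id the post says genuine links carry (assumed threshold)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/pagead/iclk"):
        return False
    ai = dict(parse_qsl(parts.query, keep_blank_values=True)).get("ai", "")
    return len(ai) < min_len


def triage(url):
    """Classify one URL for log review: (verdict, redirect target or None)."""
    target = embedded_target(url)
    if target is None:
        return "no-redirect", None
    if weak_click_id(url):
        return "forged-adwords-redirect", target
    return "possible-open-redirect", target


SAMPLE_URLS = [
    # the link quoted in the post
    "http://www.google.com/pagead/iclk?sa=l&ai=x&adurl=http://www.spidynamics.com",
    # constructed: same-host URL in a parameter is not a redirect elsewhere
    "http://www.google.com/search?q=http%3A%2F%2Fwww.google.com%2F",
    # constructed: relative return path, nothing to redirect to
    "https://www.paypal.com/signin?returnUrl=%2Fmyaccount",
    # constructed: generic redirector with a different parameter name
    "https://portal.example.test/go?next=http%3A%2F%2Fpaypal.evilsite.com%2Flogin",
]


def scan(urls=SAMPLE_URLS):
    """Map each URL to its triage verdict."""
    return {u: triage(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(verdict, "<-", url)
```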

DOM Manipulation

Once again, few phishing sites did anything beyond present a reasonable forgery of a legitimate web page. Some did however perform basic DOM manipulation such as this PayPal phishing site, which uses JavaScript to create a fake address bar at the top of the page, displaying a PayPal URL. The fake address bar is not displayed in Firefox 2.0 but IE 6 & 7 will both display 2 address bars, the real and the fake.

Conclusions

Based on all of the sites that I looked at, the majority of phishing scams are less sophisticated than I had predicted. This is however somewhat concerning as simple attacks must still be working and attackers have not been forced to upgrade their skills in order to make a profit. Phishing is an attack that will be around for some time and there is no magic bullet to stop it. Many parties must work together to reduce phishing attacks and that simply isn't happening. When domain name registrars permit cybersquatting and popular websites allow open URL redirection, it is clear that we have a long way to go.

- michael


Posted 01-04-2007 12:48 PM by erik.peterson

Comments

Daniel Veditz wrote re: A Tour of the Google Blacklist
on 01-04-2007 5:32 PM

It would be interesting to use the enchash data instead. It's been updated twice as often (1.15609 vs 1.7793) and is quite a bit bigger (1200K vs 58K, 11276 lines vs 2855 lines). The statistics could change considerably.

grant wrote re: A Tour of the Google Blacklist
on 01-04-2007 10:58 PM

brilliant article, thanks for the research. amazing yahoo can't do something about the use of their servers by phishers

Matt wrote re: A Tour of the Google Blacklist
on 01-05-2007 12:02 AM

Could you discuss the false positives you found?

Michael Sutton wrote re: A Tour of the Google Blacklist
on 01-05-2007 12:18 AM

Matt - The false positives fell into three primary categories. Most were small sites that I imagine receive minimal traffic. In most cases it was unclear why they were marked as phishing sites and I wonder if Google factors traffic volume into their algorithm so that fewer people would need to mark such sites as being potential phishing sites. A handful were high volume sites, but I could see why they may have been considered by some to be phishing sites. For example, http://www.ebaychatter.com is owned by eBay but it took speaking to a friend at eBay before I was convinced that it was legitimate as it included an eBay login page but wasn't at the main eBay domain. Lastly, there were a handful of intentionally fake sites set up by Google and Mozilla to demonstrate the functionality of their phishing filters. Hope that helps. - michael
atb2008 wrote re: A Tour of the Google Blacklist
on 01-05-2007 12:36 AM

did anyone send those sites into yahoo yet - im going to...

Shezi wrote re: A Tour of the Google Blacklist
on 01-05-2007 2:20 AM

There is one point about your conclusions: The list containing mostly rather simple phishings scams does not indicate that very high-profile scams don't exist. It just means that they're not identified by the google list.

And, in fact, this makes the list quite dangerous (as has been pointed out before): If a (sophisticated) site is not on the list, it ought to be secure.

Heath Raftery wrote re: A Tour of the Google Blacklist
on 01-05-2007 2:59 AM

Your work is much appreciated. Re the couple of solutions you're alluding to - I'd suggest that's a case of chasing your tail or shutting the gate after the horse has bolted. It seems to me that Yahoo preventing suspicious sites, or GoDaddy restricting funny looking domain registrations, is shooting at a moving target. It might prevent some of the new sites from appearing, but it won't catch them all, and there will always be existing sites or new ways of getting them out there. Instead, and I know I'm probably asking the impossible, but wouldn't user education be a massive stake in the heart of the phishing industry?

Lesson 1: If you're entering personal information, make sure the web address you're actually at is the one you want the information to go to.

Lesson 2: There is no Lesson 2. If you don't understand that, disconnect your Internet connection or expect some dramas.

Miscreant wrote re: A Tour of the Google Blacklist
on 01-05-2007 3:15 AM

Just curious, did this prompt your research? http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0039.html Nice work on the research, saved me hours! :)
Web developers wrote re: A Tour of the Google Blacklist
on 01-05-2007 3:38 AM

Michael

A well thought out and well researched article indeed.

Robert wrote re: A Tour of the Google Blacklist
on 01-05-2007 4:21 AM

Nice research ;-)

I wonder if Google generates the blacklist dependent on the location of the requester, since I am from Germany and I see all the big banks of Germany but they did not show up in your ranking.

> grep volksbank update@version=goog-black-url%3A1%3A1 | wc
   336     672   26552

> grep bankofamerica update@version=goog-black-url%3A1%3A1 | wc
   203     406   18142

> wc update@version=goog-black-url%3A1%3A1
 2461   4920 184275 update@version=goog-black-url%3A1%3A1

Where 84 of the 336 “volksbank” sites were still active.

Robert.

MeOfCourse77 wrote re: A Tour of the Google Blacklist
on 01-05-2007 4:30 AM

Did anyone notice that google is on its own blacklist?  Interesting.

+https://www.google.com/tools/firefox/safebrowsing/phish-o-rama.html c

Mike wrote re: A Tour of the Google Blacklist
on 01-05-2007 7:28 AM

Good stuff, it's interesting to see how some of this works. Phishing has gone big-time and Google clearly has their work cut out for themselves trying to keep up.

Mike

http://quicktrivia.com

Shiggity wrote re: A Tour of the Google Blacklist
on 01-05-2007 9:17 AM

Heath, you hit the nail on the head.

jistanidiot wrote re: A Tour of the Google Blacklist
on 01-05-2007 9:19 AM

tell us about the false positives!

Phishcop Admin wrote re: A Tour of the Google Blacklist
on 01-05-2007 9:54 AM

Nice article.  It's good to see people helping to chase the phishing problem.  It's a shame that companies like Yahoo! are clueless when it comes to dealing with phishing.  I can't tell you how many times I've sent email to them giving them a Yahoo! email address I found on a phishing site being used to collect the phishing data, and most of the time I just get back "Please include the headers of the email you received..." stock answer.  Even after I reply and explain to them that the email address I sent them is being used by a phishing site to collect personal account information, they continue to ask for email headers!?!  Not to mention how often Yahoo! themselves are hosting the phishing sites and that the bogus domain was registered via Yahoo! with a stolen credit card.  Maybe they're not so clueless - maybe they just get greater financial benefit from hosting the phishers than from spending resources to shut them down??  I know many credit card companies who seem to prefer SELLING THE CONSUMER "Identity Theft Insurance" rather than preventing Identity Theft in the first place.  Why fix a problem when you can get your customers to pay you to insure against when the problem happens?!?  It's simple economics.

I like Heath's "Lesson 2", but until everyone is educated enough not to fall for these scams (I've talked to doctors and lawyers, so no one should feel stupid), this problem has to be attacked from all angles.

People can send their phishing emails to submit@phishcop.net to let us help get sites shut down and victims notified.

Justin Mason wrote re: A Tour of the Google Blacklist
on 01-05-2007 10:27 AM

Nice.  Thanks for looking at this.

How did you measure false positives?  Did you use the blacklists outside of the Firefox/toolbar framework (from standalone scripts, for instance), or simply surf around a bunch of known-good sites by hand? ;)

Also, if you figured out how to use the enchash list, I'd be curious as to what the hash algorithm they're using is...

Andrew wrote re: A Tour of the Google Blacklist
on 01-05-2007 11:01 AM

Great work. It's amazing what some people will fall for, but it's equally amazing the lengths some people will go to to make sites that convincing.

erik.peterson wrote re: A Tour of the Google Blacklist
on 01-05-2007 11:12 AM

Miscreant - That was indeed what triggered the idea to look at the list.

Brandon Checketts wrote re: A Tour of the Google Blacklist
on 01-05-2007 11:21 AM

You mentioned that "The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site." which is something that I've also noticed as I've looked at phishing sites.  

Isn't an easy solution for the phishing target (ebay, paypal, etc) to just look at the HTTP_REFERRER field to identify those phishing sites?  (I blogged about this on my blog at http://www.brandonchecketts.com/)

KDubb wrote re: A Tour of the Google Blacklist
on 01-05-2007 12:01 PM

Nice work on the article.

@Heath Raftery: I agree with you that user education of not only phishing sites in general but Trojans as well is of prime importance to reduce the amount of victims of such schemes. There are other things that could be done but I don't see them working as feasibly or effectively:

1. The folks creating the phishing pages are hunted down and punished for what they've done. (Which is not likely; it is hard to track them down, and even harder to get foreign law enforcement to take action.)

2. ISPs take steps to verify that the credit card payment they are receiving to host the site is really from the person who owns the account. (Most phishing sites that aren't hack-jobs are paid for via stolen credit card accounts.)

3. Folks beef up their network security so it's not so easy to get hacked into.

4. People not surfing the web with a vulnerable browser and not installing software from sources they don't know.

In addition, what do you do if there exists an ISP hosting these phishing schemes that is run by a relatively untouchable criminal organization in a country with inadequate law? I.E. Rbnnetwork in Russia, one IP being 81.95.146.37 that acts as a trojan drop off point.

User education definitely seems to be the way to go at this point in time.

Just my $0.02

spook #3l33t wrote re: A Tour of the Google Blacklist
on 01-05-2007 12:32 PM

Thanks for the interesting review.  However, it is surprising that some of the newer forms of phishing (image, etc) were not identified.

Cheers.

nikolay wrote re: A Tour of the Google Blacklist
on 01-05-2007 1:39 PM

> A single domain is commonly used for multiple phishing scams targeting different companies as noted below:
> Domain - mujweb.cz
> Targets: eBay, PayPal, Wachovia

Mujweb.cz is a Czech free webhosting service.

Steve Basford wrote re: A Tour of the Google Blacklist
on 01-05-2007 3:37 PM

Nice article!  I produce extra ClamAV signatures for phishing... some of these signatures use the common tricks that the google url list show are being used

Nick FitzGerald wrote re: A Tour of the Google Blacklist
on 01-05-2007 5:47 PM

Brandon Checketts raised the issue of commonly-phished sites checking the HTTP Referer header. This makes him about the 387,274th "expert" to make this stunning suggestion.

Given so many folk have made this earth-shatteringly obvious suggestion, also usually pairing it with a claim for the profound efficacy it should be expected to have in reducing the effectiveness of phishing, sane people would have to wonder why, in fact, so few of the heavily phished sites actually bother doing it.

Perhaps it is because the folk who would actually face the cost of re-designing their websites to accommodate this, plus bear the cost of the extra server-side processing, etc recognize that it is an almost totally worthless idea?

First, a lot of phishers already host all their own images on their phishing servers -- at least all the "big" ones do. This does not cost the phishers a dime, as they are almost universally only using stolen bandwidth and other hosting services, either paid for with stolen CC's, etc, or better (for them; "worse" for most of us) paid for with real money they have obtained illegally, either from phishing or the multiple other illegal activities they and/or their "business associates" are involved in. The latter is a perfect result for organized crime, as it is a great form of money laundering, "re-investing" ill-gotten gains, no-questions-asked and largely untraceably, in furthering the income earning capacity of other of their illegal activities.

Second, those phishers that don't already host all their own images will quickly change their habits to do so if/when all their common targets start to implement the suggested strategy. The common targets of phishing know this and hence are not at all likely to rush out and re-design their web-presence just to implement this very ineffective "protection".

For example, one of the very few sites I recall hearing of (well, actually noting myself) implementing this, and the only heavily-phished site I'm aware of that has done so, is e-gold.com. I think they did this sometime in August 2006 -- at least I noticed it late that month when investigating the phish at the heart of this:

http://blog.washingtonpost.com/securityfix/2006/08/using_images_to_fight_phishing.html

Within two days, the same phish kit as was on that phishing site was turning up on other sites BUT it had been updated to take account of e-gold.com's "new" referer-checking, including the necessary image files and removing the phishers from any reliance on content dynamically sourced from e-gold.com. I don't have any contacts at e-gold.com, but you can be sure that it took e-gold.com a darn sight longer than two days to conceive, feasibility check, design, implement, test and finally roll out the referer-checking "anti-phishing" fixes on its site.

Sure, Brandon Checketts can do it in a few hours on his "toy" web-site (as per his blog entry), but that just shows how little grip Brandon has on what "scaling in a real-world, multi-national, cross-provider, multiple-business-partner, online business presence scenario" really means...

dave wrote re: A Tour of the Google Blacklist
on 01-05-2007 8:51 PM

please don't tell any more people my business plan. shhh

Jeff Chan wrote re: A Tour of the Google Blacklist
on 01-06-2007 3:45 AM

Michael: Thanks for the analysis of Google's phishing data.  We are looking into filtering and incorporating it into our SURBL phishing list:

 http://www.surbl.org/lists.html#ph

phishcop: While answerbots can be annoying and misused, isn't it possible that Yahoo may want to see message headers in order to more closely analyze the phish?   If someone gave you a phish without the headers, wouldn't you wonder where it came from, when it was sent, etc.  Headers can be very useful.

Nick FitzGerald wrote re: A Tour of the Google Blacklist
on 01-06-2007 4:09 AM

In his "Conclusions", Michael closes with (and I wholeheartedly concur) "When domain name registrars permit cybersquatting and popular websites allow open URL redirection, it is clear that we have a long way to go."

Ironically, Michael -- a self-described (below) "Security Evangelist" and "expert in web application security" -- makes this claim in his blog hosted on his employer's servers.

The irony?

A bad case of beholding the mote that is in thy brother's eye, but considering not the beam that is in thine own.  Look at the URLs for the links back to the commentators' web pages and what do you find?

An open redirector...

Whoops!

adam wrote re: A Tour of the Google Blacklist
on 01-06-2007 8:52 AM

very neat.....i was wondering where google's blocklist was downloaded from :P

But yea, I've been just using opendns.com (they partner with phishtank.com), and they got a lot of the phishing sites blocklisted there ;)

Fruit Helmet Cat wrote re: A Tour of the Google Blacklist
on 01-06-2007 3:14 PM

Dear Michael,

For someone who might be a novice to the web, would you recommend they add the Google Blocklist IPs & domains to say their firewall software blocks?

Jason Hong wrote re: A Tour of the Google Blacklist
on 01-07-2007 12:21 AM

All of you might be interested in this research paper that is about to be published evaluating the effectiveness of various toolbars. Note that I am one of the authors of this paper, and the results show that Google catches around 60-70% of phishing URLs that we sent, but doesn't have any substantial false positives. http://lorrie.cranor.org/pubs/toolbars.html I also just gave a Google TechTalk, so there may be a Google video soon describing all of our work at Carnegie Mellon on anti-phishing. We have also developed a new anti-phishing detection algorithm (ie no blacklists) for web sites that detects 89-97% of phishing web sites (with 1% false positives and 6% false positives respectively, depending on the specific heuristics used). http://cups.cs.cmu.edu/trust.php

Brandon Checketts wrote re: A Tour of the Google Blacklist
on 01-07-2007 1:20 AM

Whoa there Nick.  I never claimed that I was an expert.  I'm a simple web programmer asking a question on a blog.  I'd never seen any discussion about it, and now I have.

In fact, after reading the Washington Post article, I think that the targets may have more to gain by letting the phishers continue to link to their images.   At least that way they can identify the 'unprofessional' phishers and work to shut them down.

Since most phishing attacks end up sending the user back to the legitimate site, I think the idea of checking the referrer at that point against a list of known phishing sites still has some merit.  Even if the referrer is a known redirector, it could still raise some suspicion.

actually gives the target reason to let phishers link to their images directly.  

Phishers would host the images themselves:  Of course they would.  That doesn't mean that the target institutions shouldn't take some measures to protect against it.  

Adding load to their web servers:  These institutions claim to have customer security as a top priority.  
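
Brandon's narrower point, that a target can use the Referer on requests for its own images to learn where its pages have been copied, works best as a detection feed rather than a block. The following is an added example, not any commenter's code: it parses a few constructed Combined Log Format lines and counts static-asset requests per foreign referring host; the first-party host set is an assumption. As Nick notes above, a phisher who copies the images to their own server never appears in this report, so an empty report is silence, not safety.

```python
import re
from urllib.parse import urlsplit

FIRST_PARTY_HOSTS = {"www.example-bank.test", "example-bank.test"}   # assumption
STATIC_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png", ".css")

# Apache/nginx "combined" log: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def referer_class(referer):
    """Return (class, host): 'none', 'unparsable', 'first-party' or 'foreign'."""
    if referer in ("", "-"):
        return "none", None
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return "unparsable", referer
    return ("first-party" if host in FIRST_PARTY_HOSTS else "foreign"), host


def hotlink_report(log_lines):
    """Count requests for our static assets per foreign referring host."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(STATIC_SUFFIXES):
            continue                      # unparsable line or not a static asset
        cls, host = referer_class(m["referer"])
        if cls != "foreign":
            continue                      # our own pages, or no Referer at all
        counts[host] = counts.get(host, 0) + 1
    return counts


SAMPLE_LOG = [   # constructed log lines
    '10.0.0.1 - - [05/Jan/2007:10:00:00 +0000] "GET /img/logo.gif HTTP/1.0" 200 1234 "http://paypal.evilsite.com/login" "Mozilla/4.0"',
    '10.0.0.2 - - [05/Jan/2007:10:00:01 +0000] "GET /img/logo.gif HTTP/1.0" 200 1234 "http://www.example-bank.test/login" "Mozilla/4.0"',
    '10.0.0.1 - - [05/Jan/2007:10:00:02 +0000] "GET /login HTTP/1.0" 200 5678 "http://paypal.evilsite.com/login" "Mozilla/4.0"',
    '10.0.0.3 - - [05/Jan/2007:10:00:03 +0000] "GET /img/header.jpg HTTP/1.0" 200 999 "-" "Mozilla/4.0"',
    '10.0.0.4 - - [05/Jan/2007:10:00:04 +0000] "GET /img/logo.gif HTTP/1.0" 200 1234 "http://paypal.evilsite.com/login" "Mozilla/4.0"',
    '10.0.0.5 - - [05/Jan/2007:10:00:05 +0000] "GET /css/site.css HTTP/1.0" 200 321 "http://81.113.212.146/ebay/" "Mozilla/4.0"',
]


if __name__ == "__main__":
    for host, n in sorted(hotlink_report(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print("%5d  %s" % (n, host))
```

Because the Referer is client-supplied and frequently stripped, the count is a lead for a takedown queue, not evidence; the absent-Referer line above is dropped rather than treated as suspicious for that reason.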

Voki wrote re: A Tour of the Google Blacklist
on 01-07-2007 2:05 PM

Hello Michael !

The excellent analysis! Excellent clause!

About phishing much is already told, but people again become victims of swindlers. I think it will be difficult to kill phishing!

If you are interested in this theme, on my blog it is possible to see a review about 20 000 stolen MySpace passwords: http://shizgara.blogspot.com/2007/01/myspace-20000-passwords.html

I hope you find on my blog something useful and interesting.

Chao.

erik.peterson wrote re: A Tour of the Google Blacklist
on 01-07-2007 4:08 PM

Fruit Helmet Cat - Blocking known phishing sites is a good thing. Keep in mind however that the Google blacklist is far from a definitive site and it does have some false positives.

- michael

Navneet Kaushal wrote re: A Tour of the Google Blacklist
on 01-08-2007 12:25 AM

Great work Michael. Phishers are on the prowl. Usually, they traverse into corporate networking due to P2P communication networks. Yahoo! not doing something about the use of their servers by phishers is surprising though.

Bill Newton Dunn wrote re: A Tour of the Google Blacklist
on 01-08-2007 5:25 AM

Do you have any information - or know where to find it - about WHO the phishers are, and where they work from?

Phishcop Admin wrote re: A Tour of the Google Blacklist
on 01-08-2007 10:43 AM

> phishcop: While answerbots can be annoying and
> misused, isn't it possible that Yahoo may want to
> see message headers in order to more closely
> analyze the phish?   If someone gave you a phish
> without the headers, wouldn't you wonder where
> it came from, when it was sent, etc. Headers can
> be very useful.

I must not have made myself clear.  I was reporting a Yahoo! email address found in the PHP scripts of the phishing site itself.  I sent THAT email address to Yahoo! for them to investigate.  If someone sent me a report that the email address 'joeblow@phishcop.net' was being used to collect phishing data, as owner of the domain, I would simply take a peek at the mailbox for joeblow and easily determine if more investigation were warranted.  If the headers (i.e. subject and amount of email) suggested that the mailbox was likely being used for illegal activity, I would go further into checking the contents of the mail to verify the claim.

The thing is that Yahoo! Customer Support only has so many "canned answers" for replying to complaints, and no one smart enough to actually READ the complaint and try to comprehend it!

Paul McNamara wrote re: A Tour of the Google Blacklist
on 01-08-2007 11:25 AM

I asked Yahoo to address Michael's point: "Why Yahoo! can't catch phishing pages which they host is beyond me."

Here's what the company had to say for itself:

http://www.networkworld.com/community/?q=node/10314  

erik.peterson wrote re: A Tour of the Google Blacklist
on 01-08-2007 12:35 PM

Paul - I'm pleased to see that you challenged Yahoo! on this issue. Unfortunately, the answer that you received is a long winded attempt to say nothing. I agree with your assessment that this is about money. Companies are here to earn a profit and so long as the revenue generated by ignoring the problem exceeds the value of dealing with it, nothing will be done. It's up to us to raise the cost of apathy by ensuring that people are aware of the problem.

- michael

Kevin Mullenex (Cyveillance, Inc) wrote re: A Tour of the Google Blacklist
on 01-09-2007 4:02 AM

Hi Mike:

Great info and blog! Very interesting information with some great questions.

One thing that is clear is that Phishing is not going away and we will see much more of it happen in 2007...... It is my prediction that the social engineering behind Phishing is going to become much more complicated and the URL's/Domains will be even harder to detect in "real time"  and shut down moving forward!

That said, this is a NEVER ENDING fight as Phishing and Pharming will never go away --- it will be a continuous "war against crime" and we all need to work together to try and solve it!

That will mean, that while APWG will continue to work on trying to solve this problem, it is unclear if they can really help solve it and, more importantly, are not focusing on trying to "catch" the folks that are doing this --- in the US or overseas! Doing that will have a better and larger impact on the folks that engage in such activities.

Best,

Kevin

miley wrote re: A Tour of the Google Blacklist
on 01-09-2007 10:46 PM

I find Paul's networkworld explanation of yahoo's response rather silly.  Of course this is about money.  Every hoster, registrar, antispam vendor etc in the world *could* hire millions of people to make a phishing/nonphishing determination of every page it hosts, URL it sees, etc.  Obviously, that would be prohibitively expensive.  Most vendors will try to build automated tools to fight.  This becomes the cat and mouse spammer v antispammer technology game.

There are at least 2 big misses in the article:

1) the blog talks about geocities -- a free hosting service.  The article talks about domain registration, which is not free and has extra information to use (domain name, credit card, subdomain name), and thus should likely have more controls in place. Apples, meet oranges.

2) The pages target yahoo users, thus yahoo will incur more expense in dealing with the compromised users (which has to be expensive).  Yahoo's incentive is to protect their brand the most -- which suggests that this just may be a semi-hard problem. (were the pages written in javascript? Did they have content hidden to the naked eye, but computer parsable? any http://www.jgc.org/tsc/ like tricks?)  

BTW, anyone note when the geo sites were taken down? (See someone said they would notify on Jan 5, and the article did say they were down as of Jan 8, but I don't see any data in between.)

Michael Sutton's Blog wrote Decoding the Google Blacklist
on 01-10-2007 4:21 PM

After publishing last week's blog entitled 'A Tour of the Google Blacklist', I received

FenderB wrote re: A Tour of the Google Blacklist
on 01-23-2007 2:19 PM

Until last week, Google apparently was divulging personal user information via this blacklist. Phishers do not care about user security, so the URLs they were using had usernames and passwords within them. These were then being fed into the blacklist for all to use, and see. This mainly affected the anti-phishing plug-in for Firefox that Google put out. The blacklists are now scrubbed for this sort of information. ;-}
Jayesh wrote re: A Tour of the Google Blacklist
on 01-29-2007 5:32 AM

Nice research !

btw, I find this issue was first reported on the Full Disclosure mailing list by Rajesh Sethumadhavan of xdisclose.com on Jan 02, 2007.

Here is the link,

http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051549.html

David wrote re: A Tour of the Google Blacklist
on 01-29-2007 8:03 AM

Is there a process for getting a site removed from the blacklist? I've found a site that has been blacklisted incorrectly as it is a perfectly innocent ecommerce site.

michalle wrote re: A Tour of the Google Blacklist
on 02-02-2007 9:20 PM

Hello! ;) hey... what mad comments! what do you suppose about it?

Somebody wrote re: A Tour of the Google Blacklist
on 02-02-2007 10:25 PM

You can submit false positives to: www.google.com/safebrowsing/report_error/
Somebodyelse wrote re: A Tour of the Google Blacklist
on 02-05-2007 9:15 AM

The Google technology filters both phishing sites and malware sites.  Some of the apparent false positives may contain malware hosted in a non-obvious fashion and thus be true positives.

Michael Sutton's Blog wrote Phree Phishing
on 02-09-2007 1:27 AM

I recently blogged about the phishing pages that I found during a Tour of the Google Blacklist . In that

Richard Brown wrote re: A Tour of the Google Blacklist
on 05-24-2007 8:52 AM

Unfortunately there is a section of the less well informed who are leaving directories open on servers to allow the easy hosting of such Phishing sites - how do I know? I did it about 6 months ago - most embarrassing and super inconvenient when that particular site was temporarily closed
