Imagine if a Browser Could Stop Phishing at Your Company
Not too long from now, Internet Explorer 7 will be released, incorporating a "phishing filter" using more or less the same capabilities as the Netcraft, Cloudmark and some others. An entry in Microsoft's IEBlog explains much of their anti-phishing strategy. Here are some of the techniques:
• whitelists: The product contains a list of known-good sites, probably stored locally and periodically refreshed. When the user visits one of these sites, the tool just lets it go.
• blacklists: The product contains a list of known-bad sites, and the tool can block the user and report that a known-bad site was accessed.
• heuristics: The page exhibits "phishy" behavior. This is cool stuff: phishing sites typically do a lot of things that are not illegal but indicative of misleading behavior. For example, multiple accesses to graphics on other domains, especially those on a short list of phishing victims like Paypal; also, using anchor tags in which the body of the anchor is in the form of a URL, and the actual target of the link doesn't match the URL in the body.
Many tools also have added techie tools; Netcraft's for example, shows you the actual provider and country of hosting of the site, and how long they have been tracking it. This in itself can be a clue to whether it's a real site or a phish.
So what differentiates the good tools/services from the not-so-good ones? Assuming there are no outright bugs in the programs, I see two main issues: speed and breadth. All of the tools let you report a new phishing site that the tool didn't recognize. I myself have been the first to report about 30 sites to Netcraft. The vendors themselves probably seek out phishing sites however they can. The vendor with the largest collection of sites is a better one. The vendor who investigates reports and updates their database fastest is also better. The vendor who does both is best.
I specifically hope that some central repository of known phishing sites can be set up and maintained securely. This is a tricky thing to do for a number of reasons. First, the vendors may see their database of phishing sites as a competitive advantage and not want to share it. Not being in the business, it's easy for me to say they should all share their data. I therefore declare it to be the right thing to do. (So let it be written, so let it be done.)
But even more exciting, I think that once very large numbers of users are running this software, and especially with aggressive heuristics, phishing sites won't be able to stay up very long without being detected. The numbers of unprotected and oblivious users subject to attack will decrease, and by a lot, I think.
Around year's end when the predictions for future issues came out, vast increases in phishing were a common prediction. I'm not so sure anymore. I think that anti-phishing could make a real dent in the problem.