Dive into the PhishTank

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Opinion: Finally someone is approaching the phishing problem the way it should be approached, but it may be too late to overcome the proprietary impulse of the big guys.

Everybody complains about phishing, but how many of us actually do something about it? Now everyone can.

PhishTank, a new service from the OpenDNS folks, is an open and public phishing database. It finds itself up against several large and wealthy commercial products and services. PhishTank may prove to be a quixotic endeavor, but someone's got to dream the impossible dream.

There have been phishing databases for years. For years my favorite, one of the oldest, was the Netcraft Toolbar which, like all of the other client agents for the databases, is free.

For now there is no client agent for PhishTank—you have to go to the Web site and enter information in a form. But before too long there will be agents in the form of plug-ins for Outlook, Firefox, Internet Explorer and other important browsers and e-mail clients.

This is because of what's really cool and important about PhishTank: It has an open Web services API for accessing the database. The API is young and, according to the PhishTank blog, not quite perfect yet, but it has some intriguing calls, such as a single call to test the contents of an e-mail for whether it's a phish (at least in part by scanning URLs in it to see if they are in the database).

A study indicates that Microsoft's anti-phishing software is the most effective. Click here to read more.

Of course the fact that a site is submitted as a phish doesn't make it a phish, so it isn't listed as a phish until enough users vote for it. The voting is Cloudmark-style, where users themselves develop a reputation and a better reputation gives greater weight to their votes. How do you get good reputation? To the extent that your votes coincide with the judgment of the community, your reputation grows, and vice versa.

The voting system is good because it's fair and effective, but it also makes it imperative that a large community be constantly examining the submissions and voting. The longer it takes for phishing samples to be judged by the community, the longer they are not useful to potential phishing victims. So if PhishTank remains a nonmainstream community, it will remain a nonmainstream community.

That would be a shame. It doesn't help users for the big players in this area to keep their systems closed. Symantec may have a business reason to treat their database as proprietary, but Microsoft doesn't. Microsoft simply has an interest in the best possible protection. They don't need to make money off of security products, they need for computing to be more carefree and secure.

So why shouldn't IE7's Phishing Filter submit phishing candidates into PhishTank and read from it as well? The only real problem with this scenario is that Microsoft has performance requirements that PhishTank is unlikely to meet, but that's the kind of problem you can basically throw money at.

And since IE7 uses heuristics for many judgments, the database would have to take some account of this. It should get some number of points in the evaluation process based on the specific characteristics that got it flagged.

If only big companies would be so civil and logical. But it's probably just a dream.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...