Domain: phishtank.com
Stories and comments across the archive that link to phishtank.com.
Comments · 48
-
Re:Secure works lists no such domain
Yes, where did the editor get: accounts-google.com?
The only thing I could get in the phishtank was this from 2011: https://www.phishtank.com/phis...
-
Here's the list of Google-hosted phishing sites.
One of the things our SiteTruth system does is report on major sites that host phishing scams. There are only 34 such sites today. As it has been for several years now, Google is at the top of the list.
Here's the list of all known phishing sites currently hosted by Google. Scroll down through all that background data about the company to a big block of red "phishtank report (2013-02-01): Phony site reported via PhishTank." lines. Click on the links for a PhishTank report. The raw data comes mostly from PhishTank. Most exploitable hosting services (especially short-URL services) check PhishTank and the APWG list automatically, but not Google.
Google has several vulnerabilities. It's possible to host an attack page not only on Google Sites and Google Docs, but also on Google Spreadsheets. Recently, Google added a new attack vector; there's an open redirector at Google Accounts.
Amusingly, for some, but not all, of these phishing sites, Google's own anti-phishing warning pops up. But the part of Google that generates that blacklist clearly doesn't talk to the part of Google that does hosting.
Here's the oldest phishing site hosted by Google. On line since 2010-12-30. It's one of those "Habbo Coins" phishing pages, probably forgotten by the original attacker, since it forwards to a dead Hotmail account.
When we first started doing this analysis, Google wasn't on the list, because they didn't do hosting. There were about 150 sites listed in 2009. Through improved awareness, nagging and the Anti-Phishing Working Group, we're down to 34 - a few little sites with no clue, ones that just got hit by break-ins, and "bit.ly", which tries to keep up with their abuse problem but is falling behind. MSN, Yahoo, TinyURL, and most of the other big-time victims long ago solved their problems in this area. Google stands alone as a major service with an incompetent abuse department.
-
That's fantastic
Now every script kiddie out there will be able to steal your bitcoins in addition to turning your website into a phishing page.
Do you have any idea how many phishing and malware links have wp-admin, wp-content, or wp-includes in the URL?
Take a look for yourself at Phishtank.com!
-
Google needs to clean up their own act first.
Here's our current list of major domains being exploited by active phishing scams. Notice who's at the top of the list. Google.
We've been generating that list for years. It's based on PhishTank data, updated every 3 hours, and uses Open Directory to decide if a site is "major". 46 domains are on the list today. 9 have been on the list since 2011 or earlier. One has been on the list since 2010 - Google. Google is the last free hosting service unable to clean up their phishing problem. MSN, Yahoo, and various free hosting services have been successful at aggressively cleaning up phishing problems, and haven't been on this list, other than briefly, for years.
Here's the oldest phishing attack hosted by Google, up since 2010: "Free Habbo Coins. Email your username and password to..."
For years, Google didn't realize that Google Spreadsheets could be used to host phishing sites. They finally caught on, and there's now a "report abuse" button on spreadsheets. Most, but not all, of the spreadsheet-hosted phishing sites have been taken down.
If anybody from Google is reading this, go over to your abuse department and apply a clue stick. It should embarrass someone that Google is the most clueless free hosting provider in the world about phishing.
-
Re:Unblockable servers
shouldn't block gmail/yahoo/hotmail or other big mail servers.
It's useful to have a penalty in your spam filter for free email services. Google's inbound spam filtering is good. Outbound spam filtering, not so much.
Related to this, the use of free hosting services as spam targets continues. Google spreadsheets, of all things, are widely used to support phishing scams. Here's a "Microsoft Webmail Activation Form" embedded in a Google spreadsheet. Because the related phishing emails contain a Google URL, they tend not to be tagged as spam by spam filters. The strange thing about that example (one of 124 such in PhishTank today) is that Google's spam blocking, as used by Firefox, knows that's a phishing page. The anti-phishing part of Google isn't talking to their own abuse department.
We've been tracking this at SiteTruth for years. The Google spreadsheet scam is less than a year old, and is now the most popular attack we see. Some free hosting services (mostly "t35.com", "piczo.com", "webs.com") still get hit, but Google is now #1.
Basic truth: if you offer free hosting or free URL redirection, you must have an automatic cross-check with phishing data sources like PhishTank and the APWG, or you will be pwned by phishers. Free hosting includes spreadsheets, forms, and polls. If the user can put HTML into it, it can be used for phishing.
-
It's tough. Try telling Google something.
I've been trying to get Google to fix this phishing page for months.
Someone discovered a neat hack - they can store a phishing page in Google Storage, and link to it from Google Sites. Google's abuse system doesn't comprehend that you can leverage an attack through Google Storage, so there's no way to get that phishing page taken down.
(The basic problem is that if you offer free hosting or URL redirection, and don't validate your users, you will be used to host attacks. "TinyURL" is good at catching this. "bit.ly", not so much. "t35.com" (free hosting) works hard to kick the phishers off manually, but their abuse guy gets a week or two behind at times. "piczo.com" (blog hosting for teenage girls) doesn't seem to try very hard, and phishing pages stay live there for months. We track this automatically, so we get to watch the major sites throw out the trash. Major sites that don't automate phishing and hostile code detection, constantly reading the PhishTank and APWG lists to see if one of their pages made the list, get pwned regularly.)
-
Holes in Google malware detection
There's been considerable improvement. Google still has some holes in dealing with "malware", phishing, etc. But these are mostly obscure tricks used to get around Google's malware reporting. You can report the sites below over and over, but nothing happens, because Google's reporting system doesn't understand that these Google features are exploitable.
- Phony login site hosted on Google Spreadsheets. Yes, you can put a web page into a spreadsheet, and it doesn't seem to be checked for hostile code. Reported to PhishTank on February 19, 2010, and still up.
- Phony login site hosted on Google Groups. Try the "download" link there, and you'll get the phony login page, which seems to be hosted by Google Storage. Somebody figured out that they could store an HTML phishing page in Google Storage and make it publicly visible. Reported to PhishTank on February 13, 2020, and still up.
I'm pleased to notice that, at last, Google is no longer running ads for software for spamming Craigslist. Search for "craigslist auto poster tool". There used to be ads for programs for spamming Craigslist, and some of them even accepted payment through Google Checkout. (That last could lead to legal problems, since Google was not only advertising a legally questionable product, but taking a cut of the revenue.) That seems to have stopped. There are still ads for offshored services which manually spam Craigslist.
-
Please sue these Blizzard
I try to be nice and keep on reporting phishes regarding WoW for weeks now; it has become kind of absurd, as they are actually buying domains which contain their trademark and serving phishes for days.
Look at the live phishes (means, please don't go to them) right now, which are "online".
http://www.phishtank.com/target_search.php?target_id=88&valid=All&active=y&Search=Search
These are the WoW phishing pages. Some very known hosting companies (not some garage guys) are also being used. I think if Blizzard spends time/money to use one of them, admins will magically start caring.
BTW WoW is the only game which has its own category next to banks on phishtank; this seems to be a huge, organized thing. The pattern is always the same and some really advanced tricks are being used, it is not some "let's hack a guy's images directory and put a cgi in it" thing.
-
Abusing Google Storage for phishing?
I wonder if Google Storage can be abused as a way to host phishing pages?
There's a phishing page that's been on Google Sites since February. Google is good about kicking off most phishing pages, but this one is different. Here's the phishing page as a web page. The actual hostile page (which is a bogus login page for Stickam) is on the "Click here to download your attachment". The actual url is http://2699962600425641406-a-1802744773732722657-s-sites.googlegroups.com/site/stickamcomlogindo/login.html?attachauth=ANoY7cpc6fembideFQyYULstnVDU-XMkgwzNLFkUv77Suh8bUq_LGrFRQ-RtLkw6pEPJb5Vk0XW4JMbOVQtqT_R6CjNCh5N2r29quoFkE5Cq1XQXUFhuegVtr4kQUMN9T3dT3yO1q-FthiahDl45UqMmFfD6gKSYwQP4bsgVoM-N5cQN0hHRvDZskuvmTdy0lqnQqUhmKFYP&attredirects=0. That's probably a page in Google Storage.
This raises the question of whether Google should be running hostile-code checks on publicly-accessible Google Storage pages.
-
Getting their attention
It's hard getting the attention of some vendors. I see vulnerabilities in a slightly different context - hacked web sites hosting phishing pages. We distribute a list of major domains being exploited by active phishing scams. This is obtained by processing PhishTank data, and we do this because we want to reduce the collateral damage from a tough blacklist system. At any given time, there are about 30 to 80 domains on the list.
Some sites get themselves off the list quickly. By now, most of the better free hosting services and short-URL services are automatically checking PhishTank and the APWG blacklist to see when they've been hit. Today, if you run a service where anybody can put up a page that could be used for phishing (i.e. it's not full of your own headers and banners), you need automation to deal with attacks. I've been in contact with the abuse guy at "t35.com", which is a free hosting service. They've recently been hit by a flood of phishing attacks, with several hundred new reports in PhishTank per day. The attacks were coming in faster than the abuse guy could clean them out. They're now gaining on the problem, but haven't squashed it yet. Take-away lesson: automate this.
The ones near the top of the list have been there for a while. Note the dates, which are the date that the oldest phishing report still online and active appeared in PhishTank. Some just need help. Typically, these are small organizations like churches and nonprofits that have had a break-in and were partially taken over by a phishing site. I send them the Anti-Phishing Working Group's "What To Do if your Site Has Been Hacked". Sometimes I give them a phone call. They deserve sympathy.
Then there are the hard cases. These are sites with no visible contact address, or a clueless abuse department. At the moment, Google Sites and Google Spreadsheets are being used for phishing. Google is new to the free hosting business, and the phishers have discovered some tricks that Google can't yet handle. While Google puts a "report abuse" link on their site pages, it's possible to set up a file for downloading on Google Sites, and an HTML page can be served that way, without Google's abuse checking. There's also an exploit of Google Spreadsheets. That one is an example of Habbo Hotel phishing. We've reported these to Google several times, but they haven't been fixed yet.
We've been seeing a new type of attack recently - a phishing operation breaks into a shared hosting server and plants phishing pages on multiple domains on a single server. One of these hit one of the mysterious "*.websitewelcome.com" servers, which has "cloaked domain registration" and no useful default web page. These seem to be associated with "ThePlanet.com", but whether ThePlanet operates them, is providing wholesale hosting, is providing colocation, or is just the upstream connectivity provider is not clear.
Hiding the contact information of a hosting provider is legally unwise. The hosting provider may lose the "safe harbor" protection of the the DMCA. The "safe harbor" provision for "Information Residing on Systems or Networks At Direction of Users" only applies if "the service provider has designated an agent to receive notifications of claimed infringement... by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information: the name, address, phone number, and electronic mail address of the agent." So when the RIAA or the MPAA come calling, a likely event for a hosting service, they get
-
Taking a harder line on phishing-friendly sites
On the phishing front, it's useful to stop blaming the end user, and blame the site that hosted the phishing page.
For some time, I've encouraged taking a harder line on phishing-friendly sites, sites that host phishing pages. I had a paper on this at the 2008 MIT Spam Conference. At SiteTruth, we take the position that one phishing page blacklists the whole second-level domain. Here's the current list of major domains being exploited by active phishing scams.
The free hosting sites and the "short URL" sites show up on the blacklist regularly. After much nagging and some press coverage, most of them are now very aggressive about kicking off phishing pages, and they don't stay on for long. The better ones now read PhishTank and the APWG blacklist automatically and kick off anything that shows up. Currently, Google is in the doghouse, because they've recently entered the "free hosting business" without adequate phishing defenses. See this abuse of Google Spreadsheets.
At the moment, "t35.com", a free hosting service, is the site most abused in this way, by a large margin. I've contacted their people. The problem is that they're being attacked by a program, and they're cleaning up by hand. Right now, they're hosting 545 known phishing pages. Nobody else is even in double digits. "piczo.com" (a social network/free hosting service for teenage girls) was the last big victim, but they're gradually getting the problem under control.
A Draconian blacklisting policy may seem harsh, but it encourages site operators of easily-exploited sites to be very aggressive about dealing with the problem. We're seeing more free hosting sites with a "click here if this is abuse" button on every page. The number of people who have to be educated to deal with the problem in this way is in the hundreds, not the hundreds of millions. So it's a solvable problem.
If you're going to blame the victim, this is the way to go at it.
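Two mechanical points recur in this thread: a hosting or short-URL service has to cross-check its own domains against PhishTank and APWG data automatically rather than by hand, and the SiteTruth list treats one active phishing page as blacklisting the whole second-level domain, ordered by the oldest report still online. The block below is an added example showing both; it is not SiteTruth's or PhishTank's own code. It assumes a feed in the shape of PhishTank's public online-valid.json (fields phish_id, url, verified, online, submission_time), uses constructed sample records rather than real reports, substitutes a hand-written public-suffix subset for the real Public Suffix List, and uses a hypothetical hosting provider, example-host.com, as the service checking itself.

```python
"""Added example: cross-check a hosting provider's domains against a
PhishTank-style feed, and reduce live phish URLs to registrable domains.

Assumptions (not from the original page):
  * feed layout mirrors PhishTank's online-valid.json
  * SAMPLE_FEED is constructed test data, not real reports
  * PUBLIC_SUFFIXES is a tiny subset; load the real Public Suffix List
    in production
"""
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample feed in the assumed PhishTank JSON shape.
SAMPLE_FEED = json.dumps([
    {"phish_id": 1, "url": "http://sites.example-host.com/site/acct-verify/login.html",
     "verified": "yes", "online": "yes", "submission_time": "2010-02-19T09:12:00+00:00"},
    {"phish_id": 2, "url": "https://spreadsheets.example-host.com/viewform?key=abc",
     "verified": "yes", "online": "yes", "submission_time": "2010-02-13T21:40:00+00:00"},
    {"phish_id": 3, "url": "http://habbo-coins.free.example.co.uk/index.php",
     "verified": "yes", "online": "no", "submission_time": "2009-12-30T04:01:00+00:00"},
    {"phish_id": 4, "url": "http://bank.example.net:8080/~user/signin/",
     "verified": "no", "online": "yes", "submission_time": "2010-03-01T12:00:00+00:00"},
])

# Hand-written public-suffix subset (assumption; the real list is much larger).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "ac.kr"}


def registrable_domain(host):
    """Reduce a hostname to its registrable (second-level) domain using the
    suffix table: 'a.b.example.co.uk' -> 'example.co.uk'.  Grouping on the
    last label alone would lump every co.uk site together."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])  # fallback when no known suffix matches


def load_active_phish(feed_json, require_verified=True):
    """Return (phish_id, host, registrable domain, submission time) for
    entries the feed marks online (and verified, by default)."""
    out = []
    for rec in json.loads(feed_json):
        if rec.get("online") != "yes":
            continue
        if require_verified and rec.get("verified") != "yes":
            continue
        host = urlsplit(rec["url"]).hostname  # drops port and userinfo
        if not host:
            continue  # malformed URL, skip rather than crash the refresh
        submitted = datetime.fromisoformat(rec["submission_time"])
        out.append((rec["phish_id"], host, registrable_domain(host), submitted))
    return out


def hosted_on(entries, provider_suffixes):
    """Entries whose host sits under one of the provider's own hosting
    domains: the check a free-hosting or short-URL service should run on
    every feed refresh to learn it has been hit."""
    return [e for e in entries
            if any(e[1] == s or e[1].endswith("." + s) for s in provider_suffixes)]


def blacklist_domains(entries):
    """One active phish blacklists the whole registrable domain.  Returns
    {domain: (oldest submission still online, [phish ids])}, oldest first,
    so long-standing victims sort to the top of the list."""
    table = {}
    for phish_id, _host, dom, submitted in entries:
        oldest, ids = table.get(dom, (submitted, []))
        table[dom] = (min(oldest, submitted), ids + [phish_id])
    return dict(sorted(table.items(), key=lambda kv: kv[1][0]))


if __name__ == "__main__":
    active = load_active_phish(SAMPLE_FEED)
    for e in hosted_on(active, ["example-host.com"]):
        print("our hosting is serving phish #%d at %s" % (e[0], e[1]))
    for dom, (oldest, ids) in blacklist_domains(active).items():
        print(dom, "since", oldest.date(), "reports", ids)
```

Run it against a fresh feed download on the same cadence the list above uses (every few hours). Any result from hosted_on means your own service is currently on the list and the page should be pulled; the require_verified flag decides whether unverified community submissions count, which trades faster takedown against false positives. Entry 4 in the sample shows the port being stripped before the domain is reduced, which matters for break-ins that serve on port 8080.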
-
OpenDNS
I've added that specific page and domain to the Phishtank, causing the page to appear in the first place. ( http://www.phishtank.com/user.php?username=alexanderpas ) Probably they used some kind of exploit to bypass the attack warning. The best way is not to rely only on your browser for protection, but to take a multilayered approach, for example using OpenDNS, ensuring the request doesn't even hit the DNS system.
-
I really hope they thought about it, a long time
I hate posting 2 line messages but if you look at http://www.phishtank.com/ , where the data is community-provided, validated and open, I have real bad feelings about the upcoming API. Hopefully they don't trust the general public to know what an API is while they keep clicking the links on spam mails they get.
-
Popular with phishers
Geocities was very popular with phishers who needed hosting on a domain too popular to blacklist. We maintain a list of major domains being exploited by active phishing scams, and Geocities is in the #2 position for length of time on the list. Over the last few months, the number of phishing sites hosted on Geocities has slowly declined. Today, on Geocities' last day, there is only one left.
With Geocities out of action, Piczo.com (hosting/social networking for teens) and Fortunecity.com (general-purpose free hosting) become the top hosting services favored by phishers. Most of the Piczo phishing sites seem to be aimed at getting Habbo login credentials. There is apparently a whole racket which breaks into Habbo accounts to steal virtual furniture.
(We finally have all the big players off that list. When we started, Yahoo, Microsoft, Google, and eBay were all on that list. They've all been fixed. The "short URL" sites are now all very aggressive about killing off phishing links; they don't want to get on spam blacklists. Most of the remaining sites on the list are modest sites run by people who have no idea what's going on with their site. The oldest entry on that list, hoseo.ac.kr, is a Korean university. Someone broke into their email system last year and put a phishing site on port 8080. Their webmaster mailbox is full, but we've tried to reach them by other means and may eventually reach someone with a clue.)
-
Re:Google needs to clean up their own act first.
An ordinary scam (like the Habbo one listed above) is different from a phishing attack (which requires that the attacker impersonates another entity).
PhishTank calls it a phishing scam. We follow their data.
-
He didn't do his research.
I followed the same steps as outlined in TFA: download the verified online phishing list, pick a few URLs and load each into MobileSafari.
The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit, and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google).
So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.
-
Google isn't the only thing for anti phishing
It is amazing that people started to think "It is Google or nobody else".
Here, OpenDNS operated, community powered and completely open/free: http://phishtanksitechecker.com/ http://www.phishtank.com/ (supports down to FF 1! and Seamonkey)
In fact, one can even plug phishtank to a terminal browser, the entire API is open.
Also the famous FreeBSD portal :)
Netcraft's professional alternative (compared to pure community): http://toolbar.netcraft.com/ (Netcraft toolbar). On Windows, there are way more advanced, payware solutions available which will even do heuristic analysis rather than a simple database comparison. They don't even care which browser or thing you clicked the link on.
-
Re:How is this useful for law-abiding citizens?
Already stolen but the data is already known to be stolen. A big difference.
A good way to get the FBI to come to your house in 10 minutes is using a documented/stolen credit card on a major online site. ;)
Law abiding citizens should use a browser/extension which alerts when they visit a phishing site, cough up $10 or opt in for free to a "pseudo-random password generator" which will totally make the entire concept of stealing passwords useless. Please check http://www.phishtank.com/ , people spend their free time verifying and submitting phishes for free. Look at those amazingly stupid URLs.
That is a professional oriented site and even technical users keep telling the law abiding citizens the above, a thousand times. The problem is, they don't listen. So I think the guy didn't bother.
-
Statistics for phishing domains are different.
SiteAdvisor is basically an anti-virus program connected to a web spider; it downloads pages and looks for hostile code. This is valuable as a firewall feature, but it doesn't say much about whether a domain is worth visiting.
PhishTank has a list of sites currently involved in phishing scams. Let's take a look at that. At SiteTruth, we have historical PhishTank data in a database, with 40997 phishing attacks recorded. So when we ask the right question (which is "SELECT SUBSTRING_INDEX(domain,".",-1) AS tld, COUNT(*) as cnt FROM domainnegatives GROUP BY SUBSTRING_INDEX(domain,".",-1) ORDER BY cnt DESC LIMIT 20;"), we get
- "com",16284
- "cn",3787
- "net",2866
- "tw",2715
- "hk",2398
- "ru",1065
- "org",844
- "fr",797
- "uk",720
- "ph",599
- "kg",599
- "info",497
- "it",495
- "de",463
- "br",310
- "ch",303
- "us",282
- "pl",282
- "jp",279
- "at",270
Here, "com" is by far the most popular TLD with phishers. This reflects the desires by phishers to have a plausible-looking domain name. Some phishers, the ones who register domains in bulk, do pick rather bogus-looking domains (like "0001fyg0.com" "00039cscsgrjc.com" "0003s6tw0wqf70l.com" "0003ureb.com" "0004ssen.com" "0004y1x9.com" "00062lku1ekaj.com"). Others have more plausible choices, (like "americaonllinebank.com").
Top-level domain statistics are more of a curiosity than anything else. They don't help you avoid or deal with attacks. We could generate many other similar statistics, and we've posted some on the SiteTruth blog.
-
Re:Kevin Hazard? Was JUST speaking 2 his subadmins
I was just speaking with Mark Causa, a forums admin of his, this weekend in fact!
(Kevin Hazard's their "SUPER ADMIN" in fact).
(It was in regards to an "IPS Driver Error" I was CONSTANTLY seeing on a posting of mine there, in an attempt to update/edit it, on THEPLANET's forums (in regards to securing Windows))...
WoW! I was trying to point them to security issues too... & they were VERY helpful guys too, trying to help ME out (& going overboard imo in some ways)
I was also today, in fact, prior to seeing this - going to note they were being listed as a site that had problems with hacker/cracker types abusing them as well, per one of these sites:
http://www.castlecops.com/
http://mtc.sri.com/
http://www.spamhaus.org/sbl/latest.lasso
http://www.phishtank.com/
(or, one of the numerous others I look @ daily, like SANS, PacketStorm, etc.)
They were listing theplanet as being abused etc. the past few weeks now in fact, by hacker/cracker/spammer types.
APK
P.S.=> I doubt this is due to "hacker/crackers" though, personally... just bad setup in the server room! apk
-
Re:Too late, CTO should resign
"Well here are facts. One of least popular (if popular at all) extensions for firefox is the EV certificate thing. They (Verisign) couldn't even make it work right."
That's my point, few people are going to install extensions, and even fewer will do it for security extensions; that's why this sort of thing has to come by default.
"Phishing prevention is one thing, selling your soul to Google and send them every single URL (including the page part) you visit is another."
True, but PayPal haven't said you have to sell your soul to Google. Hell, I quite liked the FF2 method of downloading a list; do that regularly with diffs and you don't really need to send anybody your URLs.
"There are Paypal phishing pages which are up for DAYS as you can see from http://www.phishtank.com/ which they (as they are mega corp) can call the countries police chief directly from his home phone and get site raided."
True, but some sites can be unknowingly infected, others can be in strange jurisdictions; it's a lot harder to catch them than it is to try and stop people getting caught in the first place. OFC PayPal SHOULD go after them, but they're a company and it's just not worth it. :(
"Also, another fact: Never, ever call a system default browser insecure if you are CTO of a high profile company like Paypal."
Why not? Jobs thinks it's fine to show other operating systems with a BSOD, even non-Windows systems. If Jobs is calling other systems unstable, why should everybody suck up to Mac? Also, it was only due to a whitepaper that actually got read that it came up; they didn't go out of their way to slag off Safari, it's just insecure. I don't see anybody from KDE or GNOME complaining.
"Get the damned source from www.webkit.org , code and mail/call Apple 'We think Safari would be better with EV certificate checking, here is the code you can review internally.'"
Why would they want to look at WebKit? This isn't to do with rendering pages, this is all about the closed source Safari part; the UI and lack of anti-phishing features can be provided by WebKit AFAIK.
-
Re:Too late, CTO should resign
Well here are facts. One of the least popular (if popular at all) extensions for Firefox is the EV certificate thing. They (Verisign) couldn't even make it work right. Phishing prevention is one thing, selling your soul to Google and sending them every single URL (including the page part) you visit is another. There are Paypal phishing pages which are up for DAYS as you can see from http://www.phishtank.com/ , which they (as they are a mega corp) can call the country's police chief directly on his home phone and get the site raided. If you get thousands of dollars stolen from your PayPal-recorded CC (never do it!) your support mail ends up with some typing/template monkey in Bangalore.
Also, another fact: Never, ever call a system default browser insecure if you are CTO of a high profile company like Paypal. Get the damned source from www.webkit.org , code it and mail/call Apple: "We think Safari would be better with EV certificate checking, here is the code you can review internally."
-
Re:Too late, CTO should resign
Oh noes, a bunch of fanboys rushed to irrationally hate a company for putting out a whitepaper then implementing sane security measures. Quick, resign! In fact the whole company should go bankrupt, hell they should go bankrupt then kill themselves for what they've done.
OH, right, it's just 5% of 5%. I'm tempted to start using PayPal, only if they ban Safari, just to keep Mac fanboys crying.
"EV matters? How much it cost to a commercial site at size of Paypal? Does Paypal feel their consumers are insecure instead of using FREE data from community powered services like http://www.phishtank.com/ ?"
"Post a job listing for Cocoa/Carbon, Objective C developer. Cough some money and distribute your plugin. Don't use "No XUL" as excuse, it is easy to watch current URL on Safari. ICQ from 2003 can still read it."
To the 5% of the users that know how to install plugins, that's great, but the fact is that unless it's done by default, phishing victims won't install it.
-
Too late, CTO should resign
I invite you to check the Macworld discussion at
http://forums.macworld.com/thread/98919?tstart=0
I have never seen a thing like that. The Macintosh community hates them so much after that disastrous, stupid statement that I STILL get new message alerts after 2 months as people keep commenting on how stupid they are: Verisign bribed them, MS lapdog, eBay is a scam.
This is an OS that loads ocspd on startup to check the SSL certs at core OS level:
Apr 22 09:07:29 quad /usr/sbin/ocspd[1735]: starting (system.log)
EV matters? How much does it cost a commercial site the size of Paypal? Does Paypal feel their consumers are insecure instead of using FREE data from community powered services like http://www.phishtank.com/ ?
Post a job listing for Cocoa/Carbon, Objective C developer. Cough up some money and distribute your plugin. Don't use "No XUL" as an excuse; it is easy to watch the current URL on Safari. ICQ from 2003 can still read it. -
Monetizing the bottom feeders
I hope Google really does this. They need to, to restore their "don't be evil" reputation. Arguably, Google went over to the dark side when they started offering domain parking. "Maximize revenue on your parked pages with Google AdSense for domains", they advertise. (Insert Darth Vader quote here.)
"Domain tasting" is a drain on the anti-fraud systems of the Internet. All those domain changes help conceal phishing attacks, many of which involve buying domains with stolen credit cards and exploiting them before the credit card transaction is reversed. Blacklist systems like McAfee SiteAdvisor and PhishTank are always running behind the domain changes.
We rate sites at SiteTruth, and all those domain changes are a headache for us. I'm considering taking the position that all domains less than 30 days old are junk, unless they have a good SSL certificate. Is that too severe, or a good idea? Comments?
-
The major sites contributing to the problem
From the article:
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers.
In practice, only a small minority of "legitimate Web sites or services" are "infection point providers". We have a little list. Right now, there are 166 major sites known to be providing material support to phishing attacks. There were 171 when The Register covered this last week, so publicity is having some effect. Most sites on the list only stay there for a few days, until somebody fixes the problem. A few sites stay on the list, and may need a clue stick applied.
These are exploits of open redirectors, DSL lines with zombies, sites that let hostile content be uploaded (uploading a hostile ".swf" file to Photobucket, for example), and out and out break-ins. These aren't sites that are cooperating with phishers; they're innocent, but often clueless, victims.
We blacklist the entire second-level domain if there's any phishing activity anywhere in the domain. This is far more effective than blacklisting by URL. Phishing sites change URLs and subdomains constantly now, so blacklisting by URL is as useless as virus scanning by signature. Yes, there's some collateral damage. It's all to sites on that list. We make the list public, and provide links to the actual phishing information (which is from PhishTank), so major sites can fix their problems.
This part of the problem can be fixed. It just takes a hard-line approach.
-
There are already systems like this.
McAfee's SiteAdvisor already looks for malware available from web pages, downloading everything that might be a threat and running it in a virtual Windows machine with Internet Explorer. SiteAdvisor does the work themselves; they're not trying to get people to work for them for free. Google already had something like that, although not as good. Allowing users to add to the machine-generated lists is useful, but not a big deal.
Besides, why work for Google for free? If you're going to report phishing sites, report them to PhishTank, where the list is open and free. Harmful software should be reported to StopBadware, which, again, has public data.
Remember Google's scheme for getting people to photograph businesses and send the pictures to Google? Whatever happened to that?
-
That's just one of many "open redirectors"
There are "open redirectors" on many major sites, including Google, AOL, eBay, and Microsoft Live. (Yahoo plugged their hole by giving their open redirector its own, easily blockable, domain.) We mentioned this on Slashdot a few days ago, and someone immediately followed up by using the Google exploit to get through Slashdot's filters.
These open redirectors are regularly exploited by phishing scams. People report them to PhishTank, and over at SiteTruth, we tie them back to the domain responsible and fix blame. PhishTank is too nice about this. They just blacklist the phishing URL. That stopped working a few months back, when phishers started generating random URLs and subdomains for each e-mail. We down-rate the whole base domain.
It's time to take a hard line on this. The Internet used to tolerate open mail relays, which were a nice feature until spammers started exploiting them. Now they're routinely blocked. Open redirectors now need similar treatment.
Beyond simple URL redirectors are exploits of JavaScript redirectors. Efforts are underway to detect and block those.
-
Google hole that allows a similar attack
There's a related hole in Google Maps, an "open redirector", that allows this exploit. Here's an example:
Caution - hostile URL. Close the page displayed; don't click on anything on it.
Note that it fools Slashdot, and most link scanners in spam filters, into accepting the URL as leading to "google.com". But, in fact, it redirects to the "malware-scan.com" hostile site, which will try to install an Active-X control.
We've been finding attacks like this with SiteTruth, by using PhishTank information to down-rate sites that have open redirectors. We've found open redirectors on Google and AOL. They're actively being exploited.
So we're currently down-rating Google and AOL. It may seem drastic to downrate an entire major site because they have a few "minor" exploits. PhishTank itself only blacklists specific hostile URLs. But that's no longer enough. Most modern phishing attacks use a unique URL, and often a unique subdomain, for each user attacked. SiteTruth thus takes a harder line. If a domain hosts something one of the data sources says is an attack, it downrates the whole domain automatically.
It's within the power of the site operator to close such security holes. We encourage them to do so.
-
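A link-scanner check of the kind the two open-redirector comments above say spam filters lack, as an added example that is not SiteTruth's, PhishTank's or Slashdot's code: it looks past the outer hostname for an absolute URL carried in the query string and holds the redirecting host responsible. All hostnames and links are constructed; no real redirector endpoint is used.

```python
"""Spot links that smuggle a second URL through a redirector's query string.

Added example, not SiteTruth's, PhishTank's or Slashdot's filter code. All
hostnames are constructed: maps.example.com and redir.example.com stand in
for any site with an open redirector, bad.example for the hostile destination.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample links as a spam filter's link scanner would see them.
SAMPLE_LINKS = [
    "https://maps.example.com/maps?q=http://bad.example/scan.exe",
    "https://redir.example.com/go?url=http%3A%2F%2Fbad.example%2Fphish",
    "https://www.example.com/search?q=cheap+flights",
    "https://www.example.com/about",
]


def embedded_destinations(url: str) -> list:
    """Return hostnames of absolute URLs found inside the query string.

    parse_qsl percent-decodes values, so an encoded "http%3A%2F%2F..." is
    recognised as well as a plain one. A scanner that only inspects the
    outer hostname sees maps.example.com here and waves the link through.
    """
    outer = urlsplit(url)
    found = []
    for _, value in parse_qsl(outer.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            inner_host = urlsplit(value).hostname
            if inner_host and inner_host != outer.hostname:
                found.append(inner_host)
    return found


def classify(url: str, blocked_hosts) -> tuple:
    """Verdict for a link plus the host held responsible for it.

    The outer host is returned in every case, so a site whose redirector
    is being abused is the one that gets the mark against it, as the
    comments argue, rather than only the throwaway destination.
    """
    outer_host = urlsplit(url).hostname or ""
    inner = embedded_destinations(url)
    if any(host in blocked_hosts for host in inner):
        return "block", outer_host
    if inner:
        return "suspect", outer_host
    return "allow", outer_host


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link, {"bad.example"}), link)
```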
Re:No, I didn't RTFA..
Think about this: a human operator can generally tell spam from non-spam with 100% accuracy and zero false positives.
-1, wrong.
If humans could tell spam from ham, spam wouldn't be a problem because it wouldn't exist. Spam advertising wouldn't result in a single sale. No stock prices would change as a result of spam-based pump and dump schemes. Nobody would fall for phishing attacks. But because spam does sell products, and stock prices do change as a result of spam, and people constantly enter their PINs into 0wned servers because a phish speared them, we know that great numbers of human operators cannot successfully identify spam.
What is and isn't spam is not a machine based problem, it's a human categorization problem. And machines are still bad at it.
Cognitive pattern recognition is still definitely not a solved problem, despite many advances in the field. Look at the Department of Homeland Security facial recognition scanners they've been testing in airports: 30% accuracy in tests, no actual terrorists caught, high false positive rates, and fooled with little effort. Look at CAPTCHAs, which are quite effective at protecting low-value targets from automated attacks. Or look at Phishtank which has acknowledged that machine recognition doesn't work and is using volunteer humans to solve the problem.
Remember that spam is a numbers game: if 99% of people can identify spam, then it makes sense that filters that are as good as humans might be able to decrease 99% of the spam. But all a spammer has to do is identify the characteristics that allowed the 1% of spam to get through, and evolve the rest of their spam to use whatever worked at bypassing the filters. Any automated large-scale "solution" to spam is going to fail because of this evolution. At some point spam filters become too sensitive, incorrectly blocking valid email messages and causing user complaints. And we've already reached this point.
As I said in another post, personal spam filters can be quite effective, as long as they're not distributed widely. A spammer won't bother trying to get past your personal filter -- 99% of the people don't have spam filters, so his spam will reach his target audience. But if your filter is sold to ISPs, the "evolutionary pressure" of dodging the commercial filters will result in the spam dodging your own personal filters, making your filters less and less effective as time progresses.
The only 100% answer to spam is new email protocols with perfectly secured end-user machines that prevent zombies from sending spam. When both of those things are rolled out to every machine on the internet, spam will be a "solved" problem. Until then, everything that is proposed to "solve" the problem is at best a temporary stopgap that will not long endure.
-
Wow, just wow...
This is a *really* bad submission. It's wrong on so many fronts.
- As others have pointed out, there's nothing innately wrong with using Google for antiphishing. They have a large userbase, and can easily detect a mass of users flocking to a really sketchy site. Would it be a huge deal if they plugged into PhishTank?
- The submission does reflect this, but the feature isn't on by default. Instead, Firefox appears to use a static master black list that it redownloads periodically.
- I can't trigger it now, but I'm pretty sure that you're asked to confirm when you select Google that you're aware of the URL sending and other various privacy implications. The user will not be uninformed when they make this choice.
- The feature is already present in Firefox 2. It is not new to Firefox 3. It's been well publicized before, and there haven't been any major problems since.
-
How aggressive do you want rating systems to be?
How aggressive should systems be about downgrading ratings for web sites? We've been struggling with this for SiteTruth. In addition to SiteTruth's main function, checking business identity, we have some basic phishing checks. We download the PhishTank database every few hours. PhishTank has lists of bad URLs, but now that the smarter phishing sites change URL and even subdomain in each spam e-mail, blocking by URL is no longer effective. So we now flag the entire base domain.
This can have broad effects. Right now, we're blacklisting all of AOL (SiteTruth report) and all of "live.com" (SiteTruth report). Both AOL and Microsoft Live have redirectors which are being actively exploited by phishing sites. We can't tell their safe URLs from their unsafe URLs, so we have to blacklist the whole domain.
When a site with an open redirector plugs the hole, PhishTank will downgrade those "active phishes" to inactive. We'll then pick that up and rerate them within hours. But until they do, they're in the tank. The whole site.
Too harsh? Realistic? Evolution in action? Comments?
-
Re:Who's gonna pay for that?
-
I wonder if it is related
There was an explosion of Italian-bank-targeting phishing sites reported to http://phishtank.com/ , which I remember contacting an admin friend about to ask what the heck was going on.
I wonder if it is related to this one. -
Blacklists don't work any more.
Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.
PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.
It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.
The hard line approach is to implement something that prevents putting credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one of those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.
We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.
"On the Internet, no one knows if you're a dog" just isn't good enough any more.
-
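The whole-base-domain rule this comment and the "How aggressive do you want rating systems to be?" comment above describe, as an added example that is not SiteTruth's or PhishTank's code: it collapses feed entries onto their registrable domain, so a session-NNN subdomain nobody has reported yet is caught automatically. The feed entries and the public-suffix subset are constructed, with hostnames modelled on those quoted in the comment.

```python
"""Collapse PhishTank-style URL reports onto registrable (base) domains.

Added example, not SiteTruth's or PhishTank's code. Feed entries and the
public-suffix subset below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the public suffix list. A real deployment loads the
# full list so that multi-label suffixes such as "co.uk" collapse correctly.
PUBLIC_SUFFIXES = {"com", "io", "tw", "net", "org", "co.uk"}

# Constructed feed in the shape of a PhishTank export: (url, status).
# Hostnames follow the session-NNN.nationalcity.com.<host> pattern quoted
# in the comment; the "nationalcity.com" labels are decoys in the middle of
# the name, not the registered domain.
CONSTRUCTED_FEED = [
    ("http://session-97701.nationalcity.com.userpro.io/login", "online"),
    ("http://session-300962.nationalcity.com.userpro.io/login", "online"),
    ("http://session-5489554.nationalcity.com.userpro.tw/login", "online"),
    ("http://session-2721837.nationalcity.com.directories.io/", "online"),
    ("http://hosting.example.co.uk/~user/paypal/index.html", "online"),
    ("http://old-phish.example.net/", "offline"),
]


def registrable_domain(host: str) -> str:
    """Return the base domain: the longest matching public suffix plus one label.

    Only trailing suffixes are tested, longest first, which is what keeps a
    decoy "nationalcity.com" in the middle of the hostname from being taken
    for the registered domain.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def flag_base_domains(feed):
    """Map each base domain with an online phish to the reports under it.

    Offline entries are skipped, so once PhishTank marks a plugged hole
    inactive the domain drops out on the next rerate.
    """
    flagged = defaultdict(list)
    for url, status in feed:
        if status != "online":
            continue
        host = urlsplit(url).hostname or ""
        flagged[registrable_domain(host)].append(url)
    return dict(flagged)


def rate_url(url: str, flagged) -> str:
    """Down-rate any URL under a flagged base domain, whatever its subdomain
    or path, which is exactly what per-URL blacklisting misses."""
    host = urlsplit(url).hostname or ""
    return "downrated" if registrable_domain(host) in flagged else "unrated"


if __name__ == "__main__":
    flagged = flag_base_domains(CONSTRUCTED_FEED)
    for domain, reports in sorted(flagged.items()):
        print(f"{domain}: {len(reports)} active report(s)")
    # A session id never seen in the feed is still caught.
    print(rate_url("http://session-4242.nationalcity.com.userpro.io/", flagged))
```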
What's a bank? What's a legitimate business?
I posted "What's a bank?" previously, with some examples of ambiguous cases. If the criteria for some ".bank" domain are broadened to financial service businesses generally, it's even worse. That pulls in mortgage brokers, which range from major firms like Provident to the "Lenders compete from your business" spammer. Then there are the "offshore" operators, the "High Yield Investment Program" people, hedge funds of varying degrees of legitimacy, and armies of "affiliates" and "resellers". Expecting domain registrars, who have a terrible reputation as verification services, to sort this out is asking too much.
We've been struggling with this issue for SiteTruth, where we try to rate businesses for "legitimacy". Simply trying to associate the name and address of a legitimate business with a web site is enough to filter out a huge number of marginal web businesses. But it's not a solid protection against more determined fraud operations. We check against third-party sources for identity verification, which helps. We give the highest rating only to sites for which we have some source of third-party confirmation (a valid SSL cert with a name and address, a BBBOnline seal, etc.)
The Online Better Business Bureau is probably the best verification service right now. Their seal of approval actually means something. (But click on it to check that the BBB site says the seal is valid. We check that automatically with SiteTruth, and there are definitely sites out there using the BBBonline graphic that aren't entitled to do so.)
The PhishTank people have a user-reported list of "phishing sites", but it's always behind. Worse, it's by URL, not domain, so sites that generate a new URL for each spam escape that check.
There have been several previous attempts at "identify your business as legitimate by paying us money". This ".bank" scheme falls into that category. Before that, "High Assurance" certificates were touted as a similar scheme. There are several companies selling "seals of approval"; there's "ValidatedSite.com", the "International Bureau of Certified Website Merchants", "Guardian ECommerce", and the "International Chamber of E-Commerce". Most of the certificate authorities have some kind of seal program, too. This ".bank" thing is the same idea, at a higher price point.
-
Re:I'm surprised
I have read/commented on the first story, and after reading this one and the comments, I'd say everyone should check http://www.phishtank.com/ and enjoy that mess they are defending.
-
Re:Here's how it works from another perspective
Maybe you just need some fresher spam.
Take a look at Phishtank. They have plenty of fresh phish you can sample to see if the web sites are still up. Some of the submitted links are for spamvertisements, and not just phish, so you can sample what's currently out there.
The other thing is that the merchants and the spammers don't always speak the same language, and the merchants are pretty stupid. They may send an email saying something like "Ill pay you too send a emale for sellign viagar?" The spammer simply pastes his request letter into his spam engine and charges the idiot's credit card $60. The rest of us get spammed with letters that read exactly this: "Ill pay you too send a emale for sellign viagar?", the spammer gets his $60, and Cletus wonders why he's not selling any viagra.
-
Re:As a matter of principle...
Here is the "banking" scene right now:
http://www.phishtank.com/phish_archive.php
I am sure F-Secure doesn't give a heck about validating sites. They just want a domain about which banks would say "Never trust anything with your account data unless it ends in the .safe domain".
Here is what has happened to date:
1) Never give your data to sites with an IP address (fixed, everyone registers a domain now)
2) Never trust anything without httpS: (fixed, SSL hosts being cracked and hosting phish.html)
3) Watch the address bar on your browser to make sure you are at the right place (default Windows theme address bar gif plugged into the page and toolbar removed from browser, fixed)
The idea seems to be that every bank will get a .safe address via an appointed financial regulator, and unless HSBC stealing Citi customer accounts happens, address-based phishing will be over. At least for sane people with minimum safety precautions. The famous 53 will say "only use 53.safe and forward the rest to police". -
Re:it's a tactical move from Kaspersky
That is exactly why I pasted that blog entry. Kaspersky never tried to spread FUD, they tried to inform the IT community about a nightmare scenario where all AV companies fail to detect a perfectly coded virus and its impact on the planet in a professional conference.
As a side note, Kaspersky _is_ the company who found that iPod virus and the blog entry by the BOSS of Kaspersky says it is NOT a danger right now.
Also head to http://www.phishtank.com/ and see the unbreakable, super secure Linux and BSD systems used for criminal purposes. 3-4 years ago, if someone had told you 2000 phishing sites would be active at any one second running Apache/Linux/BSD, they would have been accused of spreading FUD.
I am not saying Linux is insecure; the "feel" of security, such as blaming any company that notifies about the danger of outdated software, and a false sense of security, is a more dangerous thing than 1000 buffer exploits. -
Re:How much will it take?
http://www.phishtank.com/phish_archive.php , how many of them are running Windows servers? Almost NONE.
This kind of stupid Windows bashing even makes a pure OS X owner like me type this message. Think about it. -
Look at the live situation of phishing
Hi,
Here is the nightmare situation of current phishing, complete with some https: hosts (rare), decimal IPs, Geocities-hosted Yahoo phishing pages which send mail to Gmail (yes!), etc.
http://www.phishtank.com/
Watch and be amazed every day; to help, submit or verify the open data.
The situation is already out of hand IMHO. -
Re:Infection vs Market Share
I understand what you mean. Check the hacked servers at http://www.phishtank.com/ ; almost all run Apache on Linux. Why? It has the bigger market share on web servers.
I think the OS X, Linux, FreeBSD attitude of "I am invulnerable because of the OS I run, I don't need security updates or a basic sense of security" will cause problems soon, just like phishing. -
Re:The way it should be.
Well, if by "works for the Germans" you mean "every spammer and phisher and kiddie porn trader and net stalker and all the other net scum switch to German ISPs, until Germany gets blackholed by the rest of the world", then yeah, I think it will work out for them.
Scared they kick the US from 1st place? -
You can view the horrible phishing status for free
The OpenDNS people started the http://phishtank.com/ service, which is completely community based: you can actually see the phishes and verify them. I have seen some amazing stuff there. Compromised servers with SSL certificates which are abused in phishing operations, some pages having a fake address bar on top, and most important of all, USA-based banks being phished from a (haxored) USA cable modem subscriber, with nothing done about it for days.
BTW, as it is free to use, SURBL added it, so the stuff which you verify actually helps people using that free list. -
Re:Sender ID, SPF, DomainKeys
I use Yahoo mail, and right after DomainKeys was implemented, there has been zero phishing in my inbox. I have also noticed that the highly respected Spamcop.net uses DomainKeys for their mail alerts (SpamCop accepted mails).
If you are running Linux or an advanced Windows setup, you won't notice how serious the phishing problem is. Remember the times you wouldn't click IP hostnames? They are now using compromised hosts with real SSL certificates!
This URL will show a glimpse of the current, evil phishers:
http://www.phishtank.com/
BTW, it is free service of OpenDNS people with free SDK.
If Yahoo and Gmail use it in real life with success, Microsoft should adopt it.