PhishTank Taps Community To ID Scams

mikesd81 writes, "The AP has an article on PhishTank, OpenDNS's service for fighting e-mail fraud. The free service seeks to tap the wisdom of the Internet community in identifying phishing emails and sites." From the article: "Users simply submit to PhishTank.com the messages they believe are scams. Others then examine the message and the site to which it links and decide whether it is or isn't a scam. When an item gets enough votes and the margin is wide enough, it is either dropped or classified as a phishing message. To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages." Update: 10/05 18:24 GMT by kd : David Ulevitch wrote to mention: "PhishTank, unlike any other anti-phishing service, provides a full API and open access to the data for any developer to use to secure their applications. Before PhishTank, someone from the SpamAssassin project or maybe the Squid Cache would have to fork over a lot of money for phishing data to groups like the Anti Phishing Working Group or Symantec. It's now available for free, and I believe in a far more accurate and usable form."

Not really

[OverlordQ]

To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages.

I dont really see how that prevents scammers from gaming the system. All it means is that it'll take a few more scammers to make sure their definition of 'scam' isn't what everybody elses is. If they do that, when people vote scam pages as scams the system will think "Hey thats not right" and it'll lower the legit users accuracy.

Re:Not really

[joe+155]

Indeed. Although it would take a lot of scammers... maybe this is just a sophisticated phising attack, waiting for all the scammers to register and start voting (the way that they know is the wrong way) and then they have the scammers IP address. BAM! you've got one.

Sure some people will use a good proxy, but it only takes one idiot spammer to fall for it to be of use ; )

I Just Registered

[eldavojohn]

I just registered and flew through a few of them. Honestly, some of these are very very good phishing attacks. In fact, some are so good that it's unclear whether or not you can call them 'phishing attacks.' For instance, one asks you to apply for mortgage but doesn't ask you for sensitive information aside from your address and phone number.

Now, I don't want them selling this to telemarketers and snail mail SPAM but maybe there are people looking for mortgages and want to be contacted. What do I vote this as? There is no possible phishing attack to select. When I clicked 'phishing' attack, 70% said it wasn't while I was part of the 30% who said it was. Kind of confusing.

After voting on ten of them (all of which, I decided where scams), I found a classic Ukrainian eBay phish. 100% votes were phishing attack. I started to notice that the URL tells more than the actual message itself. I guess I wish the site would have a section firmly defining phishing attacks and what are obvious give-a-ways.

This is all they say on that:

What is phishing?

Phishing is a fraudulent attempt to get you to provide personal information, including but not limited to, account information.

How do I tell a phish email from just regular spam?

Spam is unsolicited commercial email...which may include phishing attempts, but is often simply unwanted marketing. Phishing often has criminal intent. Spam isn't always, though it can be.

So appearantly the mortgage example asked for personal information but was just Spam? I'm a bit confused.

Yes really.

[BlackMacUser]

Actually, it will do a good job of keeping scammers out as it specifically is designed to keep scammers out. You obviously do not understand how harddrives work, as this technology makes it impossible for untrusworthy users to edit the harddrive. This technology is amazing and I hope it is used in all future voting robots.

What's obviously coming...

[pazu13]

Dear PhishTank user: There has ben a problem with your account information. Please go to http://www.phishtank-org.uk/UserID357zzzzx.html to make appropriate changes.

Netcraft has done it for at least the past year

[Radice+Utente]

http://toolbar.netcraft.com/ Netcraft installs a tool bar on your browser that shows host information (including country) and the level of trustworthiness. Users can submit phishing links through a link on the bar. I use it mostly to spot the hosts of spammers, but it also raises useful questions such as a link from eBay with a web hosting service in Korea. They've recently become particular about what kind of URLs they consider phishing. For example I wouldn't consider a mortgage spammer hosted in China to be a serious candidate when it's time to re-fi the family manse. They also don't consider possibly illegal content (child porn for example) to be phishing.

Re:Netcraft has done it for at least the past year

[ostiln]

Personally I prefer WOT. It's a website reputation system, which lets me vote on the trustworthiness without leaving the site. More on their technology can be found on their blog. They say it knows over 10M sites already, which is quite impressive.

Phishers Will Test This

[miller60]

You'd be amazed at how technically sophisticated some of these phishing crews are becoming. They've all got botnets in which they wield large numbers of compromised computers. If a bot can be trained to sign up for a Blogspot blog and autogenerate SpamSense blogs, they may find a way to vote for/against sites on this system as well. Bot nets are perfect for online voting, as they can send a steady stream of votes from different IP addresses. That's why blogs have such trouble with comment spam - it's coming from 50 different IP addresses.

I think this is a bad idea...

[Phil_At_NHS]

I get this garbage all the time. I know instantly whether or not it is a Phish. If I get an email from a bank about some security issue, and I do not do business with that bank, it is a Phish. If there is any doubt, I can look at the data behind the link that is given. If it goes to www.bankofamerica.com, it is legit. If it begins with some IP address, it is not. I personally do not need group concensus to know it is a Phish. Being a good Netizen, I will hit the link to see if it is still active, and if it is, forward it to BOFA, Paypal, or whatever service is being used as bait. They also do not need any goup's concensus to know if it is a Phish, and they will take care of it, quickly. About half the time, by the time I open the email and check the link, it is already down, presumeably because the team dedicated to online fraud at the organization in question has had it shut down. Once it is shut down, NO-ONE can be duped by it. If I were to to use this site, I probably would be to lazy to ALSO forward the email on to the organization in question. The result is that, instead of a group who can actually kill it getting it as soon as possible, it is eventually, after a bunch of people have looked at it and made thier own determination, shut down for only those people who actually subscribe to that list, leaving it open for the rest of the Net to be duped. Now, if the idea was to identify, as in name and address, that bastards RESPONSIBLE for the Phish, I would be all for it. same thing with SPAM. Build something that gives us all names and addresses of the bastards, I will be first in line. This idea, however, simply delays and extends the useability of the Phish. Bad Idea Phil