Microsoft Sponsors Antiphishing Bakeoff

Posted by kdawson on Thu Sep 28, 2006 03:24 PM
from the here-phishie-phishie dept.
uniquebydegrees writes, "InfoWorld is blogging about the (predictable) results of a Microsoft-sponsored antiphishing technology bakeoff. From the TechWatch blog: 'Microsoft's Phishing Filter (MPF) in IE 7 Beta 3 received the highest "composite score" at 172, followed closely by NetCraft's toolbar with a composite score of 168. But when you dig into the numbers, another story emerges... IE's MPF antiphishing toolbar doesn't top out any of the individual tests that make up the composite score... So how did MPF end up on top?... Microsoft didn't do the best job of spotting phish sites, but it did do the best job of blocking the ones it did spot, and blocking was what garnered the most points... Blocking a phishing Web site earned you twice as many points as just warning about it in this test, but is blocking really twice as effective as just warning users?'"
  • What a silly question. (Score:5, Funny)

    ...but is blocking really twice as effective as just warning users?

    No, of course not. That's why I tape the root password for the file server to users' monitors, but warn them strongly not to use it.

  • by chroot_james (833654) on Thursday September 28 2006, @03:27PM (#16236189)
    (http://www.trailofjames.com/)
    "What is this window doing here?! I just want to get to paypal already..." *clicks ok* "There. Now I can finish this ssn and cc verification..."
  • Is it just hype or is this still an effective tool?
  • I hate slashdot so much (Score:5, Insightful)

    by anotherone (132088) on Thursday September 28 2006, @03:30PM (#16236249)
    If anything, blocking a site should be worth more than double, since most people I know seem to just ignore warning dialogs.
    • Re:I hate slashdot so much by Mr2cents (Score:2) Thursday September 28 2006, @03:56PM
    • Re:I hate slashdot so much (Score:4, Insightful)

      by jrumney (197329) on Thursday September 28 2006, @04:08PM (#16236925)
      (http://jasonrumney.net/)

      If anything, blocking a site should be worth more than double, since most people I know seem to just ignore warning dialogs.

      My first thought was that the false positive rate is probably going to be about the same as WGA, blocking far too many sites, but you're right. The ideal solution would be to have it configurable and default to blocking, since the users who click through without reading are probably not going to go anywhere near the Options dialog.

  • by dtfinch (661405) * on Thursday September 28 2006, @03:30PM (#16236261)
    (Last Journal: Monday September 25 2006, @01:19PM)
    Disregarding their arbitrary scoring BS, and only looking at detection percentages, IE7 still did a good job, as expected from a Microsoft commissioned study.
    GeoTrust TrustWatch caught 99%, but had a 32% false positive rate.
    IE7 - 89%
    Netcraft Toolbar - 84%
    EarthLink ScamBlocker - 64%
    Firefox/Google - 53%
    eBay Toolbar - 46%
    Netscape 8.1 - 28%
    McAfee Site Advisor - 3%

    How they came out with only 89% when they selected the sites themselves is anyone's guess.
  • Stupid questions (Score:3, Insightful)

    by Solkre (787360) on Thursday September 28 2006, @03:31PM (#16236271)
    Why do all article descriptions end with a stupid question?

    And for those who disagree, there ARE stupid questions.
  • Actually... (Score:2)

    by Otter (3800) on Thursday September 28 2006, @03:31PM (#16236293)
    (Last Journal: Thursday November 08, @06:00PM)
    Blocking a phishing Web site earned you twice as many points as just warning about it in this test, but is blocking really twice as effective as just warning users?

    In fact, blocking is pi times as effective as warning, so this result is even better for IE than it appears. (Yeesh, even by Obligatory Stupid Question standards, that one was pretty stupid.)

  • Actually.... (Score:4, Insightful)

    by zappepcs (820751) on Thursday September 28 2006, @03:32PM (#16236317)
    (Last Journal: Friday May 18, @11:07AM)
    It is the blocking part without user interaction that provokes that 'just click ok' reflex all the time. When the OS (or any machine, service, etc.) coddles the user to the point that they don't know what they are doing, or having the computer do, it breeds ignorance. No, I'm not dumb enough to think that all computer users must be sysadmins, but software that deepens their ignorance is not good software. Intelligent software should tell users what is happening, why (if possible), and what the software can do about it, and/or what the user should do about it. I know that clippy was pretty annoying, but a less annoying and more intelligent approach like clippy would help users to make better security decisions in the future. Just two cents worth.
    • Re:Actually.... by merreborn (Score:3) Thursday September 28 2006, @04:39PM
      • Re:Actually.... by Todd Knarr (Score:2) Thursday September 28 2006, @06:49PM
        • Re:Actually.... by merreborn (Score:2) Thursday September 28 2006, @07:01PM
          • Re:Actually.... by madcow_bg (Score:1) Thursday September 28 2006, @10:30PM
  • Sadly, yes (Score:3, Insightful)

    by Angst Badger (8636) on Thursday September 28 2006, @03:35PM (#16236361)
    [...] but is blocking really twice as effective as just warning users?

    While I am loath to say anything positive about Microsoft, I'd have to agree with the scoring. Most end-users, especially the developmentally challenged ones that are prone to phishing scams, simply do not read warnings. If someone is drooling, it does no good to tell them. Just wipe their chin.
  • Yes... (Score:3, Insightful)

    by loraksus (171574) on Thursday September 28 2006, @03:37PM (#16236407)
    (http://www.loraksus.org/)
    Because your average user is stupid and will click away any phishing warning, especially if the email says "You may see a dialog like this, click yes/ignore (just like installing your printer, scanner, tv card, etc drivers)"

    I really don't want to advocate handholding, but some people really do need it..
    • Re:Yes... by God Of Atheism (Score:1) Thursday September 28 2006, @03:56PM
  • Template for MS Slashdot Articles (Score:5, Insightful)

    by derrickh (157646) on Thursday September 28 2006, @03:38PM (#16236435)
    (http://www.deadpixelnews.com/)
    Microsoft did something right...but is that something actually not wrong?

    Microsoft performed well...but is performing well more important than performing badly?

    Microsoft isn't all bad...but is not being bad the same as being good?

    D
  • Mmmmm, Pie... (Score:1)

    by Hobbes897 (782722) on Thursday September 28 2006, @03:39PM (#16236457)
    At first when I read the post title I thought Microsoft was going to have an actual baking competition. "Wow," I thought, "That would be an awesome way to spread the antiphishing message to the common Windows user." Alas, it was not to be. Maybe I was just overcome by the image of apple pie cooling by the monitor, fresh from the gentoo box. *sigh* Memories...
    • Re:Mmmmm, Pie... by $RANDOMLUSER (Score:2) Thursday September 28 2006, @04:01PM
    • Re:Mmmmm, Pie... by AmberBlackCat (Score:1) Thursday September 28 2006, @11:55PM
    • Re:Mmmmm, Pie... by jacquems (Score:1) Friday September 29 2006, @12:04AM
  • Never mind phishing (Score:1, Informative)

    by Anonymous Coward on Thursday September 28 2006, @03:43PM (#16236539)
    When is MSFT going to take responsibility for the tens of thousands of windows zombies out there? Microsoft are desperate to be seen to be doing something in the eyes of the public but when it comes to the crunch, they don't give a shit!


    Perhaps we should start a "Spam is a Microsoft problem" campaign until they backport Vista's security model to the millions of systems already out there?

  • by tt074266 (1005951) on Thursday September 28 2006, @03:45PM (#16236571)
    I'd say blocking phishing web pages is great... but if MPF is ONLY able to detect the KNOWN phish... I'd say that's just a waste of time... another great HYPE from Microsoft... hey Bill, let's go phishing!!!
  • by ColinPL (1001084) <michkol+slashdot@gmail.com> on Thursday September 28 2006, @03:53PM (#16236713)
    Blocking a phishing Web site earned you twice as many points as just warning about it in this test, but is blocking really twice as effective as just warning users?

    The average user ignores all warnings so it is very important to block phishing sites.

    For advanced users warning is as effective as blocking a website.

  • Interesting (Score:1)

    by wetfeetl33t (935949) on Thursday September 28 2006, @04:09PM (#16236975)
    Interesting concept...
    I would say that blocking is more effective than just warning users, but to tell you the truth, as a user I want to control what I have access to. I don't want a filter blocking things for me. A warning is nice, but I can take care of blocking on my own, thank you very much. Isn't this one of the annoying things about MS products - that they try to make up your mind for you?
    • Re:Interesting by proxy318 (Score:1) Thursday September 28 2006, @04:31PM
  • Rigged weighting (Score:2)

    by jemenake (595948) on Thursday September 28 2006, @04:10PM (#16236993)
    Blocking a phishing Web site earned you twice as many points as just warning about it in this test
    This reminds me of when the "Quarterback Rating" came out back in the 80's. Back then, there were people arguing that Joe Montana was the greatest QB in history. Around that time, a "Quarterback Rating" scheme emerged with some esoteric weighting of various performance stats (completion percentage, TD's per game, etc. etc). Although nobody seemed to understand the rationale for the particular weighting... lo and behold, Joe Montana came out with the highest rating of current QB's and, IIRC, all QB's in history.

    The lesson: Beware of any "combined" or "aggregate" score of competing products when the person doing the aggregating: A) has an interest in one product doing better than the others, and B) knows, beforehand, what the strengths of that product are.
  • by shadowdodger (976256) on Thursday September 28 2006, @04:36PM (#16237429)
    So there's something really important that everyone seems to be forgetting here.
    Yes, blocking a site is very effective, it's most likely more than two times more effective at preventing a phishing scam for the sites that it blocks.
    But at the same time, if you block 50% of the sites and users never see them, never see a message or a warning, they think that they are safe and as a result, they are less likely to look at other sites with any degree of caution.
    On the other side, if you as a user are warned at every site that could be dangerous, and blocked from only a few right off the bat, then at least you've got it in the back of your mind that you need to be careful. It might actually instill the idea into people's heads that they ought to look at the sites they are traveling on.
    So, what you've really created is a situation where 50% of the time it works all of the time.
    Instead of a situation where your program covers your ass 30% of the time (or whatever it is, the number doesn't really matter) and then at least helps you to cover your own the rest of the time.
    You take your pick.
  • still beta.. (Score:1)

    by azman075918 (1003353) on Thursday September 28 2006, @04:52PM (#16237647)
    This antiphishing will be available in Internet Explorer (IE) 7, which is not yet in public release. They released it just for testing. I want to see how well it can block all the unwanted things in IE.
  • by tokapi4223 (1005447) on Thursday September 28 2006, @06:05PM (#16238637)
    (http://mutebox.net/~tokapi)
    This is a great idea to have a browser with its own anti-phishing, but there are some points we need to look at. The blocked sites may not really be a threat but are blocked because someone just doesn't like them and reports them to Microsoft. There will be a great misunderstanding among users who browse a site where the browser tells them it is not a safe site to surf, when it is actually safe. This phishing technology has made the browser (IE7) heavier. Browsing speed becomes a little bit slower and it affects the overall performance of the browser itself. However, there is an option to turn off the phishing feature, and this really helps those who have problems when encountering sites that have been identified as "phishing sites". There's always an alternative for everything... use Firefox with Fasterfox... really cool...
  • Results (Score:2, Informative)

    by shiyun074238 (1002482) on Thursday September 28 2006, @06:08PM (#16238673)
    The results of the study as below:
    1. Internet Explorer 7 Beta 3 RC3 with Microsoft Phishing Filter with a score of 172 points
    2. Netcraft Toolbar with a score of 168
    3. Google Safe Browsing on Firefox with a score of 106
    4. eBay Toolbar with a score of 92
    5. Earthlink ScamBlocker with a score of 76
    6. GeoTrust TrustWatch with a score of 67
    7. Netscape 8.1 with a score of 56
    8. McAfee Site Advisor with a score of 3

    Check http://www.3sharp.com/projects/antiphishing/ [3sharp.com]
    • Re:Results by n00bsaib0t (Score:1) Friday September 29 2006, @03:40AM
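An added sketch (not from the study or from any poster) of how far the ranking depends on the block weight that several comments argue about. It assumes 100 test URLs, so each detection percentage quoted in the thread is a count, and a score of 2 points per blocked site plus 1 per warning; the blocked/warned split is inferred from those two figures, not taken from the report.

```python
# (composite score, detection %) as quoted in the thread.
RESULTS = {
    "IE7 Phishing Filter": (172, 89),
    "Netcraft Toolbar": (168, 84),
    "Firefox/Google": (106, 53),
    "eBay Toolbar": (92, 46),
    "EarthLink ScamBlocker": (76, 64),
    "GeoTrust TrustWatch": (67, 99),
    "Netscape 8.1": (56, 28),
    "McAfee Site Advisor": (3, 3),
}


def implied_split(score, detected, block_points=2, warn_points=1):
    """Solve block_points*b + warn_points*w = score with b + w = detected.

    Returns (blocked, warned), or None when the two quoted figures cannot be
    explained by this two-term model (assumed model, see lead-in).
    """
    num = score - warn_points * detected
    den = block_points - warn_points
    if den == 0 or num % den:
        return None
    blocked = num // den
    warned = detected - blocked
    if blocked < 0 or warned < 0:
        return None
    return blocked, warned


def unexplained():
    """Products whose quoted score needs something beyond block/warn points."""
    return [n for n, (s, d) in RESULTS.items() if implied_split(s, d) is None]


def rank(block_points, warn_points=1):
    """Re-score each product that fits the model; return names, best first."""
    scored = []
    for name, (score, detected) in RESULTS.items():
        split = implied_split(score, detected)
        if split is None:
            continue
        blocked, warned = split
        scored.append((block_points * blocked + warn_points * warned, name))
    # sorted() is stable, so ties keep the order of the quoted results table.
    return [name for total, name in sorted(scored, key=lambda t: -t[0])]


if __name__ == "__main__":
    print("does not fit the model:", unexplained())
    for weight in (1, 2, 7):
        print(f"block worth {weight}x a warning:", rank(weight)[:4])
```

Under these assumptions the top two places only swap once a block is worth more than six warnings, while the middle of the table reorders between a weight of 1 and 2.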
  • by Fantasio (800086) on Thursday September 28 2006, @06:24PM (#16238853)
    If you torture them enough they'll say anything you want.

    ( No truth has been hurt writing this post )

  • Skeptical about Microsoft's survey? Try the Netcraft toolbar, which finished a close second. Washington Post security columnist Brian Krebs has written many columns about phishing, and thus surfs to known phishing sites all the time. Here's his take [washingtonpost.com] after visiting a malware site for a recent column:

    "It's worth noting that Netcraft's anti-phishing toolbar detected this site as malicious and tried to prevent me from visiting it, as it is designed to do. I have to say that I've visited countless phishing sites in the past few months, and Netcraft's toolbar has done its job almost unfailingly."

    toolbar.netcraft.com [netcraft.com]

  • by sii074306 (1004649) on Thursday September 28 2006, @10:45PM (#16240943)
    I bet many of my friends out there just click "Yes" or "Ok" when there is a warning pop-up window without paying attention to what the warning has said. Even when they have read it, sometimes they don't understand what it is all about. So blocking will be the best action to take rather than just giving a warning to the user.
  • by RR074862 (1003812) on Thursday September 28 2006, @10:57PM (#16241059)
    Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization. One method of spoofing links uses web addresses containing the @ symbol, which are used to include a username and password in a web. For more details http://en.wikipedia.org/wiki/Phishing [wikipedia.org]
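A defensive check for the @-symbol links described in the comment above, as an added example that is not part of the original post: it flags links whose URL carries a userinfo part and links whose visible text names a different host than the one the link reaches. The function names and the sample HTML (reserved `.test` names and documentation IP addresses) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host named by a URL or bare 'host/path' string, or None if it has none."""
    if not value or " " in value or "." not in value:
        return None
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None


def check_link(href, text=""):
    """Return findings for one link; an empty list means nothing was flagged."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
    except ValueError:
        return ["unparseable URL"]
    findings = []
    if parts.username is not None:
        # Everything before '@' is credentials; the browser connects to `host`.
        findings.append(f"userinfo {parts.username!r} before real host {host!r}")
    shown = host_of(text)
    if shown and shown.lower() != host:
        findings.append(f"text shows {shown!r} but link goes to {host!r}")
    return findings


def scan_html(body):
    """Map each flagged href in an HTML mail body to its list of findings."""
    collector = LinkCollector()
    collector.feed(body)
    flagged = {}
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            flagged[href] = findings
    return flagged


# Constructed sample mail body: two deceptive links and one honest one.
SAMPLE = """
<p><a href="http://www.example-bank.test@203.0.113.7/login">verify your account</a></p>
<p><a href="http://203.0.113.9/secure">www.example-bank.test/secure</a></p>
<p><a href="https://www.example-bank.test/help">www.example-bank.test/help</a></p>
"""
```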
  • by derprasiden (1007265) on Friday September 29 2006, @12:14AM (#16241537)
    Although blocking is a far greater choice than those provoking warning messages which users tend to ignore, perhaps why not throw in the towel and allow those damn warning messages to appear, you can even come up with a statistic by looking at the numbers of those who are ignorant and fall victim from this so called imposter.
  • by RR074862 (1003812) on Friday September 29 2006, @12:41AM (#16241659)
    Microsoft's new IE7 browser includes a form of anti-phishing technology, by which a site may be checked against a list of known phishing sites. If the site is a suspect the user is warned, although not prevented from visiting it. This phishing technology has made the browser (IE7) heavier. Browsing speed becomes a little bit slower and it affects the overall performance of the browser itself. Spam filters also help protect users from phishers, because they reduce the number of phishing-related emails that users receive.
  • alert (Score:1)

    by tt074286 (1007267) on Friday September 29 2006, @12:48AM (#16241685)
    As users, we are not supposed to depend totally on software to avoid this phishing stuff. We can take careful steps to prevent phishing from happening to ourselves. I'll share with you all the steps that will help you avoid becoming a victim of these scams:
    1. Be suspicious of any e-mail with urgent requests for personal financial information.
    2. Don't be fooled by e-mails with upsetting or exciting (but false) statements that try to get you to react immediately.
    3. If you suspect the message might not be authentic, don't use the links within the e-mail to get to a webpage.
    4. Don't fill out forms in e-mail messages that ask for personal financial information.
    5. Communicate information such as credit card numbers only via a secure website or the telephone.
    6. To make sure you're on a secure Web server, check the beginning of the URL in your browser address bar. It should be "https" rather than "http." The "s" stands for secure.
    7. Consider installing a Web browser toolbar such as EarthLink's ScamBlocker to alert you before you visit known phishing fraud websites.
    8. If an e-mail message is not personalized, assume it's not a valid message.
    9. Log in to your online accounts regularly, and check bank, credit and debit card statements to ensure that all transactions are legitimate.
    10. Ensure that your browser is up-to-date and security patches have been applied.
    Credits: http://www.csoonline.com/read/090104/briefing_phish.html [csoonline.com]
  • by tt074269 (1004000) on Friday September 29 2006, @01:33AM (#16241887)
    Phishing is online identity theft in which confidential information is obtained from an individual. Phishing includes deceptive attacks, in which users are tricked by fraudulent messages into giving out information; malware attacks, in which malicious software causes data compromises; and DNS-based attacks, in which the lookup of host names is altered to send users to a fraudulent server.

    The Gartner group estimates that the direct phishing-related loss to US banks
    and credit card issuers in 2003 was $1.2 billion. Indirect losses are much higher,
    including customer service expenses, account replacement costs, and higher
    expenses due to decreased use of online services in the face of widespread fear
    about the security of online financial transactions. Phishing also causes
    substantial hardship for victimized consumers, due to the difficulty of repairing
    credit damaged by fraudulent activity.

    So, as long as Microsoft can effectively protect against any online thief, users will be happy about it.

  • by vz3phyre (1003163) on Friday September 29 2006, @01:54AM (#16241969)
    I'm not surprised, because Microsoft are really good at this kind of strategy.
    They won't tell the average user that they got the high score for blocking the URL, but they will absolutely tell them that "We have the no. 1 antiphishing toolbar!".

    Maybe for them, blocking the URL is a much more efficient way to protect their customers than warning them. This is because their customers (most are not computer geeks) may not be aware of "phishing" threats; "Phishing?? Is it a new cool word from Microsoft referring to fishing?" -- 8P

    If they give a warning to their customers, maybe the customers will just ignore it.

    So, lastly, I would prefer that the customers know all the details and be allowed to make their own choice. No. 1 doesn't mean the best, but a poor-scoring toolbar does mean horrible (especially with a big score gap).
  • Hmm..... (Score:1)

    by IT072093 (1007295) on Friday September 29 2006, @02:28AM (#16242091)
    In my opinion if someone knows what a phishing website is then they don't need a phishing filter.

    And if they don't know what a phishing site is then they probably wouldn't understand the importance of enabling the phishing filter.

    As soon as I got IE7 beta1 I disabled the filter because it seemed to be slowing things down. (I've uninstalled the beta btw)

    And I believe anti-phishing heuristics are useless. All phishers will check their websites against IE7's filter and modify their techniques till IE7 stops detecting them.

  • the solution is .. (Score:2)

    by rs232 (849320) <emacsuser@NoSPam.linuxmail.org> on Friday September 29 2006, @05:21AM (#16242733)
    The real solution is an email system with end to end encryption and digital signatures. Basically an email doesn't pop up in your inbox unless it passes these tests. The same with e-commerce sites. You sign up to a provider who allocates you a PGP key which is then published to a number of online directories. Why we don't have such a solution is that the security services won't be able to monitor our online activities.
    1. As an ISP, offer your users the ability to alias their mail address for companies they do business online with.
    2. If the user receives mail from that company not to the alias they registered, it's obviously a phishing attempt or spam. Heck, the ISP could just drop it altogether based on the mail routing information.
    3. profit?