PhishTank Taps Community To ID Scams

Posted by kdawson on Thu Oct 05, 2006 12:13 PM
from the going-anti-phishing dept.
mikesd81 writes, "The AP has an article on PhishTank, OpenDNS's service for fighting e-mail fraud. The free service seeks to tap the wisdom of the Internet community in identifying phishing emails and sites." From the article: "Users simply submit to PhishTank.com the messages they believe are scams. Others then examine the message and the site to which it links and decide whether it is or isn't a scam. When an item gets enough votes and the margin is wide enough, it is either dropped or classified as a phishing message. To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages." Update: 10/05 18:24 GMT by kd : David Ulevitch wrote to mention: "PhishTank, unlike any other anti-phishing service, provides a full API and open access to the data for any developer to use to secure their applications. Before PhishTank, someone from the SpamAssassin project or maybe the Squid Cache would have to fork over a lot of money for phishing data to groups like the Anti Phishing Working Group or Symantec. It's now available for free, and I believe in a far more accurate and usable form."
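The weighted tally described in the summary above, sketched as an added example that is not PhishTank's code. The weight formula, both thresholds and the voter figures are assumptions chosen for illustration; the article names only the three inputs (how long, how often, how accurate).

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Voter:
    days_active: int    # "how long"
    votes_cast: int     # "how often"
    accuracy: float     # "how accurate": share of past votes matching final verdicts

def weight(v: Voter) -> float:
    """Assumed formula, not PhishTank's: tenure and volume saturate on a log
    scale, and accuracy at or below a coin flip (0.5) earns no weight."""
    tenure = min(1.0, math.log1p(v.days_active) / math.log1p(365))
    volume = min(1.0, math.log1p(v.votes_cast) / math.log1p(500))
    skill = max(0.0, 2.0 * v.accuracy - 1.0)
    return tenure * volume * skill

def verdict(ballots, min_weight=3.0, min_margin=0.6) -> str:
    """ballots: list of (Voter, says_phish). Thresholds are assumptions."""
    yes = sum(weight(v) for v, says_phish in ballots if says_phish)
    no = sum(weight(v) for v, says_phish in ballots if not says_phish)
    total = yes + no
    if total < min_weight:                       # not "enough votes" yet
        return "pending"
    if abs(yes - no) / total < min_margin:       # margin not "wide enough"
        return "pending"
    return "phish" if yes > no else "not-phish"

# Constructed voters for illustration.
VETERAN = Voter(days_active=400, votes_cast=600, accuracy=0.95)
FRESH = Voter(days_active=2, votes_cast=5, accuracy=1.0)

def scenarios():
    consensus = [(VETERAN, True)] * 4
    return {
        "four veterans": verdict(consensus),
        "two veterans": verdict(consensus[:2]),
        "plus 10 fresh accounts voting no": verdict(consensus + [(FRESH, False)] * 10),
        "plus 20 fresh accounts voting no": verdict(consensus + [(FRESH, False)] * 20),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```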

Related Stories

EveryDNS Under Botnet DDoS Attack 154 comments
mellow marsh writes "EveryDNS, sister company to OpenDNS (which runs the PhishTank anti-phishing initiative), has been hit by a massive distributed denial-of-service attack. The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used free DNS management services provided by EveryDNS. At the height of the DDoS bombardment, EveryDNS was being hit with more than 400mbps of traffic at each of its four locations around the world. From the article: '"We were collateral damage," Ulevitch explained... Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.'" OpenDNS, which makes use of EveryDNS services, was affected for a time, until they spread their authoritative DNS more broadly. The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations.
This discussion has been archived. No new comments can be posted.
  • Not really (Score:3, Interesting)

    by OverlordQ (264228) on Thursday October 05 2006, @12:15PM (#16324049)
    (Last Journal: Thursday February 15 2007, @08:00PM)
    "To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages."

    I don't really see how that prevents scammers from gaming the system. All it means is that it'll take a few more scammers to make sure their definition of 'scam' isn't what everybody else's is. If they do that, when people vote scam pages as scams the system will think "Hey that's not right" and it'll lower the legit users' accuracy.
  • I Just Registered (Score:4, Informative)

    I just registered and flew through a few of them. Honestly, some of these are very very good phishing attacks. In fact, some are so good that it's unclear whether or not you can call them 'phishing attacks.' For instance, one asks you to apply for a mortgage but doesn't ask you for sensitive information aside from your address and phone number.

    Now, I don't want them selling this to telemarketers and snail mail SPAM but maybe there are people looking for mortgages and want to be contacted. What do I vote this as? There is no possible phishing attack to select. When I clicked 'phishing' attack, 70% said it wasn't while I was part of the 30% who said it was. Kind of confusing.

    After voting on ten of them (all of which, I decided, were scams), I found a classic Ukrainian eBay phish. 100% votes were phishing attack. I started to notice that the URL tells more than the actual message itself. I guess I wish the site would have a section firmly defining phishing attacks and what are obvious giveaways.

    This is all they say on that:
    What is phishing?

    Phishing is a fraudulent attempt to get you to provide personal information, including but not limited to, account information.

    How do I tell a phish email from just regular spam?

    Spam is unsolicited commercial email...which may include phishing attempts, but is often simply unwanted marketing. Phishing often has criminal intent. Spam isn't always, though it can be.
    So apparently the mortgage example asked for personal information but was just Spam? I'm a bit confused.
  • by MikeyTheK (873329) on Thursday October 05 2006, @12:22PM (#16324159)
    For as long as I can remember there have been attempts to fix email so that it won't be subject to spammer stupid-tactics. How long is it going to take? Answer: Until M$ makes OE use digital signatures by default.
  • by phorm (591458) on Thursday October 05 2006, @12:27PM (#16324241)
    (http://phorm.phormix.com/ | Last Journal: Monday May 19 2003, @12:08PM)
    A lot of the phishing scams I receive nowadays are real messages, such as ebay alerts, with the link pointing back to a phishing site that appears to be the real thing but actually is used to steal passwords. Others include fake announcements from banks, etc, again where everything is fairly close to the real thing excepting the actual web address linked.

    So how would it differentiate between these and the emails from the original site? While some of the bank ones are most likely just made up to look legit, the ebay and others are copied from modified messages.
  • by mutterc (828335) on Thursday October 05 2006, @12:28PM (#16324285)

    Huh. Moderating messages, with some kind of 'meta-moderation' to keep track of the moderators.

    Nope, that'll never catch on.

  • by jbdaem (959867) on Thursday October 05 2006, @12:29PM (#16324291)
    ((pre coventry)) And now the ph is usually synonymous with some sort of scammage, a scheme, and what not. How did we go so far away from the original usage?? [assuming that no one was "phishing" before phish [phish.com] formed] I hope this isn't toooo offtopic?? ;) Also rather nice to see the continued usage of the power of the people, democratic methodology, rather like when those things are put to use.... Thanks all the devs out there ((slashdot included 3 )) who keep that set of values rolling... And hopefully progressing... TAGS!!! EGOR!!! TAGS!!!!
  • by Speare (84249) on Thursday October 05 2006, @12:39PM (#16324487)
    (http://www.halley.cc/ed/)

    Why not just set up a scheme by which I can forward some of my spam-phish filter hits to their receiver?

    • if it mentions [a known financial institution],
    • if it doesn't mention [my own few known financial institutions],
    • if it mentions "login" or "password" or "activity",
    • it's a phish.

    When I get a new one I've never seen, I just add the name of the institution to the top of the rule. It doesn't take ME long to rule out all mails claiming to be from First Mutual of Podunk, even though there may exist some legitimate mails from FMoP to their customers, wherever that is.
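The three-part rule from the comment above, applied to parsed mail, as an added example that is not part of the original comment. The institution lists, the helper names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Assumed lists; the institution names are placeholders for this example.
KNOWN = ["first mutual of podunk", "paypal", "ebay"]  # extended as new lures arrive
MINE = ["example credit union"]                       # institutions I actually use
TRIGGERS = re.compile(r"\b(login|password|activity)\b")
TAGS = re.compile(r"<[^>]+>")

def visible_text(raw: str) -> str:
    """Subject plus the preferred text body, tags stripped, lower-cased,
    whitespace collapsed so names split across lines still match."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    if part is not None and part.get_content_subtype() == "html":
        body = TAGS.sub(" ", body)
    return " ".join(f"{msg.get('Subject', '')} {body}".lower().split())

def classify(raw: str) -> str:
    text = visible_text(raw)
    if not any(name in text for name in KNOWN):
        return "pass"                  # no known institution named
    if any(name in text for name in MINE):
        return "pass"                  # blind spot: lures naming my own bank
    return "phish" if TRIGGERS.search(text) else "pass"

# Constructed sample messages.
LURE = ("From: Security <alerts@mail.example>\n"
        "Subject: Unusual activity on your account\n"
        "Content-Type: text/html\n\n"
        "<p>First Mutual of\n Podunk needs you to confirm your <b>password</b>.</p>\n")
NEWSLETTER = ("From: Deals <news@shop.example>\n"
              "Subject: Weekly picks\n\n"
              "Top eBay listings this week: vintage cameras.\n")
OWN_BANK = ("From: Member Services <info@bank.example>\n"
            "Subject: Statement ready\n\n"
            "Example Credit Union: login to view your statement, or pay with PayPal.\n")
```

A message that names one of the reader's own institutions always passes this rule, so it needs a separate check such as comparing the link target with the institution's real domain.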

  • What's obviously coming... (Score:5, Funny)

    by pazu13 (663695) on Thursday October 05 2006, @12:50PM (#16324623)
    Dear PhishTank user: There has ben a problem with your account information. Please go to http://www.phishtank-org.uk/UserID357zzzzx.html [phishtank-org.uk] to make appropriate changes.
  • cloudmark? (Score:1)

    by Loconut1389 (455297) on Thursday October 05 2006, @01:02PM (#16324779)
    (http://webtrotter.com/blog)
    sounds a little like the old Cloudmark spam net.
  • by Radice Utente (599989) on Thursday October 05 2006, @01:07PM (#16324857)
    http://toolbar.netcraft.com/ [netcraft.com] Netcraft installs a tool bar on your browser that shows host information (including country) and the level of trustworthiness. Users can submit phishing links through a link on the bar. I use it mostly to spot the hosts of spammers, but it also raises useful questions such as a link from eBay with a web hosting service in Korea. They've recently become particular about what kind of URLs they consider phishing. For example I wouldn't consider a mortgage spammer hosted in China to be a serious candidate when it's time to re-fi the family manse. They also don't consider possibly illegal content (child porn for example) to be phishing.
  • Phishers Will Test This (Score:3, Interesting)

    by miller60 (554835) on Thursday October 05 2006, @01:21PM (#16325133)
    (http://www.datacenterknowledge.com/)
    You'd be amazed at how technically sophisticated some of these phishing crews are becoming. They've all got botnets in which they wield large numbers of compromised computers. If a bot can be trained to sign up for a Blogspot blog and autogenerate SpamSense blogs, they may find a way to vote for/against sites on this system as well. Bot nets are perfect for online voting, as they can send a steady stream of votes from different IP addresses. That's why blogs have such trouble with comment spam - it's coming from 50 different IP addresses.
  • I think this is a bad idea... (Score:2, Interesting)

    by Phil_At_NHS (1008933) on Thursday October 05 2006, @01:23PM (#16325157)
    I get this garbage all the time. I know instantly whether or not it is a Phish. If I get an email from a bank about some security issue, and I do not do business with that bank, it is a Phish. If there is any doubt, I can look at the data behind the link that is given. If it goes to www.bankofamerica.com, it is legit. If it begins with some IP address, it is not. I personally do not need group consensus to know it is a Phish.

    Being a good Netizen, I will hit the link to see if it is still active, and if it is, forward it to BOFA, Paypal, or whatever service is being used as bait. They also do not need any group's consensus to know if it is a Phish, and they will take care of it, quickly. About half the time, by the time I open the email and check the link, it is already down, presumably because the team dedicated to online fraud at the organization in question has had it shut down. Once it is shut down, NO-ONE can be duped by it.

    If I were to use this site, I probably would be too lazy to ALSO forward the email on to the organization in question. The result is that, instead of a group who can actually kill it getting it as soon as possible, it is eventually, after a bunch of people have looked at it and made their own determination, shut down for only those people who actually subscribe to that list, leaving it open for the rest of the Net to be duped.

    Now, if the idea was to identify, as in name and address, the bastards RESPONSIBLE for the Phish, I would be all for it. Same thing with SPAM. Build something that gives us all names and addresses of the bastards, I will be first in line. This idea, however, simply delays and extends the usability of the Phish.

    Bad Idea

    Phil
  • by Pootie Tang (414915) on Thursday October 05 2006, @01:39PM (#16325447)
    I'm not sure that if I'm getting legitimate emails that might be a scam I want to submit it to find out. I recognize that email isn't secure and there shouldn't be any private information in them, but there is. At least partial information such as the last 4 CC digits. Often a token to take you direct to the page where you can input your personal info.

    This is primarily geared towards people who have trouble determining if it's a scam or not. Should those people really be forwarding emails to a phishing detection service?

    Not that I don't trust the intent of this group (nor do I necessarily trust them), but I would be uncomfortable with the idea of them having such a large collection of non-scam emails. If they had bad intent, that sounds like the ultimate phishing scam, send us everything that CLAIMS to need your personal info and this service will tell you whether that was real or not. And if they are successfully detecting phishing scams, what a trove of private non-scam emails that were volunteered.
  • Moo (Score:1)

    by Chacham (981) on Thursday October 05 2006, @02:28PM (#16326311)
    (http://tkatch.com/ | Last Journal: Monday October 29, @02:09PM)
    Is there some way to tell if a slashdot comment is just phishing for more comments, or actually has something to say?
  • Missiles (Score:2)

    by Anne Thwacks (531696) on Thursday October 05 2006, @02:43PM (#16326527)
    But will they launch cruise missiles at the perpetrators?

    Until the US government takes at least the same level of action against phishers it has taken against online gambling establishments, phishing will continue unabated.

  • by NubKnacker (787274) on Thursday October 05 2006, @11:46PM (#16332687)
    A lot of the users on the site seem to be unclear of what phishing is. In short, according to Wikipedia, phishing is a criminal act where you deceive someone to obtain sensitive information (bank accounts, credit card numbers) from them. While some of the "2 minute mortgage" messages on the site may seem like phishing, they aren't really that quite simply because you are not revealing any sensitive information to the site except your phone number (which all the telemarketers have anyway).

    The government's definition of phishing seems to be at odds with that of Wikipedia, which I assume is the average internet user's definition. Take a look [michigan.gov]

    But then again, "sensitive information" is a relative term. If one considers record of his bankruptcy sensitive information (I'm quite certain that's a matter of public record in most countries), then yes, the message above is phishing.