PhishTank Taps Community To ID Scams

mikesd81 writes, "The AP has an article on PhishTank, OpenDNS's service for fighting e-mail fraud. The free service seeks to tap the wisdom of the Internet community in identifying phishing emails and sites." From the article: "Users simply submit to PhishTank.com the messages they believe are scams. Others then examine the message and the site to which it links and decide whether it is or isn't a scam. When an item gets enough votes and the margin is wide enough, it is either dropped or classified as a phishing message. To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages." Update: 10/05 18:24 GMT by kd : David Ulevitch wrote to mention: "PhishTank, unlike any other anti-phishing service, provides a full API and open access to the data for any developer to use to secure their applications. Before PhishTank, someone from the SpamAssassin project or maybe the Squid Cache would have to fork over a lot of money for phishing data to groups like the Anti Phishing Working Group or Symantec. It's now available for free, and I believe in a far more accurate and usable form."

Not really

[OverlordQ]

To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages.

I dont really see how that prevents scammers from gaming the system. All it means is that it'll take a few more scammers to make sure their definition of 'scam' isn't what everybody elses is. If they do that, when people vote scam pages as scams the system will think "Hey thats not right" and it'll lower the legit users accuracy.

Yes really.

[BlackMacUser]

Actually, it will do a good job of keeping scammers out as it specifically is designed to keep scammers out. You obviously do not understand how harddrives work, as this technology makes it impossible for untrusworthy users to edit the harddrive. This technology is amazing and I hope it is used in all future voting robots.

Re:

[Mateo_LeFou]

I think a cool gotcha for people that tried this would be if a message gets a certain number of "notscam" votes, an administrator of the site looks at it personally. If it's a scam, the users who submitted those votes could have *all of their votes *reversed!

Re:

[joe 155]

Indeed. Although it would take a lot of scammers... maybe this is just a sophisticated phising attack, waiting for all the scammers to register and start voting (the way that they know is the wrong way) and then they have the scammers IP address. BAM! you've got one.

Sure some people will use a good proxy, but it only takes one idiot spammer to fall for it to be of use ; )

It will work

[OwenMarshall]

All PhishTank has to do is to inject known phishing messages. For example, each 1/10 messages the user rates are known to be phishing by PhishTank. If a user repeatedly marks that message as legit, we know that user is trying to game the system. Alternatively, (or perhaps additionally) a few trusted PhishTank users in the beginning can seed the system. Anyone who consistently votes against them will be gaming the system.

Re:

[hotdiggitydawg]

..and if a botnet Pharmer has a hundred thousand "users", all who vote as legit users for a month, and then all who suddenly mark as "legit" the messages he is personally sending out? You'll need a huge number of legitimate users to drown out the bots, and even then it'll be a struggle to keep up.

Re:

[mrogers]

Let's assume that scammers are outnumbered by legitimate volunteers - after all, spam and phishing rely on automation, not widespread participation. For the scammers to take over the community, they'd have to agree with the legitimate volunteers about the classification of most messages, and disagree with the legitimate volunteers (but agree with one another) about the small number of messages they wanted to force through. If they disagreed with the legitimate majority about too many messages, their opinion

Re:

[davidu]

I dont really see how that prevents scammers from gaming the system. All it means is that it'll take a few more scammers to make sure their definition of 'scam' isn't what everybody elses is. If they do that, when people vote scam pages as scams the system will think "Hey thats not right" and it'll lower the legit users accuracy.

That's not how it works.

1. You don't see other people's votes until after voting is done.
2. Second, you don't get scored until after the phish is verified.

The wisdom of the crowds, a

I Just Registered

[eldavojohn]

I just registered and flew through a few of them. Honestly, some of these are very very good phishing attacks. In fact, some are so good that it's unclear whether or not you can call them 'phishing attacks.' For instance, one asks you to apply for mortgage but doesn't ask you for sensitive information aside from your address and phone number.

Now, I don't want them selling this to telemarketers and snail mail SPAM but maybe there are people looking for mortgages and want to be contacted. What do I vote this as? There is no possible phishing attack to select. When I clicked 'phishing' attack, 70% said it wasn't while I was part of the 30% who said it was. Kind of confusing.

After voting on ten of them (all of which, I decided where scams), I found a classic Ukrainian eBay phish. 100% votes were phishing attack. I started to notice that the URL tells more than the actual message itself. I guess I wish the site would have a section firmly defining phishing attacks and what are obvious give-a-ways.

This is all they say on that:

What is phishing?

Phishing is a fraudulent attempt to get you to provide personal information, including but not limited to, account information.

How do I tell a phish email from just regular spam?

Spam is unsolicited commercial email...which may include phishing attempts, but is often simply unwanted marketing. Phishing often has criminal intent. Spam isn't always, though it can be.

So appearantly the mortgage example asked for personal information but was just Spam? I'm a bit confused.

It could be either.

[khasim]

So appearantly the mortgage example asked for personal information but was just Spam? I'm a bit confused.

"Spam" is in the eye of the beholder.

But this could also be phishing if the phisher is building a database linking email addresses to real names / physical addresses / phone numbers.

The more pieces of information they can get, the easier it is for them to get the missing pieces. Remember HP's "pretexting" story?

What is the minimum amount of info you need to "steal" someone's identify? Name, Social Securi

Re:

[joe 155]

One thing you mentioned which is something I've encountered when doing something functionally similar to this (it was a test to see how good you are at spotting these things where you had to vote either yes or no), being;

"After voting on ten of them (all of which, I decided where scams)"

...When I did it i said that all of the emails were scams because without context it can be hard to tell, and the more you know about computers and phishing the more you will be inclined to think that the mail is phishin

Re:

[joshetc]

Exactly. It doesn't take a computer genious to determine what is a scam. If you aren't EXPECTING the e-mail it is more than likely a scam. Reguardless of it being a scam or not if $RANDOM_BANK sent me an e-mail I wouldn't input personal data as I know I have no account with them.

Re:

[Mister Whirly]

Yeah, getting a notice from a bank I have never had an account with telling me I need to update my personal information is kind of a clue that it may not be legitimate... And don't even get me started on how much money that damn Nigerian still owes me....

Why Not Just Fix It?

[MikeyTheK]

For as long as I can remember there have been attempts to fix email so that it won't be subject to spammer stupid-tactics. How long is it going to take? Answer: Until M$ makes OE use digital signatures by default.

Re:

[MankyD]

For as long as I can remember there have been attempts to fix email so that it won't be subject to spammer stupid-tactics.

That may fix "stupid-tactics" but a lot of phishing is simpler social engineering. There's no concrete way around it really - if the phisher can type the write message up that convinces you to give your information away or click their link, then there's no stopping it.

The only semi-effective method developed so far is to measure each email against no phishing characterstics and webs

Phishing using copied messages

[phorm]

A lot of the phishing scams I receive nowadays are real messages, such as ebay alerts, with the link pointing back to a phishing site that appears to be the real thing but actually is used to steal passwords. Other include fake announcements from banks, etc, again where everything is fairly close to the real thing exempting the actual web address linked.

So how would it differentiate between these and the emails from the original site. While some of the bank ones are most likely just make up to look legit,

Re:

[InvisiBill]

So how would it differentiate between these and the emails from the original site. While some of the bank ones are most likely just make up to look legit, the ebay and others are copied from modified messages.

It doesn't. PhishTank identifies phishing sites, not phishing emails. It differentiates between http://www.ebay.com/ and http://www.ebay.com.hackersite.com. That in turn can be used to determine if an email is a phishing email (if it contains a link to a phishing site), but PhishTank itself doesn't ra

Re:

[phorm]

Ahhhh. Well that educates me a bit, so basically it's something like an RBL for phishing sites.

What about hacked sites? The last few phishes I found, they were actually legit sites that had been hacked (one was what appears to be a school in Brazil, which had it's hoarde email service hacked to impregnate it with a phishing sub-site).

Re:

[InvisiBill]

Ahhhh. Well that educates me a bit, so basically it's something like an RBL for phishing sites.

Yup, basically.

What about hacked sites? The last few phishes I found, they were actually legit sites that had been hacked (one was what appears to be a school in Brazil, which had it's hoarde email service hacked to impregnate it with a phishing sub-site).

There has been some confusion over this, especially due to the ties with OpenDNS. OpenDNS does plan to use PhishTank data to help keep people safe from phish

Interesting system...

[mutterc]

Huh. Moderating messages, with some kind of 'meta-moderation' to keep track of the moderators.

Nope, that'll never catch on.

I remember when Phish was a good jam band...

[jbdaem]

((pre coventry)) And know the ph is usually sysnonymous with some sort of scammage, a scheme, and what not. How did we go so far away form the originally usage?? [assuming that no one was "phishing" before phish [phish.com] formed} I hope this isn't toooo oftopic?? ;) Also rather nice to see the continued usage of the power of the people, democratic methodology, rather like when those things are put to use.... Thanks all the dev's out there ((slashdot included 3 )) who keep that set of values rolling... And h

Re:

[Rob T Firefly]

The term was originally coined back in the AOL days because the scammer was "fishing" for victims, casting out a ton of bait (as in fake msgs/emails/IMs) and hoping someone bit. The "ph" came about as the replacement for the "f" under standard l337-speak rules.

Re:

[jbdaem]

ah... was this a first born the media trying to spice up or otherwise make their drek palatable?

eh not leet speak

[BitterAndDrunk]

Well, sort of leet speak.

The grandparent is somewhat right. The term's "ph" originates from an original attack vector from back in the days of 300 baud called "phone phreaking" [wikipedia.org].

Phishing (with a ph) is a homage to that.

Re:

[Rob T Firefly]

I think I saw the term used by phishers themselves on the cheezy "underground" sites or BBSes they had in the early 1990s, while I've only seen the mass media use it in the past five years or so.

Re:

[jbdaem]

ok, so I threw blame out to someone who might NOT have deserved that little chunk... /me coughs, uh oh, here comes another piece of last nights chuck... Moof! funny, I was just reminiscing with someone last night about old 300 baud modems and BBS's and such... Also bantered about A/UX. Can't we just do the una Una (bomber) and go back to the good old days when primal rage roared of many ma bells guts?


Can someone help me find the tape, I think I need to seal this orafice shut... Man, try to make

forward my spam filter?

[Speare]

Why not just set up a scheme by which I can forward some of my spam-phish filter hits to their receiver?

• if it mentions [a known financial institution],
• if it doesn't mention [my own few known financial institutions],
• if it mentions "login" or "password" or "activity",
• it's a phish.

When I get a new one I've never seen, I just add the name of the institution to the top of the rule. It doesn't take ME long to rule out all mails claiming to be from First Mutual of Podunk, even though there may exist som

What's obviously coming...

[pazu13]

Dear PhishTank user: There has ben a problem with your account information. Please go to http://www.phishtank-org.uk/UserID357zzzzx.html [phishtank-org.uk] to make appropriate changes.

Re:

[UNIMurph]

That link seems to have been slashdotted, i can't load it.

cloudmark?

[Loconut1389]

sounds a little like the old Cloudmark spam net.

Netcraft has done it for at least the past year

[Radice Utente]

http://toolbar.netcraft.com/ [netcraft.com] Netcraft installs a tool bar on your browser that shows host information (including country) and the level of trustworthiness. Users can submit phishing links through a link on the bar. I use it mostly to spot the hosts of spammers, but it also raises useful questions such as a link from eBay with a web hosting service in Korea. They've recently become particular about what kind of URLs they consider phishing. For example I wouldn't consider a mortgage spammer hosted in China to be a serious candidate when it's time to re-fi the family manse. They also don't consider possibly illegal content (child porn for example) to be phishing.

Re:

[davidu]

And how do you access the netcraft data in your applications?

With PhishTank you don't need to pick Symantec over Netcraft or McAfee over Kaspersky. With PhishTank, they can all pull a feed and do what they want.

-david

Re:

[ostiln]

Personally I prefer WOT [mozilla.org]. It's a website reputation system, which lets me vote on the trustworthiness without leaving the site. More on their technology can be found on their blog [mywot.com]. They say it knows over 10M sites already, which is quite impressive.

Phishers Will Test This

[miller60]

You'd be amazed at how technically sophisticated some of these phishing crews are becoming. They've all got botnets in which they wield large numbers of compromised computers. If a bot can be trained to sign up for a Blogspot blog and autogenerate SpamSense blogs, they may find a way to vote for/against sites on this system as well. Bot nets are perfect for online voting, as they can send a steady stream of votes from different IP addresses. That's why blogs have such trouble with comment spam - it's coming from 50 different IP addresses.

I think this is a bad idea...

[Phil_At_NHS]

I get this garbage all the time. I know instantly whether or not it is a Phish. If I get an email from a bank about some security issue, and I do not do business with that bank, it is a Phish. If there is any doubt, I can look at the data behind the link that is given. If it goes to www.bankofamerica.com, it is legit. If it begins with some IP address, it is not. I personally do not need group concensus to know it is a Phish. Being a good Netizen, I will hit the link to see if it is still active, and

Re:

[Beardo the Bearded]

What if your link goes to bank0famerica.com? If you're not wearing your trifocals, you might not know that's a 0 instead of a o. If the website is designed to look like the legit site, then people could get phished. The 0/o is a simple example. There are recently patched exploits using non-romantic characters.

Remember that not everyone is tech savvy. Some people can't use a microwave.

Re:

[Phil_At_NHS]

Oh certainly, but that is not the point. If someone THINKS a site may be a Phish, you can send it to the targeted organization, who will KNOW, instantly, if it is not legit and take immediate steps to shut down the site for all the world, or you can send it to this new site, where a whole bunch of people will weigh in with thier opinion, (how many of THEM will have left thier trifocals at home?, how many might be the Phishermen themselves?) and EVENTUALLY after all of this voting is tallied up, it will be

Re:

[cdrguru]

Why isn't registering www.bank0famerica.com handled properly - by rejecting it?

Why would some scamming registrar accept such a domain name registration in the first place?

what about...

[BenSchuarmer]

an email from somebody you do business with with links to superstatement.com or rm05.net?

It's not always as black and white as the examples you mention.

Re:

[Phil_At_NHS]

It may not be be black or white to me, and it will be just as grey and iffy to you, Joe, Fred, Wilma or any other everday shmoe who will be asked to evaluate the link on the Phishtank site to determine if it is good or bad. However, I guarentee you it will indeed be black or white to the online fraud department of whatever organization is being hijacked. They WILL know, to a 100% certianty, if it is not legit, and rather than put it on a list of sites to be avoided, they will shut it down. Which is bette

that takes time...

[BenSchuarmer]

I do generally forward anything that looks remotely phishy to the organization that it appears to be from. Hopefully they'll shut down the phishing sites or give their own pages URLs that are under their domain instead a third partiy domain.

I've never gotten a useful reply back (5 pages of boilerplate about how to report abuse is not useful to sobebody who just reported abuse correctly).

More importantly, I've seen phishing sites that were still up weeks after I reported them to the hosting ISP and the co

Re:

[Phil_At_NHS]

When I have checked fishing links, about half the time, they are shut down by the time I check my email and hit the link. Whenever I have checked previously functional links a few hours after turning them in, about half the time I turn one in, they have almost alway been down. the other hald that I don't check back on? Who knows. I do know of one possible problem, which is one phisher setting up multiple sights. I usually get the same needless boileplate, but always ask, on the off chance, if they will

Phising is fairly sophisticated...

[figgypower]

I've gotten eBay messages that look pretty authentic. The only reason I know they aren't is because I changed the default of recieving HTML e-mails ot text. I'm not even sure why HTML is the default.

That said, a lot of people easily go through with these links and they're often working for days on end. I don't know what you're talking about, honestly. I check this links and try to do stupid things like fill in my username as "fuckyou" and my password as "f_u_8_c_k_9_y_o_u"... yeah, I'm a geek with some

Re:

[Phil_At_NHS]

I do the same thing you do, except my "password" is usually, "getarealjob, jackass." I never said things were "Dandy", just that it seemed this site was counterproductive. If the site would forward those PAYPAL phishes to PAYPAL, the BOA Phishes to BOA, as soon as they are recieved, and even allow and encourage these companies to be the final expert on the legitimacy of the email, that would be prefect. I don't have a problem with anything they are trying to do here,It just seems to me that it will tend

Re:

[figgypower]

A wall of shame is a brilliant idea! If I'm motivated enough, I might tell PhishTank -- but knowing me, maybe you should.

Re:

[Phil_At_NHS]

Good Idea. I just did.

Re:

[InvisiBill]

If the site would forward those PAYPAL phishes to PAYPAL, the BOA Phishes to BOA, as soon as they are recieved, and even allow and encourage these companies to be the final expert on the legitimacy of the email, that would be prefect. I don't have a problem with anything they are trying to do here,It just seems to me that it will tend to reduce the likelyhood of a report going to the targeted organization.

With the open API, each target could actually parse the submissions for attacks against it. When you s

Re:

[Phil_At_NHS]

Exactly. Well, that would be ALMOST perfect. PERFECT would be if those reports could somehow include the name and address of the bastard's responsible for it.

Do I want to send them non-scams?

[Pootie Tang]

I'm not sure that if I'm getting legitimate emails that might be a scam I want to submit it to find out. I recognize that email isn't secure and there shouldn't be any private information in them, but there is. At least partial information such as the last 4 CC digits. Often a token to take you direct to the page where you can input your personal info.

This is primarily geared towards people who have trouble determining if it's a scam or not. Should those people really be forwarding emails to a phishing dete

Moo

[Chacham]

Is there some way to tell if a slashdot comment is just phishing for more comments, or actually has something to say?

Missiles

[Anne Thwacks]

But will they launch cruise missiles at the perpetrators?

Until the US government takes at least the same level of action against phishers it has taken against online gambling establishments, phishing will continue unabated.

Clearer definition of phishing

[NubKnacker]

A lot of the users on the site seem to be unclear of what phishing is. In short, according to wikipedia, phishing is a criminal act where you decieve someone to obtain sensitive information (bank accounts, credit cars numbers) from them. While some of the "2 minute mortage" messages on the site may seem like phishing, they aren't really that quite simply because you are not revealing any sensitive information to the site except your phone number (which all the tele marketers have anyway).

The goverments d