Phishing is normally considered a scam propagated by email, but more and more bad guys are adding phishing websites to their repertoire. A recent NSS Labs study mentions that in 2011 an average of 40,000 new phishing websites were created every month. In 2012, there were over 52,000 unique phishing websites created monthly. To give those numbers some meaning, consider that there are only 26,000 phishing email scams per month, and phishing email scams are much easier to set up and manage.
Something else to note: the average time it takes to rebuild a phishing website and move it to a different domain has dropped from 73 hours in 2010 to less than 24 hours in 2012. If that also doesn't seem like that big a deal, just ask someone familiar with the process how long it normally takes. The difference, hopefully, is that the person you ask is not trying to evade detection.
Spotting phishing websites
There are currently two types of popular phishing websites. One is where the attacker tries to persuade the victim to enter sensitive financial information, such as credit-card numbers, at a website imitating a real company's site. Another ploy asks the victim to visit a website that automatically installs malware designed to capture the victim’s financial information when visiting an official website, and eventually sends it back to the phisher.
The fact that phishing websites are becoming more numerous can mean only one thing: They are working. Like legitimate businesses, bad guys seek the best possible return for their time and money.
The unsettling thing about phishing websites is the victim’s unawareness that anything is going on, only learning about the scam when bank or credit card statements show up.
In an attempt to curtail these highly successful phishing websites, the security industry has resorted to setting up what are being called reputation-based systems. Basically, web-browser developers buy databases containing information on a website's legitimacy from services like Google's Safe Browsing, then they use the information to create their own blacklists and/or whitelists of websites.
The key element of the reputation-based system is the web browser. When a website's URL is typed in, the web browser queries the lists created by its online reputation-based system. Depending on what answer the web browser receives back, it will either allow the website's HTML to download, or it will prevent the website from opening, issuing instead a warning similar to the one shown below.
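To make that lookup concrete, here is an added illustration (not code from NSS Labs, Google, or any browser) of a Safe Browsing-style local list check: the URL is broken into host-suffix/path-prefix expressions, each is hashed, and a cached prefix hit is confirmed against full hashes before the page is blocked. The list entries and domains are constructed placeholders.

```python
"""Simplified reputation-list lookup in the style a Safe Browsing-backed browser
runs before it lets a page's HTML download. Constructed sample data throughout."""
import hashlib
from urllib.parse import urlsplit


def _parts(url):
    return urlsplit(url if "://" in url else "http://" + url)


def url_expressions(url):
    """Host-suffix / path-prefix combinations the lookup checks.
    Matching on these, not on the exact URL, means a phishing page moved to a new
    subdomain or subfolder of a listed site still hits the existing list entry."""
    parts = _parts(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    labels = host.split(".")
    # exact host plus up to four parent domains (never the bare TLD)
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)][:4]
    segs = path.split("/")
    # "/", each directory prefix, the full path, and the full path with its query
    paths = ["/"] + ["/".join(segs[:i]) + "/" for i in range(2, len(segs))] + [path]
    if parts.query:
        paths.append(path + "?" + parts.query)
    return {h + p for h in hosts for p in dict.fromkeys(paths)}


def hash_prefix(expr, n=4):
    """Lists are shipped as short SHA-256 prefixes, so the browser never sees the URLs."""
    return hashlib.sha256(expr.encode()).digest()[:n]


# Constructed sample lists; placeholder domains stand in for a vendor's real feed.
LIST_ENTRIES = {"bad-bank-login.example/", "files.example/hosted/phish/"}
FULL_HASHES = {hashlib.sha256(e.encode()).digest() for e in LIST_ENTRIES}
LOCAL_PREFIXES = {hash_prefix(e) for e in LIST_ENTRIES}  # what the browser caches
ALLOWLIST = {"bank.example"}  # exact hosts only; a look-alike subdomain inherits nothing


def check_url(url):
    """Decide 'allow' or 'block' before any HTML is fetched."""
    if _parts(url).hostname in ALLOWLIST:
        return "allow"
    # Step 1: cheap local test against cached prefixes (most URLs stop here).
    candidates = [e for e in url_expressions(url) if hash_prefix(e) in LOCAL_PREFIXES]
    # Step 2: a prefix hit is only a possible match; confirm against full hashes
    # (in a real browser this is the round trip to the reputation service).
    confirmed = [e for e in candidates if hashlib.sha256(e.encode()).digest() in FULL_HASHES]
    return "block" if confirmed else "allow"
```

Note that this is the reactive half of the system: a freshly rebuilt site on a domain not yet in the feed passes the check until the list is updated, which is why the rebuild time in the article matters.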
Testing the Web browser
NSS Labs tests all major web browsers (Chrome, Firefox, Internet Explorer, Opera, and Safari) to see how well each browser's system does in flagging phishing websites.
I’ve written about NSS Labs before, and if anything it is thorough, always explaining the test environment and methodology used (Appendix A of the study report). Before getting to the individual results, I’d like to pass along its comments about all of the web browsers tested:
- Overall response times have improved dramatically across the board
- The web browsers using Google’s Safe Browsing API averaged 94 percent block rate, an increase over last year’s 91.7 percent
- The mean phishing block rate among the tested browsers is 90.1 percent, a decrease of almost 2 percent from last year's average.
The phishing block rate is one of the more important indicators, simply because it tells how well the web browser and the online portion of the reputation-based system work together. The slide below shows the phishing block rate for each web browser.
Another interesting test parameter was the time required by web browsers to block a phishing threat once it was introduced into the test cycle. According to NSS Labs, all web browsers improved from last year. As the slide below shows, all threats were accounted for in less than 24 hours.
(Source: NSS Labs)
(Source: NSS Labs)
NSS Labs concluded the report with a few recommendations. Most are obvious, but I thought it best to include them to be sure:
- If possible, use the most current version of a web browser. Doing so affords the best overall security and the latest version of the reputation-based system software
- Keep users up to date. That improves the odds of not falling for phishing attacks that bypass web browsers
- Increase security awareness. Good judgment remains the best defense against social-engineering attacks.
If I had to pick the most important recommendation it would be increasing security awareness. I do not care how well an automated system works, it is still a reactive response -- staying safe during your Internet travels depends on being well informed.
— Michael Kassner is a writer and consultant specializing in information security.