Trusted source PhishTank reaches 4 million reports

NotBuyingIt
Posts: 3301
Joined: Fri Mar 11, 2011 6:21 pm

Trusted source PhishTank reaches 4 million reports

Post by NotBuyingIt » Sun Apr 24, 2016 5:48 pm

Today, WOT trusted source PhishTank.com will reach a milestone of publishing 4 million incident reports about phishing scams.
When the PhishTank evaluators deem a reported URL to be a phishing incident, WOT automatically posts a caution on the scorecard for the corresponding website. When PhishTank determines that the incident has been taken offline, WOT automatically removes its caution. To be effective, PhishTank needs to rapidly evaluate incoming incident reports because most of the harm from a phishing scam occurs within a day or so after it commences. Unfortunately, the PhishTank community is not processing the reports fast enough. For WOT users to be protected, PhishTank needs more evaluators.

May I suggest that interested WOT community members who have the technical savvy to recognise online scams volunteer a little of their time to help out PhishTank.

spectre
Posts: 4017
Joined: Sun May 03, 2009 10:43 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by spectre » Wed Apr 27, 2016 12:04 am

[quote user="notbuyingit"]
May I suggest that interested WOT community members who have the technical savvy to recognise online scams volunteer a little of their time to help out PhishTank.
[/quote]

Agreed, the quicker a phishing URL is verified, the more people are protected from these criminals.

Site-rater
Posts: 2926
Joined: Tue Sep 15, 2009 7:48 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by Site-rater » Wed Apr 27, 2016 1:26 am

As a note, once a site gets verified in PhishTank, it will not only be listed on the WOT scorecard, but also users of OpenDNS will find that these reported sites will be blocked too.

PhishTank is run by OpenDNS, an independently-operated (to the best of my knowledge) subsidiary of Cisco Systems.

spectre
Posts: 4017
Joined: Sun May 03, 2009 10:43 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by spectre » Thu Sep 08, 2016 4:08 pm

[quote user="notbuyingit"]
Unfortunately, the PhishTank community is not processing the reports fast enough.
[/quote]
There are so many false positives being submitted by the cleanmx account that members waste time trawling through these and don't have time to verify genuine reports. I think this account submits its entire inbox to PhishTank rather than just suspected phishes.

I have also reported several accounts that submit links to streaming sites to promote these sites. These accounts should be banned.

NotBuyingIt
Posts: 3301
Joined: Fri Mar 11, 2011 6:21 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by NotBuyingIt » Thu Sep 08, 2016 5:07 pm

[quote user="shazza"]
There are so many false positives being submitted by the cleanmx account that members waste time trawling through these and don't have time to verify genuine reports. I think this account submits its entire inbox to PhishTank rather than just suspected phishes.

I have also reported several accounts that submit links to streaming sites to promote these sites. These accounts should be banned.
[/quote]

I'm painfully aware of those two issues; they are among the reasons that additional highly capable evaluators are needed. Twenty minutes per day from several dozen additional evaluators would greatly help. PhishTank has already received over an additional four hundred thousand reports since I created this thread.

Connected with the service cleanmx.de, cleanmx is an aggregator which unfortunately doesn't always preen its feed suitably for PhishTank. (Because cleanmx.de sometimes is the target for severe DDoS attacks, some people may forgive the lapses.) However, cleanmx does supply the largest number of true positives to PhishTank. Also, one of the tank's important responsibilities is to identify false positives. When the volume of "duplicates" or of false positives from cleanmx becomes overwhelming, one may need to simply skip reports from that source. PhishTank's listserver provides two subscriptions through which this issue has been (and probably needs to be further) discussed.

The streaming sports spam is less of a problem. Instead of deleting the fake reports, PhishTank's administrators or moderators try to quickly remove them from the active evaluation queue by marking them off-line (even though they are really online). The spam attacks upon PhishTank are a great resource for evidence when WOT community members are rating sites for spam / privacy risks / potentially illegal activities. (Thanks to shazza for all those ratings!)

NotBuyingIt
Posts: 3301
Joined: Fri Mar 11, 2011 6:21 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by NotBuyingIt » Thu Sep 08, 2016 8:23 pm

[quote]
Other problem, when clicking "Verify A Phish", I select the first in the list which was submitted the same day. Then I click on "Next unverified phish >" and I have to verify a phish submitted on "Aug 17th 2016 9:28 PM". I click again, "Submitted May 21st 2016 5:02 PM" etc.

I know I can verify last submission, but I don't understand why PhishTank uses this behavior. It should focus its users on same submissions.
[/quote]

My guess: "Next unverified phish" presents reports in a random order so that not all evaluators will examine the same URL (or be a burden upon the same servers) at the same time. Several consecutive incident reports may involve the same domain, so the random presentations allow a broader range of opinions about it. Random order may also help give more attention for a larger number of submitters instead of all of the attention going to two or three bulk submitters. For example, one source used to submit hundreds of PayPal phishing incidences every day.

NotBuyingIt
Posts: 3301
Joined: Fri Mar 11, 2011 6:21 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by NotBuyingIt » Thu Sep 08, 2016 9:51 pm

[quote]
Also, PhishTank should resolve shortened URLs and remove them from their list.
[/quote]

Some of PhishTank's most important subscribers need to know when a "shortened" URL, in addition to its target, is involved in a phishing scam. To avoid email filters, criminals will often include shortened URLs in deceptive spam email instead of the URLs of actual scam or malware-laden webpages. In order for shortened URLs to be added to subscribers' email filters, they need to be voted "Is a Phish".

PhishTank is primarily concerned with URLs and their webpages, not with domains. For the same scam webpage, several incident reports may be involved when the hackers have constructed a chain of redirection. The inference regarding whether or not to block a domain is determined at some other level, not in the evaluation of an incident report. Most often, domains that provide shortened links are whitelisted (by PhishTank subscribers in a subsequent process).

Site-rater
Posts: 2926
Joined: Tue Sep 15, 2009 7:48 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by Site-rater » Thu Sep 08, 2016 9:55 pm

[quote user="notbuyingit"]
PhishTank is primarily concerned with URLs and their webpages, not with domains. For the same scam webpage, several incident reports may be involved when the hackers have constructed a chain of redirection.
[/quote]

Since PhishTank is owned by OpenDNS, doesn't OpenDNS use the service as a source for their filters? And since OpenDNS operates on a DNS level, doesn't that mean any listings that trickle down to the OpenDNS filter get blocked at a per-domain level?
I would guess in such a case, OpenDNS would block only the most infected domains or domains dedicated to phishing activity.
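
The split discussed in the posts above (URL-level verdicts, with domain-level decisions made in a later subscriber-side step) can be sketched as follows. This is an added example, not part of the original thread and not PhishTank's or OpenDNS's code; the report records, the allowlist, and the "dedicated domain" threshold are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample verdicts: (reported URL, evaluator verdict).
REPORTS = [
    ("http://short.example/a1", "phish"),            # shortened link used in spam
    ("http://login-update.example/paypal/index.php", "phish"),
    ("http://login-update.example/bank/verify.php", "phish"),
    ("http://login-update.example/santander/", "phish"),
    ("http://blog.example/wp-content/x/login.html", "phish"),  # compromised site
    ("http://blog.example/about", "not_phish"),
    ("http://short.example/zz", "not_phish"),
]

# Hypothetical subscriber-maintained allowlist of link-shortening services.
SHORTENER_ALLOWLIST = {"short.example"}


def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def build_filters(reports, allowlist, min_phish=3):
    """Return (url_filter, domain_filter).

    url_filter: every URL voted a phish, shortened links included, so that
    mail filters can match the link that actually appears in the spam.
    domain_filter: hosts that look dedicated to phishing (assumed rule: at
    least min_phish phish verdicts and no clean verdicts), never allowlisted
    shorteners.
    """
    url_filter = set()
    phish = defaultdict(int)
    clean = defaultdict(int)
    for url, verdict in reports:
        host = host_of(url)
        if verdict == "phish":
            url_filter.add(url)
            phish[host] += 1
        else:
            clean[host] += 1
    domain_filter = {
        host for host, count in phish.items()
        if host not in allowlist and count >= min_phish and clean[host] == 0
    }
    return url_filter, domain_filter


if __name__ == "__main__":
    urls, domains = build_filters(REPORTS, SHORTENER_ALLOWLIST)
    print(sorted(urls))
    print(sorted(domains))
```
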

NotBuyingIt
Posts: 3301
Joined: Fri Mar 11, 2011 6:21 pm

RE: Trusted source PhishTank reaches 4 million reports

Post by NotBuyingIt » Thu Sep 08, 2016 10:05 pm

[quote user="Site-rater"]
Since PhishTank is owned by OpenDNS, doesn't OpenDNS use the service as a source for their filters?
[/quote]
OpenDNS uses PhishTank data, but it makes its own decisions. I've seen OpenDNS block sites before PhishTank has made any determination and I've seen OpenDNS unblock sites because it deems PhishTank to have reported a false-positive. (Hopefully, PhishTank will later correct its report.) Of course, if a webpage is blocked because it contains malware, PhishTank may nevertheless accurately report the same webpage "Not a Phish".

NotBuyingIt
Posts: 3301
Joined: Fri Mar 11, 2011 6:21 pm

Trusted source PhishTank approaches 5 million reports

Post by NotBuyingIt » Wed Apr 12, 2017 8:14 pm

WOT trusted source PhishTank.com will soon reach another milestone — publishing 5 million incident reports about phishing scams. I will be reducing my participation (I've helped to evaluate over one-quarter million reports). May I suggest that adept community members with an interest in Latin American banking, in particular, volunteer some time with PhishTank. I have noticed roughly 100 new reports daily about Santander (Brazil), Banorte (Mexico) and Banco Estado (Chile) that are too slowly evaluated to have much benefit to WOT users. Many of the scams use newly registered domains which evaluators probably should immediately rate for WOT, too.