web application security lab

OpenDNS Launches Phishing Site Aggregation Service - PhishTank

It was only a matter of time before this happened, but OpenDNS launched a new service today called PhishTank. The concept, according to their community advocate, Allison Rhodes, is as follows:

- PhishTank is a free community site that aims to be an accurate clearing house of phishing data.
- Users submit their phishes through email, the web, or via APIs.
- Other users then can login to the Web site and verify phishes. There are backend systems which help prevent gaming of the voting mechanisms to ensure that there are no false positives.
- PhishTank closes the ‘feedback loop’ with end users to let them know of the status of the phish they submit, either via email alerts or a personal RSS feed. This is in contrast to the black box nature of most anti-phishing services on the net (run by security companies who want the data kept private).
- PhishTank has a free and open API. The goal of this API is to allow any developer to use the data in the PhishTank and help put an end to phishing in their own applications.

I’ve got pretty much the same concerns with this as I had with OpenDNS’s original implementation of the anti-phishing list. It’s a clever idea, but it’s got two gaping holes in it.

The first issue is our favorite one - XSS. If I can inject XSS into a website, all DNS can say is “domain is good” or “domain is bad” - nothing more. But in the case of XSS the site can be good while the specific URL you are attempting to visit is bad. You can’t blacklist an entire website because one URL is bad - you need to stop that one URL, or maybe a directory of URLs. That’s a granularity that DNS cannot provide.

Okay, that’s fine, you can phish the user’s sensitive information, but you still have to send the data off somewhere, right? And when they do that you can block THAT host - because that host has to be compromised to log that information in the first place, so that’s a safe bet, right? I might agree with that statement, even though lots of otherwise valid sites get owned for this exact reason. But even then it’s easy to get around - just use an IP address. No DNS lookup required. Complete circumvention using XSS and an IP address. Seems like an issue to me.

My other concern, although the service is still valuable, is that it competes with a number of other services that do the exact same thing. APWG (Anti-Phishing Work Group), PRN (Phish Report Network - owned by Symantec), and MarkMonitor (the service that IE7.0 uses) all do the exact same thing. Why start another one?

I guess you could make the point that people prefer an open source solution but I don’t really want some idiot hijacking my domain by claiming I have a phishing site on my domain (through XSS or otherwise). The liabilities there are pretty huge. But even still, I see the point in it, and I wish them the best of luck and I hope the people who use the API do something better with it than DNS alone. Frankly I don’t care who wins, but really there should be one master service - not four. Maybe one of these groups will bite the bullet and start working with the others.
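As an added illustration of the granularity problem described above (example code written for this edit, not from the original post or from PhishTank), here is a small Python comparison of a hostname-level (DNS-style) filter against a URL-level one. The hostnames, paths and list entries are constructed; they are not real PhishTank data.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample blocklists (not PhishTank data). The DNS-style list holds
# whole hostnames; in the URL-level list an entry ending in "/" covers that
# directory, anything else is an exact URL.
BAD_DOMAINS = {"phish-example.test"}
BAD_URLS = {
    "http://phish-example.test/",                  # whole site is a phish
    "http://redirector.example/cgi-bin/redir/",    # one abused directory, not the host
    "http://good-bank.example/search?q=<script>",  # one XSS-carrying URL on a good site
    "http://192.0.2.10/",                          # IP-literal host: DNS never sees it
}

def host_is_ip_literal(host: str) -> bool:
    """True when the URL names an address directly, so no DNS lookup happens."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def dns_verdict(url: str, bad_domains=BAD_DOMAINS) -> str:
    """What a resolver-level filter can decide: only the hostname, never the path."""
    host = (urlsplit(url).hostname or "").lower()
    if host_is_ip_literal(host):
        return "not consulted"  # the resolver is never asked, so it cannot block
    return "blocked" if host in bad_domains else "allowed"

def _normalize(url: str) -> str:
    """Canonical scheme://host/path?query so entries and targets compare equal."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}{query}"

def url_verdict(url: str, bad_urls=BAD_URLS) -> str:
    """URL-level filter: exact match, or prefix match for directory entries."""
    target = _normalize(url)
    for entry in bad_urls:
        e = _normalize(entry)
        if target == e or (e.endswith("/") and target.startswith(e)):
            return "blocked"
    return "allowed"

def compare(url: str) -> dict:
    """Side-by-side verdicts for one URL under both policies."""
    return {"dns": dns_verdict(url), "url": url_verdict(url)}
```

Running `compare` over an abused redirector path, a sibling path on the same host, and an IP-literal host shows where the two policies disagree: the URL-level list stops the bad path while leaving the rest of the domain usable, and it is the only one that can act on an IP-literal host at all.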

12 Responses to “OpenDNS Launches Phishing Site Aggregation Service - PhishTank”

  1. Chris Shiflett Says:

    “You can’t blacklist entire websites because one URL is bad.”

    Perhaps their stance is that you can. This seems somewhat similar to sites who find themselves on one of those email blackhole lists due to a vulnerability in their web site that’s being exploited to send spam.

    Traditionally, my biggest complaint with these systems is their focus on streamlining the process of blacklisting a site but making it very difficult to have a false positive removed. This is what makes your first concern a really big one. Maybe PhishTank will be better about this:

    http://www.phishtank.com/faq.php#howdoireportafalsepo

  2. David Ulevitch Says:

    Good points you raise — a couple things. First, we aren’t competitive with any of the organizations you list. The problem with those organizations is that they are black boxes: users submit and get no information back. The database and backend are closed off to developers.

    What you point out about PhishTank and blocking URLs in DNS is not related — any developer can use the data in PhishTank in their own applications, it’s not DNS focused.

    And Chris — You bring up a good issue, we do check sites once they are marked as a valid phish to see if the phish is taken down and then it leaves the system. We also return the age of the phish in the API so a developer can say if a phish is older than 7 days, maybe I shouldn’t block it, or I should score it less (since most phishing sites are down ~72 hours or so from what I pay attention to).

    -david

  3. RSnake Says:

    You absolutely cannot block an entire domain because it has a phishing site on it. I can put phishing sites on almost every domain on earth via XSS and an IP address to host the JavaScript and post submission form on. Check the sla.ckers.org full disclosure forum for a list of sites you’d have to block if I felt like running a phishing site on them. Do you feel comfortable blocking microsoft.com, yahoo.com, amex.com etc… etc…? I don’t!

    I understand OpenDNS and Phishtank aren’t related, but I assume OpenDNS will use PhishTank, correct? Therein lies the problems I mentioned, and yes, I understand it’s an API, and even mentioned it several times in the post. That, I believe, has more merit than DNS alone.

    Let me ask you another question. What if the attacker sets up a phishing site, and submits it himself, and then immediately takes it down? It gets marked as a false positive and then they turn it on. Are you prepared to remove false positives too? Sites get hacked and re-hacked.

    Lastly, I’m not sure how they aren’t competitive, just because it’s not open doesn’t mean it’s not competitive. That’s kinda like saying Firefox and Internet Explorer aren’t competitive because people can’t watch bugzilla. I think they are competitive. The value is not in question, the problem is you’ll have yet another list that’s out of sync with the others. Look at APWG compared to PRN compared to MarkMonitor today. They are all out of sync with one another. This will be no different. Without overlap and a single repository things will always be missed.

    Another issue that I didn’t mention in this, but that I have first hand experience with is that big companies often don’t like to publish how many phishing sites are out there. They don’t want to get on top of some list of “most phished bank”. I don’t blame them. This is another reason they’d be less likely to share their known holes with that sort of list and would be more likely to go towards the black box approach that feed into the anti-phishing toolbars etc… of the world.

  4. RSnake Says:

    Case in point, submitted and verified by the PhishTank team: http://ha.ckers.org/images/phishtank.png

    Do you really want to block rds.yahoo.com for being used in a redirection phishing attack? I don’t think the whole domain is bad, just because there is a redirection. I do think that hole needs to be closed, and that particular URL should be blacklisted, but nothing beyond that as it wouldn’t be reliable.

  5. David Ulevitch Says:

    RSnake,

    That is a phishing site. I understand what you’re saying about OpenDNS but PhishTank still just verified a valid phishing site. The site is doing exactly what it should. Glad you are checking it out and asking important questions.

  6. RSnake Says:

    David, any comment on the competitive concern and the open source concern above?

    Regarding what you did respond to - rds.yahoo.com is definitely not a phishing site - not unless my understanding of the internet is really warped. :) It is a redirection site (there is nothing phishing related at all on that site other than it sends the user elsewhere). If your software marks any site that does redirection as a phishing site you’re going to end up with a lot of angry domains that are otherwise completely free of any issues (and potentially lots of false positives).

    The “site” or “IP” or “domain” isn’t bad, however the URL is - that’s why DNS doesn’t make sense as the right place to stop this. The granularity just isn’t there. And if you take “action” against rds.yahoo.com by blocking their entire domain for having one URL that redirects that’s not actually helping the consumer as the other billion links on Yahoo are completely benign.

  7. Iygas Says:

    The Yahoo and Google stupids should figure out that their redirection services have been abused for YEARS by phishers. I am figuring it out as an end user, so why can’t they? Even a simple referrer check mechanism could save 90% of these abuses.

  8. Ilgaz Says:

    APWG (Anti-Phishing Work Group) –> Submitted hundreds of phishing mails and they were still online after weeks, so I re-submitted them to phishtank.

    PRN (Phish Report Network - owned by Symantec) –> Symantec lost my trust years ago with their shadowy business tactics.

    MarkMonitor (the service that IE7.0 uses) –> Has to be nice to MSFT; there is no guarantee it will work with my OS of choice (OS X) and its default browser (Safari) for submitting. They didn’t bother to code anything for my system of choice, so why support them for free?

  9. RSnake Says:

    Iygas/Ilgaz: You can’t use referrers (because in most cases there is none). Also it’s spoofable by Flash header spoofing, and in many cases it’s not there. See this thread.

    My understanding is that Phishtank is not a takedown service, so I’m not sure what additional help they will provide in actually taking them offline unless domain registrars start using the APIs (which registrars have been notoriously bad about doing). I will make the clarification though that it is very uncommon for a phishing site to be taken down within 24 hours. A good deal of phishing sites do last up to several days, and some last up to weeks. Unless you contact a take-down service (like MarkMonitor or NameProtect or WatchFire or others) it wouldn’t surprise me if it stayed up for that long.

    I can’t comment on Symantec, but I actually have pretty high hopes about their integration of their blacklists with their desktop clients, which could be a huge boost in protection for the consumers who have it installed. With MarkMonitor there are other issues than that (and it’s just a list so technically any software/OS could use it if you were willing to pay for it), but your point is taken.

    My point isn’t that any of them are better than the other - frankly I don’t care who wins. I just think they should start working together instead of making more places that people have to submit to. Since they don’t communicate there’s no way to know if you’re safe, since you may not use the one piece of software that’s designed to use that particular list that has that one particular phishing scam.

  10. Ilgaz Says:

    This is more of a community-based site than the others. They are ex-CNET people and known in the industry and especially the media.

    I reported lots and lots of phishing, sparing my time, to antiphishing.org, which is backed by various huge companies including IT. Sad to say that when I heard about this service, I checked them, trusting my browser and OS (not on win32 here), and they were all up and running. Even after 5 days.

    Of course, if anything would be done with this service, it should be on an “opt-in” basis by default. I agree.

  11. RSnake Says:

    I’m not sure what them being a community site or how well known they are really has to do with this issue. As I said, antiphishing.org is not a takedown service, so that statistic is not surprising and not unexpected.

    The real issue is that PhishNet is _also_ not a take-down service, and they are competitive to things that already exist. This really isn’t helping things, it just makes it harder. Case in point, you probably will stop submitting to APWG now that you have PhishNet. By doing that your phishing sites are no longer going to be fed into Netscape. So by protecting the 10 people who use PhishNet you are no longer protecting the million or so Netscape users.

    This could be mitigated if one of the services decided to play nice with the others. Short of that, it’s only making the issue harder to deal with and leaving more people at risk.

  12. RSnake Says:

    Here’s another issue… I don’t know if it’s because they are using a dword instead of an IP address or if it went offline and then came back online again, but either way the screenshot itself tells the tale. Phishnet thinks the phishing site is offline, but it’s still very much live:

    http://ha.ckers.org/images/phishtank2.png