- PhishTank is a free community site that aims to be an accurate clearing house of phishing data.
- Users submit their phishes through email, the web, or via APIs.
- Other users can then log in to the Web site and verify phishes. There are backend systems which help prevent gaming of the voting mechanisms to ensure that there are no false positives.
- PhishTank closes the ‘feedback loop’ with end users to let them know the status of the phishes they submit, either via email alerts or a personal RSS feed. This is in contrast to the black box nature of most anti-phishing services on the net (run by security companies who want the data kept private).
- PhishTank has a free and open API. The goal of this API is to allow any developer to use the data in the PhishTank and help put an end to phishing in their own applications.
I’ve got pretty much the same concerns with this as I had with OpenDNS’s original implementation of the anti-phishing list. It’s a clever idea, but it’s got two gaping holes in it.
The first issue is our favorite one - XSS. If I can inject XSS into a website, all DNS can say is “domain is good” or “domain is bad” - nothing more. But in the case of XSS the site can be good while the specific URL you are attempting to visit is bad. You can’t blacklist an entire website because one URL is bad - you need to stop that one URL, or maybe a directory of URLs. That’s a granularity that DNS cannot help with.
Okay, that’s fine, you can phish the user’s sensitive information, but you still have to send the data off somewhere, right? And when the phish does that you can block THAT host - because that host has to be compromised to log the information in the first place, so that’s a safe bet, right? Okay, fine, I might agree with that statement, even though lots of otherwise valid sites get owned for this exact reason, but okay. But even still it’s easy to get around - just use an IP address. No DNS lookup required. Complete circumvention using XSS and an IP address. Seems like an issue to me.
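As an added illustration (not part of the original post, and not PhishTank’s or OpenDNS’s code), here is a small Python comparison of what a hostname-level (DNS) filter and a URL-level filter can each decide about the two cases above: a bad URL on an otherwise good host, and a data-collection endpoint addressed by IP literal. The hosts, paths and the 203.0.113.5 address are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample entries (not real sites). BAD_HOSTS is all a DNS-level list
# can express; BAD_URLS and BAD_DIRS are what a URL-level list can express.
BAD_HOSTS = {"phish.example.net"}
BAD_URLS = {"http://bank.example.com/search?q=%3Cscript%3E"}  # one XSS-bearing URL on a good host
BAD_DIRS = {"http://bank.example.com/cgi-bin/old/"}           # one directory on a good host


def _normalize(url: str) -> str:
    """Lower-case scheme and host, keep path and query, drop the fragment."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{p.path}{query}"


def dns_verdict(url: str) -> str:
    """What a resolver-based filter can say: good or bad per hostname, and
    only when the client actually performs a lookup."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "not-consulted"  # IP literal: no DNS query, so the resolver never sees it
    except ValueError:
        pass  # a real hostname, which the resolver will be asked about
    return "bad" if host in BAD_HOSTS else "good"


def url_verdict(url: str) -> str:
    """What a URL-level filter (a browser or proxy consuming the feed) can say:
    a single page or a directory can be blocked without touching the rest of the host."""
    u = _normalize(url)
    if u in BAD_URLS or any(u.startswith(d) for d in BAD_DIRS):
        return "bad"
    return "good"


def verdicts(url: str) -> dict:
    """Both verdicts side by side, to show where the DNS-only view falls short."""
    return {"dns": dns_verdict(url), "url": url_verdict(url)}
```

Running `verdicts()` over the XSS URL and the IP-literal collection endpoint shows the DNS view answering “good” and “not-consulted” respectively, while only the URL view catches the first case.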
My other concern with this service, although still valuable, is that it’s competitive against a number of other services that do the exact same thing. APWG (Anti-Phishing Work Group), PRN (Phish Report Network - owned by Symantec), and MarkMonitor (the service that IE7.0 uses) all do the exact same thing. Why start another one?
I guess you could make the point that people prefer an open source solution but I don’t really want some idiot hijacking my domain by claiming I have a phishing site on my domain (through XSS or otherwise). The liabilities there are pretty huge. But even still, I see the point in it, and I wish them the best of luck and I hope the people who use the API do something better with it than DNS alone. Frankly I don’t care who wins, but really there should be one master service - not four. Maybe one of these groups will bite the bullet and start working with the others.