
Report: Firefox 2.0 Trumps IE7 In Phish-Fighting

The newly released Mozilla Firefox 2.0 and Microsoft Internet Explorer 7 Web browsers both include new technology to help flag and block phishing sites -- those authentic-looking Web sites set up by scammers to trick users into entering personal financial information.

So how do the browsers stack up against one another in a no-holds-barred, anti-phishing slugfest? One third-party test that pitted the browsers against two weeks' worth of phishing sites concluded that Firefox's phish net may have fewer holes than IE's.

The evidence comes in a report released today by software testing firm SmartWare. The company tested each browser against the same phishing sites flagged by contributors to Phishtank, an anti-phishing network run by OpenDNS.

Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.

Before I go any further with the numbers, I think it's important to offer a little background on how the phish-filtering technology is set up within both browsers. With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database. (More about how this technology works in IE7 is online here, and the obvious privacy issues are discussed here.)

Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer and updated approximately every 30 minutes. Alternatively, Firefox users can opt to turn auto-detect on, in which case the browser will check Web sites the user visits by checking them against a database maintained by Google. (More about the service is online here.)

Back to the numbers: The testers found that with IE7's auto-check turned off, the browser blocked less than two percent of all phishing sites thrown at it. With the phone-home option turned on, IE blocked 66 percent of the scam sites.

In its default configuration, Firefox 2.0 blocked close to 79 percent of all phishing sites during the test period; with the "Ask Google" option enabled, Mozilla's browser blocked nearly 82 percent of all scam pages.

While I applaud Microsoft and Mozilla for their first efforts, the reality is that -- depending on which browser (and setting) you use -- anywhere from roughly 18 to 34 percent of the phishing scams in this test sneaked past undetected. I'm not saying this is an easy problem to solve: It certainly isn't. But I'm left wondering whether a stronger "whitelist" approach that involves identifying legitimate banking sites might prove to be a more effective strategy, or at least a highly complementary one.

As Security Fix noted last week, Mozilla, Microsoft and other browser makers are teaming up with Web site certificate authorities to try to make it more obvious when a user is truly at a verified banking site as opposed to a convincing fake. It may turn out that phishers will come up with a clever way to spoof these "supercerts" as well. But it seems to me that combined with an oft-updated blacklist, the whitelist approach has the greatest potential to bring the number of phishing scams that go undetected by either browser well down into the single digits.

Avivah Litan, an online fraud analyst with Gartner Inc., agreed. "With crooks moving these phishing sites from place to place within minutes, it's really hard to keep a blacklist up-to-date," Litan said. "The future of [browser-based anti-phishing technology] is whitelisting, backed up with heuristics" that allow the browser to detect unidentified phishing links as suspicious.
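To make the trade-offs concrete, here is an added example that is not code from Security Fix, Mozilla, Microsoft or SmartWare. It layers the three mechanisms discussed above: a Firefox-style local blacklist with a 30-minute refresh window, a whitelist of legitimate banking domains, and the kind of heuristics Litan describes for flagging unidentified lookalike URLs. Every list entry, hostname and sample URL is constructed for illustration, and `registrableDomain` assumes single-label public suffixes; a real filter would consult the Public Suffix List.

```javascript
// Added example (not code from Security Fix, Mozilla, Microsoft or SmartWare):
// a toy phish filter that layers the three strategies the post contrasts.
// Every list entry and sample URL below is constructed for illustration.

// Whitelist of brands the filter can vouch for: the registrable domains the
// brand really uses, plus keywords a lookalike URL would tend to contain.
const WHITELIST = {
  "Bank of America": { domains: ["bankofamerica.com"], keywords: ["bankofamerica", "bofa"] },
  "PayPal":          { domains: ["paypal.com"],        keywords: ["paypal"] },
};

// Firefox-style local blacklist: known phishing URLs plus the time the list
// was last refreshed. The post says the list is refreshed about every
// 30 minutes, so anything re-hosted after updatedAt is invisible to this layer.
const BLACKLIST = {
  updatedAt: Date.parse("2006-11-14T09:00:00Z"),
  maxAgeMs: 30 * 60 * 1000,
  urls: new Set(["http://192.0.2.10/phishers/bofa/phishme.php"]),
};

// Registrable domain = last two labels. Assumption: no multi-label public
// suffixes such as .co.uk; a real filter would consult the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").filter(Boolean).slice(-2).join(".");
}

// Canonical form for blacklist lookups: WHATWG URL parsing already lowercases
// the scheme and host and drops default ports; we additionally drop the fragment.
function canonicalize(u) {
  const c = new URL(u.toString());
  c.hash = "";
  return c.toString();
}

function isBlacklistStale(list, now) {
  return now - list.updatedAt > list.maxAgeMs;
}

// Classify a URL as "block", "warn" or "allow", with the reason that decided it.
function classify(raw, now = Date.now()) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { verdict: "warn", reason: "unparseable URL" };
  }
  const host = u.hostname;

  // Layer 1: exact blacklist hit. Cheap and free of false positives, but only
  // as fresh as the last refresh.
  if (BLACKLIST.urls.has(canonicalize(u))) {
    return { verdict: "block", reason: "on local blacklist" };
  }

  // Layer 2: whitelist. The genuine site is allowed without further heuristics.
  const domain = registrableDomain(host);
  for (const [brand, entry] of Object.entries(WHITELIST)) {
    if (entry.domains.includes(domain)) {
      return { verdict: "allow", reason: `whitelisted domain of ${brand}` };
    }
  }

  // Layer 3: heuristics for URLs that impersonate a whitelisted brand.
  if (u.username) {
    // e.g. http://bankofamerica.com@evil.example/ : what looks like the host is userinfo.
    return { verdict: "warn", reason: "credentials embedded in URL" };
  }
  const haystack = (host + u.pathname).toLowerCase().replace(/[^a-z0-9]/g, "");
  for (const [brand, entry] of Object.entries(WHITELIST)) {
    if (entry.keywords.some((k) => haystack.includes(k))) {
      return { verdict: "warn", reason: `${brand} name outside its whitelisted domains` };
    }
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return { verdict: "warn", reason: "raw IP address as host" };
  }

  // Neither list knows the site and it mimics no known brand: a whitelist
  // cannot help here without knowing where the user thinks they are going.
  const reason = isBlacklistStale(BLACKLIST, now) ? "unknown site (blacklist stale)" : "unknown site";
  return { verdict: "allow", reason };
}

// Stand-alone demo over constructed URLs.
for (const sample of [
  "http://192.0.2.10/phishers/bofa/phishme.php",      // on the blacklist
  "http://198.51.100.7/phishers/bofa/phishme.php",    // same phish, re-hosted after the last refresh
  "https://www.bankofamerica.com/login",              // the real bank
  "http://bankofamerica.com@evil.example/",           // userinfo trick
  "http://example.org/login",                         // mimics no known brand
]) {
  const r = classify(sample);
  console.log(`${r.verdict.padEnd(5)} ${sample}  (${r.reason})`);
}
```

The second sample shows the gap Litan describes: a phish moved to a new host after the last refresh is unknown to the blacklist and is caught only by the brand heuristic, while the last sample shows the whitelist's blind spot, since a site that mimics no known brand passes and the filter has no way to know which bank the user believed they were visiting.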

For its part, Microsoft pointed to a report the company commissioned earlier this year that gave Microsoft's anti-phishing measures top marks compared with other browsers and technologies. The report highlights the fact that IE7 didn't raise any alarm bells about legitimate sites, a problem known in the business as a "false positive." It's not hard to see why that factor alone would be a paramount concern for Microsoft: A legitimate company whose site was errantly blocked by IE7 most likely would file a lawsuit against Microsoft in a heartbeat.

The SmartWare study doesn't appear to have addressed the problem of false positives to any meaningful degree. Still, what I especially like about the Phishtank-based study is that it is premised on open-source information that everyone has the same access to. In contrast, the founders of 3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."

Incidentally, any serious Mozilla-using phish fighters out there who want an easier way to submit "phishy" sites to Phishtank should check out this Firefox add-on.

By Brian Krebs |  November 14, 2006; 6:00 AM ET  | Category:  Misc. , Safety Tips


Comments




Thanks for the heads up Brian, it just further secures my decision to finally switch from IE to Firefox, which I recently did. While these numbers do seem rather close at very certain things, the fact that Firefox has consistently put up better numbers, time and again, really makes me believe that it is a better browser.

Every week I get my typical "Update your account" etc. emails which take me to a fraudulent site, and to know that Firefox will potentially block those sites from even letting me incidentally go there makes me feel much better.

My biggest concern has always been with people who are new to the internet because they aren't trained to check the URL before going to a potential phishing site. If Firefox continues this trend, hopefully even the most novice internet users can be secure with their browsing.

Posted by: NathanK | November 14, 2006 09:30 AM

These are some interesting results; I note that they are significantly different both from what 3Sharp found and from what a team at Carnegie Mellon found in their own research. More thoughts at http://www.robichaux.net/blog/2006/11/mozilla_releases_antiphishing_report.php. (BTW, I pointed out to Brian that it's not entirely fair to dis 3Sharp's report as less "open source" than Mozilla's, given that we published all our URLs as part of the study and have made results freely available to everyone who's asked.)

Posted by: Paul Robichaux | November 14, 2006 10:27 AM

Thanks Paul, and as I pointed out, Mozilla is going to make its raw data available in about an hour, so when they do I will update this post with a link to it.

Posted by: Bk | November 14, 2006 10:32 AM

It just proves what I've been saying all along: The use of IE, any version, marks the user as a technical neophyte.

The whole "...but my web site doesn't work with anything but IE..." is something straight out of 1999 and hasn't been true for about 2-3 years now.

Firefox is a great browser. Opera is a great browser. Konqueror is a great browser.

IE7? Not so good. I guess MS is too busy with the XBox and the Zune to worry about browsers these days.

Posted by: Bunkley | November 14, 2006 11:13 AM

>The use of IE, any version, marks the user as a technical neophyte.<

I have been using personal computers since the pre-Windows days of DOS, and recently dumped Firefox 2.0, because I prefer IE7.

I don't really care that much about anti-phishing filters, because I'm not stupid enough to fall for phishing scams.

Posted by: JohnJ | November 14, 2006 12:50 PM

I'm tired of Mozilla, Apple, and any other anti-Microsoft users that love to rag on anything Microsoft. All platforms [windows vs. linux vs. apple, IE vs. firefox] are pretty good and each has their advantages/disadvantages [like apple is better for media but windows is much better for utility, work, etc.]. I myself don't like the firefox or apple layouts and prefer to use microsoft products [and no, I do not like how they've switched to a more firefox layout in IE7] but it doesn't mean I won't use firefox or apple if its handy.

Posted by: Bean | November 14, 2006 01:01 PM

Well, reading this very instructive article shows me some things not pointed out in the article:

Does it prove that Firefox 2 is better than IE7? Surely NOT!!! It only proves that the Mozilla database is far better than Microsoft's. Yes, I know that at the end of the day the result is the same, and Firefox is filtering better, but it is unfair to blame IE developers for something they are not responsible for.

Does it prove that the Mozilla database is the best? Surely NOT either!!! Google offers better results (yes, not by that much, but you know: the bigger, the better, that's all...)

Let's wait for Google and MS to mix their databases so every browser will benefit from it.

Posted by: Diagg | November 14, 2006 01:20 PM

>"But I'm left wondering whether a
>stronger "whitelist" approach that
>involves identifying legitimate banking
>sites might prove to be a more effective
>strategy"

I am the information security officer at a financial institution, and the problem that I see with a "whitelist" approach is that it assumes you know what site the users think they are going to. In other words, you would have to know that the user means to go to Bank of America when they click "http://blahblah.com/phishers/BofA/phishme.php" (and thereby know that is not Bank of America's URL). Without knowing the mindset of the user, you would then have to create a whitelist that includes ALL good sites on the Internet.

Brian

Posted by: Bachroxx | November 14, 2006 01:30 PM

Great to see all the shills, fanboys and astroturfers battling it out in their little blogosphere. It's been real fun the last couple of weeks. OSS, MS and Apple on the Web 2.0, but I think the people will just move along to Web 3.0. You stay put now, you hear!

Posted by: Retep. | November 14, 2006 01:41 PM

I'm an ASP.NET and .NET framework programmer, so for me it starts with IE6 & 7, then I get it to work in other browsers. Until Firefox 2.0 this was a pain in the rump. I could get everything I did to work perfectly in IE, Netscape, Opera and even some other "off brand" browsers, but had a terrible time getting work done with Firefox 2.0.

The oddest part of my experience is the difficulty I have getting simple client-side Java to work in Firefox 2 that works perfectly in all the others! Odd, isn't it? Anyway, so is Firefox a better browser? Nope... is IE7 the best browser ever? Nope... it's all a matter of what you're doing with it that makes all the difference. (I'm responding to the "Firefox is a better browser" comments.)

So what does that have to do with the article? The phishing filter is a nice addition by both of the companies, and it's pointless. Completely utterly pointless.

The people who run phishing sites don't leave them up long enough for them to be identified, added and then distributed to the end user. They move...hourly. And when they move they often have created their site on top of a legitimate site which now will get flagged as a phishing site. Creating those wonderful false positives and blocking access to someone's legitimate site that happened to share the same URL header as the phish site.

Whitelist? Best idea ever! Until someone pirates the URL from the DNS server and points it back to a phishing site...

You can't win, you come up with a solution, and someone will find an exploit, that's the nature of the game. So how do you make the best browser ever?

You make better internet users.

Posted by: Stephen | November 14, 2006 02:14 PM


© 2006 The Washington Post Company