Low rate of phishing attacks detection

diamon...@googlemail.com

Aug 16, 2007, 6:32:48 AM
to Google Safe Browsing API
I'm currently developing a library and sample client application (C#)
using the Google Safe Browsing API, and I came across an interesting
issue during testing.

Namely, the blacklist for the phishing attacks (goog-black-hash)
doesn't contain all that many records; at the moment I've got version
1.2643, which only contains 2172 entries. The malware blacklist
(goog-malware-hash), current version 1.545, has 171739 entries.

Trying known malware sites results in a hit being found in the malware
list; OK, good so far.
However, using known phishing URLs does not result in a hit. (I'm
getting known phishing URLs from www.phishtank.com.)
At the moment it would appear the Safe Browsing API is more focused on
the malware side?

I know that Firefox uses the Safe Browser API and yes, it does block
phishing attacks; however, this uses a completely different Google Safe
Browsing API. You can see the difference in API calls if you run
Firefox in console mode with debugging turned on for phishing
protection.
Also Mozilla detail the calls here
http://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Lookup_Server

So has anyone else noticed the lack of positive hits on the phishing
attack blacklist?

sslh

Aug 16, 2007, 2:21:27 PM
to Google Safe Browsing API

On Aug 16, 6:32 am, "diamondz1...@googlemail.com"

> Also Mozilla detail the calls here http://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Loo...
>
> So has anyone else noticed the lack of positive hits on the phishing
> attack blacklist?

Yes, we have also noticed the lack of positive hits on the phishing
attack blacklist. We are a leading Certificate Authority and Internet
security solutions provider and have the API in testing as well
(BASH / MySQL). We are considering implementing it in a variety of
capacities, but are also concerned about the lack of hits.

An important thing to note about thwarting phishing attacks is a very
narrow window of opportunity. The sites are live and then gone within
an approximate average of 6 hours. This is why, as a further testing
measure, we have been trying domains within minutes of receiving
phishing emails, reporting them if they do not hit, and checking them
again after one or two updates. We still have yet to get a hit.

lh..

P.S. Thanks for posting this. We were just about to do the same.

ife...@google.com

Aug 22, 2007, 4:48:36 PM
to Google Safe Browsing API
Thanks for your posts. We are aware that the level of protection
offered on the phishing side is not quite at the level we want it to
be at. We are working on improving the coverage of the phishing data,
and thank you for your patience and understanding.

With that said though, I would offer one correction to your previous
post: The average site stays up much longer than six hours - according
to the latest trend report made public by APWG (antiphishing.org) the
average time online for a site is around 3.8 days. It's definitely a
skewed distribution with some outliers lasting quite a while, but the
median time is still significantly more than 6 hours.

Thanks.
