[Full-disclosure] simple phishing fix
stuart at cyberdelix.net
Sun Aug 3 03:05:14 BST 2008
To cut to the chase, approx 80% of all phish target 1 of 20 or less
companies.
I also found a paper which suggests the blacklist might work.  I
found three other papers that reviewed phish detection in-depth,
however none of them seemed to mention filtering on the FROM field.
  
I also detail a fix for unblocked senders (eg. to selectively allow
mail from spoofed domains, such as Paypal), see below.
Nick says the blacklist won't stop phishing, per se, because phishers
will begin to target unlisted companies. While I agree that phishers
will begin to target unlisted companies, it does not follow that
phishing will continue to be profitable. It MAY still be profitable
to be a phisher in these circumstances.
What will definitely be true is that such a blacklist will make
phishing less profitable, this being because the total amount of
funds available to phish has been substantially reduced, while at the
same time, locating new victims is more difficult.
What will also be true is the list will stop phish from listed
companies from clogging mail systems, particularly as most users
never have any need to receive mail from those companies.
I accept that the blacklist MAY NOT make phishing unprofitable, and
the blacklist WILL NOT stop phish from unlisted companies.
So, the list WILL reduce junk and WILL hit phishers in the back
pocket. And this is a bad idea?
1. the phisher does NOT know which bank his potential victims use
2. the phisher is seeking to maximise revenue, and minimise costs
3. creating the fake mail and site is time-consuming
likely factors affecting phishing profitability:
Here's a description of the phishing business model, there's no
reference cos I made it up. As you can see there's a few more costs
than actually spamming out the phish, which I agree may be without
total cost =
time + money to create the fake mail
time + money to create the fake web site
time + money to obtain hosting for the fake web site
time + money to obtain/maintain/rent the botnet used to send the fake
time + money to launder the cash
time + money on personal security
total revenue =
total number of mails sent
mails blocked - bad recipient address
mails blocked - filtered (anti-spam/phish filter etc)
mails deleted - end-user not a customer of target institution
mails deleted - end-user not fooled
mails deleted - end-user not interested
mails deleted - technical issue
average profit per successful phish
Most articles on phishing describe how the fake mail and fake website
are "carefully" designed, and "carefully" selected recipient lists
are used. Careful means slow, AFAIK. The more careful you are, the
more successful your phish, BUT the longer it takes you to make, the
more money you need to make to break even. So the rational phisher
will find a balance there. The point is, the rational phisher will
not bang out a new site every five minutes. The site needs to be
convincing, the email needs to be convincing, and being convincing
I might be wrong. The kits Nick mentioned might make it all easy.
But Nick also mentions that those kits are backdoored. So I think
that means the rational phisher is going to have to make his own
pages from scratch. And that is gonna take time.
Time = money. If the phisher makes $20/hr from phishing, but he
could be making $50/hr spamming, it's costing him $30/hr to be a
phisher. The rational phisher would cease phishing in these
statistics showing that blocking the top 20 brands will have a big
"..These brands exhibited Pareto-type properties in that a small
number of brands accounts for a large number of actual phishing
Approx 80% of all phish target 1 of 20 or less companies.
  If those companies were widely blacklisted, 80% of all
phish/phishers would need to make new phishing sites, and find new
Note that 20 is a very small number and a blacklist of this size,
including variants, is manageable.
Note that although 20 is a very small number, it covers all of the
most-profitable-to-phish companies currently being phished (assuming
that profitability-to-phish is proportionate to total phishing
attempts, this may be wrong, but if it is wrong, some phishers are
wasting their time).
Although the top 20 account for 80% of total phish, blacklisting mail
from those companies will not stop 80% of phish, because phishers
will presumably move on to target companies that are not blacklisted.
However, those companies are less profitable for phishers - if they
were more profitable, then those companies would be in the top 80%
already. There are many reasons why they might be less profitable:
- ease of execution
- size of customer base
- total funds available
- additional benefits or penalties
The blacklist would make phishing less profitable because it forces
less-profitable companies to be targeted. When an unlisted company
is targeted, it is added to the list. Eventually, all high-profit
companies will be listed.
Nick suggests that the phishers will just send more emails, I suggest
this will just get them detected, blocked, and taken down faster.
Nick seems to be suggesting that phishers will always be able to make
a healthy profit by targeting small institutions. This might
continue to be true if:
- costs to phishers are small, and remain so
- revenue is decent, and remains so
However various technologies are working to push costs up and revenue
down, this is going to continue. Phishers, OTOH cannot do much more
than they are already doing to maximise their revenues, that means as
anti-phishing technology evolves, phishing profits are going to fall.
How much they fall depends on the tech.
There is a definite possibility that some/all phishers will not be
able to cover their costs. Certainly, anti-phishing technologies
should seek to maximise this possibility. The harder phishing is,
the less profitable it becomes.
Nick mentioned an infinite set of domain names, I believe at that time
he was confused between the domain name stated in the FROM field
(which is what I am focusing on) and domain names listed in the
body text (I'm ignoring those). The set of domain names in the from
field is very small, 714 items in total, most of which have only
been phished a few times. I agree the set of domain names in the
body text is infinite.
It seems to me that the FROM field is the most obvious sign of a
phish. If the mail is FROM a company I don't do business with, of
course it's a phish, no need for any further testing. But I don't
need to list every company I don't do business with, I only need to
list every company I don't do business with *that phishes me*. This
list is currently very small, as the referenced statistics show.
ease of use by end-users:
I agree end-users can't be relied on. The way it could work, say
with a webmail service, is that the webmail service has a page, "my
phishing preferences", on there is a list of blocked-by-default
companies (the blacklist). The user scrolls down to the company they
want to unblock and unchecks the "blocked" box. Then they click
For corporate environments, a similar function could be performed by
the IT dept as part of their usual antispam/antivirus routine. All
users are blocked by default from receiving all mail from any
blacklisted company. To receive mail from a blacklisted company,
fill in a form on the intranet and await a response in email from the
IT dept. The IT dept does their magic using procmail or similar.
For end-users with POP3 clients the blacklist would ideally be a
installation component, packaged with the binary, the user would go
to Tools.. Options.. Phishing Preferences. The default setting for
each company listed is "blocked". The user scrolls down to the
company they want to unblock and unchecks the "blocked" box. Then
they click Save.
If an updated blacklist was deployed, users would want to see the
list of new blocked companies, in case they were corresponding with
I agree that a list with hundreds of thousands of institutions on it
would not be workable. However the statistics show that currently,
this is not required.
how to secure "unblocked" companies:
So above I went through a few ways in which users could unblock
companies they want to receive mail from, it's obviously a
vulnerability when they do this, but it can be fixed, Paypal's
strategy is to include a pre-shared secret in the body text of the
mail. This requires two filtering rules, the second conditional on a
match on the first. This is not a problem for some mail clients such
as Pegasus Mail but may be a problem for lesser-evolved beasts such
This same technique (the pre-shared secret) could be used by any
targeted company that sends emails to customers, all that is needed
is that the filter knows the secret, and takes that into account when
Ideally, what would happen is that when the user unblocks a company,
they are prompted for the pre-shared secret. Missing secret = unable
to unblock. The filtering rules ideally would then be autoconfigured
in the correct way by the software/IT dept.
There is very little evidence, in the databases I checked, of
the use of variations such as wachov1a, although added spaces,
missing hyphens and so on does happen. Obfuscation/armouring is a
common spam tactic, but phish are seeking to be as legitimate as
possible, and any kind of obfuscation reduces total revenue. This is
a distinguishing feature between phish and spam, and it permits the
possibility that techniques that don't work against spam, such as a
blacklist, might be successfully used against phish.
If the variations get excessive, I suggest regular expressions.
Again, not a problem for some mail clients, but other software such
as Thunderbird does not support them (last I checked).
It is *hoped* that the power of regexes will be enough - there is a
limit on how much obfuscation can be used, as it potentially alerts
the user to the phish. Time will tell.
this idea elsewhere on the net:
Three academic papers review the literature concerning
phish detection in detail, however none of them list analysis of the
FROM field of the mail. That is, they don't even list it and dismiss
it, because of x, y and z, the technique is simply not mentioned.
One paper notes that the FROM field "likely matches legitimate
mail from [the targeted company]"; later it says "domain
blacklisting can be used effectively to flag and drop messages".
shows that the top 10 targeted companies account for 12166 of
16527 phish (73%)
shows a total of 714 targeted companies - with some duplication -
most with only 1 or 2 phishing attempts
 gives an estimate of average profit per successful phish = USD
 "Behind Phishing: An Examination of Phisher Modi Operandi"
(contains a useful literature review)
 "Learning to Detect Phishing Emails" (contains a useful
 "Evolution of Phishing Attacks" (mentions that filtering on the
FROM field might be beneficial)
 shows a list similar to Millers' Miles
"Phishing Activity Trends Report" states that the top 17
targeted companies account for 80% of all phish
 "Phishing Attacks: Analyzing Trends in 2006" (states that "the
top 10 spoofed brands account for nearly 85% of phishing web sites")
 "Anti-Phishing Best Practices for ISPs and Mailbox Providers"
(contains a useful literature review)
PS no I'm not trolling I've been using this approach for 6 months or
so and it works great for me, so I thought I'd share it ...
PPS "80% of all phish target 1 of 20 or less companies" DOES NOT MEAN
that 20% of phish target 2 companies or more, each phish targets 1
company, but that 1 company is, 80% of the time, in a list of 20
companies that are commonly phished. And the list of companies might
be even smaller than 20, depending on whose stats you're reading.
stuart at cyberdelix.dot net - http://www.cyberdelix.net/
* Origin: lsi: revolution through evolution (192:168/0.2)
Full-Disclosure is hosted and sponsored by Secunia.
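The two-rule filter the post describes (blacklisted FROM domain is dropped by default; an unblocked company passes only when its pre-shared secret appears in the body; cheap variants such as added spaces or dropped hyphens are folded before matching), as an added Python example that is not the author's procmail setup. The blacklist entries, the secret and the sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed blacklist of commonly spoofed sender domains (illustrative, not
# the post's list). Everything here is blocked by default for every user.
BLOCKED_DOMAINS = ["paypal.com", "wachovia.com", "ebay.com"]

# Per-user unblocks. The post's rule is "missing secret = unable to unblock",
# so every entry carries the secret the real company puts in its mail body.
UNBLOCKED = {"paypal.com": "kettle-7731"}  # constructed secret


def normalise(domain):
    """Fold the cheap variants the post mentions: added spaces, missing hyphens."""
    return re.sub(r"[\s\-]", "", domain.lower())


def blocked_match(from_domain):
    """Return the blacklist entry a (normalised) From domain falls under, or None."""
    for entry in BLOCKED_DOMAINS:
        e = normalise(entry)
        if from_domain == e or from_domain.endswith("." + e):
            return entry
    return None


def classify(raw):
    """Return 'pass' or 'drop' for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = normalise(addr.rpartition("@")[2])
    entry = blocked_match(from_domain)
    if entry is None:
        return "pass"        # not a phished brand: this filter does not touch it
    secret = UNBLOCKED.get(entry)
    if secret is None:
        return "drop"        # rule 1: blacklisted FROM and the user never unblocked it
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return "pass" if secret in text else "drop"   # rule 2: secret must be present


# Constructed sample messages.
PHISH = "From: Wachovia <alerts@wachovia.com>\nSubject: verify\n\nClick here\n"
SPACED = "From: PayPal <service@pay-pal.com>\nSubject: account\n\nLog in now\n"
LEGIT = "From: PayPal <service@paypal.com>\nSubject: receipt\n\nYour code: kettle-7731\n"
OTHER = "From: Bob <bob@example.org>\nSubject: lunch\n\nNoon?\n"
```

The SPACED message shows why the domain is normalised before matching: "pay-pal.com" folds to the blacklisted "paypal.com" and, lacking the secret, is dropped like the unmodified spoof.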