The Phishing Filter: Fighting the Modern Day Con Artist
Published: November 10, 2005
By Sandi Hardmeier

Back in November 2004, I wrote what proved to be a very popular article about one of the scourges of the Internet — Phishing. Entitled "Help protect yourself from online crime" the article describes in detail what Phishing is and demonstrates some of the tricks used by Phishing sites to fool users into handing over personally sensitive information.
Since the article went live the phishing phenomenon has accelerated and widened its net. Scammers no longer restrict themselves to impersonating larger banks and online financial services such as PayPal and eBay and are now targeting the customers of smaller regional financial institutions, retailers and even ISPs. Phishers have evolved to "spear phishing", targeting specific companies and employees. A recent example was a phishing attack impersonating a public company with a known 401(k) administrator. The phishers timed the email to coincide with the end of the quarter, when users would be expecting to receive an account update.
Microsoft's Anti-Phishing White Paper published in July 2005 reports that more than $2 billion a year in fraudulent bank and financial charges is believed to have been lost to phishing scams. In addition, the Anti-Phishing Working Group advises that the number of phishing reports they receive has almost doubled, increasing from 8,975 in November 2004 to 14,135 in July 2005. Even more concerning, APWG reports a 100% increase in the number of phishing sites that use malicious code such as keyloggers and Trojans to infect and compromise an unsuspecting visitor's computer. Just by visiting these sites, a user is at risk from spyware and scripting exploits hosted at these sites.
One of the best weapons against phishing is user education. However, there will always be users who have not had an opportunity to learn about the dangers that they may encounter online. Microsoft has an excellent educational site at http://www.microsoft.com/athome/security/default.mspx dedicated to educating home users about security on the Internet. You will find videos and quizzes, educational articles and advice on what to do if things go wrong.
Internet Explorer is one of the most widely used Web browsers and is therefore in a good position to reach, and help protect, millions of users online. To that end, Internet Explorer 7 (now in beta) introduces a new weapon in the fight against phishers called the Phishing Filter.

Tip: Those who are not able to upgrade to Internet Explorer 7 can install alternative protection such as SpoofStick or the EarthLink toolbar. Users of Windows XP Service Pack 2 can download and install the Microsoft Phishing Filter Add-in for the MSN Search Toolbar.
The online Phishing Filter is not enabled by default in order to allow users to choose the level of phishing protection they wish to use.
The first time a user visits a site that is not on a list of "known safe" sites, he or she will be prompted to turn on the Phishing Filter. If enabled, the Phishing Filter will send the website address of the unknown site to Microsoft for checking. This "known safe" list is saved to each computer as part of the Internet Explorer 7 installation; therefore, there is no need for the Filter to access the Internet unless and until the user selects dynamic protection, or requests a manual site check.
It is important to note that this article discusses the Phishing Filter as it appears in Beta 1 of Internet Explorer 7. The look and feel, features and behavior of the filter may change by the time the final version of Internet Explorer 7 is released.
The user can change the Filter settings at any time simply by clicking on Tools, then Internet Options then selecting the Advanced tab. Scroll down to Phishing Filter Settings and change as desired. Alternatively, the user can click on Tools, then Phishing Filter, then Phishing Filter Settings and then select the preferred option.

Phishing Filter settings are easily changed.
The safest choice is, of course, to Check Websites Automatically. This means that every site visited that is not on the "known safe" list, will be checked against a list of known bad sites, and for characteristics common to phishing sites. Do Not Check Websites Automatically means that a site will only be checked on request. Turn Off Phishing Filter means no protection at all.

Disable Check This Website by selecting Turn Off Phishing Filter.
An important thing to note about the Phishing Filter check is that the information sent to Microsoft is limited to just the web address of the web site. Information associated with the web site address that could contain personal or sensitive information such as search terms you may have entered is removed before the address information is sent to Microsoft.
Another important point to remember is that the URL is transmitted using SSL (Secure Sockets Layer) encryption. This is the same encryption used by banks, financial institutions and other organizations to protect their users' data.
The user experience — dynamic protection
The Phishing Filter has two levels of alert. Level one indicates a suspicious website (yellow). Level two identifies a reported phishing site (red).
A yellow alert is triggered if a Web site or URL has characteristics similar to a phishing site and the site is not listed in the reported phishing site list or in the "known safe" list of high-volume trusted sites.
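The two mechanisms described above, stripping a URL of anything sensitive before it is sent for checking, and flagging a site that is neither on the local "known safe" list nor on the reported list but has characteristics common to phishing sites, can be illustrated with a small model. The code below is an added example written for this article; it is not Internet Explorer's code, and the safe list, the reported list (with a placeholder host) and the heuristic features are all constructed assumptions rather than the filter's actual data or rules.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data, not Microsoft's lists. In the filter described above
# the "known safe" list is shipped with the browser, while the reported
# phishing list is consulted at the checking service.
KNOWN_SAFE_HOSTS = {"www.microsoft.com", "www.paypal.com", "www.ebay.com"}
REPORTED_PHISHING_HOSTS = {"paypal-account-verify.example"}  # placeholder host

# Assumed brand/keyword list used by the heuristic below (not the filter's own).
BRAND_KEYWORDS = ("paypal", "ebay", "bank", "login", "verify", "account")


def strip_sensitive(url: str) -> str:
    """Reduce a URL to scheme://host[:port]/path before it leaves the machine.

    The query string, fragment and any user:password@ prefix are dropped so
    search terms, session tokens or credentials are never sent for checking.
    """
    parts = urlsplit(url)
    netloc = (parts.hostname or "").lower()
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def heuristic_score(url: str) -> int:
    """Count URL features commonly seen on phishing pages (assumed feature set)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    score = 0
    try:                                    # bare IP address instead of a domain name
        ipaddress.ip_address(host)
        score += 2
    except ValueError:
        pass
    if parts.username is not None:          # user@host form obscures the real host
        score += 2
    if host.count(".") >= 3:                # deep subdomain nesting
        score += 1
    if host not in KNOWN_SAFE_HOSTS and any(k in host for k in BRAND_KEYWORDS):
        score += 1                          # brand name in a host that is not the brand
    login_path = any(k in parts.path.lower() for k in ("login", "signin", "verify"))
    if parts.scheme == "http" and login_path:
        score += 1                          # credential page served without TLS
    return score


def classify(url: str) -> str:
    """Map a URL to the filter's levels: 'safe', 'red', 'yellow' or 'none'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_SAFE_HOSTS:
        return "safe"                        # local list: nothing is sent anywhere
    sent = strip_sensitive(url)              # only this form would go to the service
    if (urlsplit(sent).hostname or "") in REPORTED_PHISHING_HOSTS:
        return "red"                         # reported phishing site: block
    if heuristic_score(url) >= 2:
        return "yellow"                      # suspicious characteristics: warn
    return "none"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin?user=alice",
              "http://paypal-account-verify.example/login",
              "http://192.0.2.10/paypal/login?acct=123",
              "https://www.example.org/about"):
        print(f"{classify(u):6}  sent={strip_sensitive(u)}")
```

The order of checks matters for privacy: a site on the local safe list is resolved without any network lookup, and anything that does leave the machine has already passed through strip_sensitive, so a search term such as "?q=my+account+number" never reaches the checking service. The heuristic runs on the full URL locally, which is why the user@host check still works even though that prefix is removed from what is sent.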

The Yellow Alert button appears on the Security Status Bar.
Access to yellow alert sites is not blocked. When the user clicks on the yellow button, a pop-up appears that warns the user to avoid entering any personal information on the site. If we know that a site is legitimate, we are able to advise Microsoft of this via the pop-up window. We can also advise Microsoft if we believe the site is fraudulent.

The Phishing Filter Suspicious website warning.
A red alert blocks immediate access to reported phishing sites, although users can proceed to the site if they so desire.

The Phishing Filter blocks immediate access to a reported phishing site.
The user experience — case by case checks
As noted above, the user has a choice between real time, dynamic protection or running a manual check of sites that are visited. A manual check can be triggered at any time by clicking on Tools, then Internet Options, then Check This Website.
Reporting suspicious sites
Phishing sites are created and abandoned very rapidly, often remaining in place for only a few days. For this reason, it is essential that new sites are reported and flagged as quickly as possible. We all have a role to play in reporting phishing Web sites. Internet Explorer users can report a suspicious site at any time by using the Phishing Filter Feedback form, accessed by clicking on Tools then Internet Options, then Report This Website. Every report is checked by a team of experts at Microsoft who will, if deemed appropriate, add a reported site to the red status list as quickly as possible.

Phishers move quickly. With our help the Phishing Filter will move quickly as well.
Assistance for site owners
Owners of Web sites can dispute a yellow or red designation at any time by using a special online form accessed by clicking on Tools, then Phishing Filter, then Report this Website. Site owners must provide information about themselves and their site which will then be examined by the team of experts at Microsoft. After examining the site, the team can move a disputed site into the "clean" category, or flag it with red status if it believes the Filter's diagnosis is correct.
The future
We can expect phishers to continue to evolve their tactics and approaches to try to ensnare the innocent. The new Microsoft Phishing Filter will raise the bar significantly and make it harder for them. But remember, the Phishing Filter is only as good as the information that it receives. Users who come across a phishing site should report it. Users who experience a false positive should report that too. To quote the famous catch-cry of the 1960s: 'power to the people'.