ISP-Planet

ISP News

Anti-Phishing Site Launches

OpenDNS' new public phishing database is thorough, accurate—and free.

by Jeff Goldman
[October 18, 2006]

OpenDNS this month launched PhishTank, a free, community-based public database of phishing URLs. The PhishTank web site allows anyone to submit phishing data, check the status of their submissions, and rate other people's submissions—Digital Inspiration's Amit Agarwal calls it "Digg-style voting," a good way to describe the collective process by which phishing sites are verified.

David Ulevitch, founder and CEO of OpenDNS, says his company receives phishing data from a range of private sources, but has never been happy with the results. "A lot of that data has a lot of false positives, and it's not very accurate," he says. "And some of the data we get that is accurate is very, very slim—it doesn't cover a wide ground of phishing sites."

By opening up the system to user submission and user verification, Ulevitch says, PhishTank is able to be both much more thorough and much more accurate than any private, closed solution. And with an API and RSS feed available to automate both sending and receiving of data, an ISP can set up an application or a feed to inform them of phishes just on a specific netblock. Ulevitch says additional solutions like an Outlook plug-in to enable one-button submission are in the works.

Strength in numbers
To improve verification, the site encourages a sense of community, with users getting recognition for being both top submitters and top verifiers of submissions. "People that have been using the site for a long time and that are very accurate, their vote counts for more," Ulevitch says. "And it takes a certain threshold of votes to actually mark it as, 'Yes, this is a phish.'"

As a result, Ulevitch claims PhishTank essentially can't be gamed. "Someone who wants to mess around can't just register ten accounts to screw with the system, because all it takes is for somebody who's been using the site to go in and put in their one vote saying 'this is a phish,' and their vote counts much more," he says.

Because an ISP can use the API or the RSS feed to get information on a specific netblock, Ulevitch says PhishTank can make it extremely easy for a service provider to keep track of issues on their network. "Whenever they refresh the feed, they can see there's nothing there, or that there's four more and they need to go and close them," he says. "It's a nice way to manage abuse."
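
One way an abuse desk might apply that per-netblock check on each refresh, shown as an added example that is not PhishTank's API or code from the article. The record fields, netblocks (documentation ranges) and URLs are constructed, and each phish is assumed to arrive already resolved to a hosting IP.

```python
import ipaddress
from collections import defaultdict

# Constructed netblocks (RFC 5737 documentation ranges) standing in for an ISP's allocations.
ISP_NETBLOCKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed feed records; the field names are assumptions, not PhishTank's schema.
SAMPLE_FEED = [
    {"id": 101, "url": "http://login.example.test/bank", "ip": "198.51.100.17", "verified": True},
    {"id": 102, "url": "http://pay.example.test/update", "ip": "203.0.113.200", "verified": True},
    {"id": 103, "url": "http://mail.example.test/reset", "ip": "203.0.113.9", "verified": False},
    {"id": 104, "url": "http://shop.example.test/verify", "ip": "not-an-ip", "verified": True},
    {"id": 105, "url": "http://acct.example.test/signin", "ip": "203.0.113.44", "verified": True},
]


def phishes_on_network(feed, netblocks, verified_only=True):
    """Group feed entries by the netblock that contains their hosting IP."""
    hits = defaultdict(list)
    for entry in feed:
        if verified_only and not entry.get("verified"):
            continue  # still being voted on; do not act on it yet
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the refresh
        for net in netblocks:
            if addr in net:
                hits[str(net)].append(entry)
                break
    return dict(hits)


def new_since_last_refresh(hits, seen_ids):
    """Return entries not yet handled, plus the updated set of seen ids."""
    current = [e for entries in hits.values() for e in entries]
    fresh = [e for e in current if e["id"] not in seen_ids]
    return fresh, seen_ids | {e["id"] for e in current}


if __name__ == "__main__":
    hits = phishes_on_network(SAMPLE_FEED, ISP_NETBLOCKS)
    fresh, seen = new_since_last_refresh(hits, seen_ids={101})
    for e in fresh:
        print(f"open abuse ticket: phish {e['id']} at {e['ip']} ({e['url']})")
```

Entry 102 is dropped because 203.0.113.200 lies outside the /25, which is the kind of boundary a hand-written prefix match tends to get wrong.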

In spite of all its benefits, Ulevitch doesn't think PhishTank will necessarily compete with paid services. "We work with a company called Support Intelligence—they'll take the data from PhishTank, but they have a whole control panel and web interface, and they provide much more granular reporting and analysis than PhishTank will ever do," he says. "So they're in support of it, because their customers need more than just an RSS feed. They look at PhishTank as helping out."

Looking forward
Improved statistics are coming soon—"It turns out lots of people love looking at the pretty graphs," Ulevitch says—and in the meantime, basic graphs of verified phishes can be embedded on a user's or an ISP's website. "Any way that we can improve how we get data out there, we will," Ulevitch says. "That means RSS, API, embeddable charts—a lot of ISPs have their own abuse dashboard or NOC dashboard, and they can just throw a graph up there of valid phishes for their netblock."

Another next step will be a page on the PhishTank site listing available applications that have been built using the API. "We've already seen in the last couple of days that over 20 developers have registered for the API program," Ulevitch says.

And beyond phishing data, Ulevitch sees the basic concept behind PhishTank as applicable to a wide range of different issues. "It seems like the model of how we're doing this might be scalable for malware and spyware, for lots of things where people get these kinds of abuse and don't really have a central place to put them," he says.

Still, Ulevitch says it would be wrong to think that this is purely an unselfish effort by OpenDNS. "All we care about is having the best source of phishing data—and we think the means to accomplishing that is by having a totally open platform," he says. "So while it seems like it's 100 percent altruistic, our secret benefit is, just like any developer, we want to use the best data possible."

— End

Related articles:
  [Feb. 10, 2006] The Appliance That Fights Phishing
  [Dec. 9, 2004] Anti-Phishing Initiative Gives ISPs a Role in Fighting Crime
  [Jan. 23, 2004] Security Tools for the Budget Conscious ISP

