Shortcomings of anti-phishing blacklisting

Blacklisting is the most common form of anti-phishing protection. It is used by internet browsers as well as by popular internet security suites to protect against phishing attacks. Blacklisting has serious shortcomings.

Phishing continues to be a major security threat. In a phishing attack, the criminal sends emails which use social engineering techniques to entice the user into clicking through to fake sites and entering confidential information such as bank login details. Often the phishing websites are exact copies of the user’s bank login site, making it very difficult for the average user to spot anything amiss. Every day, thousands of new phishing websites are set up to entrap internet users – the Anti-Phishing Working Group identifies around 50,000 new phishing websites every month. These websites emulate a small number of brands: around 400 brands are targeted each month, mainly in the financial and payment services markets, but also in other sectors such as retail and social networking.

Blacklisting is the most common defence against phishing attacks. The method identifies phishing sites after they are launched and reported as suspicious, and then circulates this known list of phishing web pages, warning users when they attempt to navigate to these sites.

The main shortcoming of blacklisting is the time it takes for a phishing site to get onto the blacklist. The phishing site needs to be reported and then accurately identified as malicious in order to avoid false positives. Phishing sites are now typically hosted for only about 12 hours – their uptimes have decreased over the years. The phisher’s strategy these days is to host the phishing site for a few hours, entrap as many users as possible during this period, and then move on to another phishing site. The blacklisting process simply cannot operate fast enough to be an effective defence in this scenario, as unwary users are entrapped before the blacklist becomes active.
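The gap described above can be measured on an organisation's own traffic by comparing click times in a web proxy log with the time each URL became active on the blacklist. The following is an added example, not part of the original article; the log format, the `.test` URLs and all timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed proxy log lines: ISO timestamp, user, URL (sample data only).
PROXY_LOG = """\
2024-03-01T08:05:00 alice http://login-example-bank.test/secure
2024-03-01T08:40:00 bob http://login-example-bank.test/secure
2024-03-01T11:15:00 carol http://login-example-bank.test/secure
2024-03-01T19:30:00 dave http://login-example-bank.test/secure
2024-03-01T09:00:00 erin http://pay-example.test/verify
2024-03-01T09:20:00 frank http://pay-example.test/verify
"""

# Constructed blacklist feed: URL -> time the entry became active.
# The second URL was never listed (site gone before it was reported).
BLACKLIST = {
    "http://login-example-bank.test/secure": datetime(2024, 3, 1, 17, 0),
}

def exposure_report(log_text, blacklist):
    """Per URL: clicks made before/after listing, and first-click-to-listing lag."""
    clicks = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _user, url = line.split(maxsplit=2)
        clicks.setdefault(url, []).append(datetime.fromisoformat(ts))
    report = {}
    for url, times in clicks.items():
        times.sort()
        listed = blacklist.get(url)
        if listed is None:
            # Never listed: every click was unprotected and the lag is unknown.
            unprotected, lag = len(times), None
        else:
            unprotected = sum(t < listed for t in times)
            lag = max(listed - times[0], timedelta(0))
        report[url] = {
            "clicks": len(times),
            "unprotected": unprotected,
            "blocked": len(times) - unprotected,
            "lag": lag,
        }
    return report

if __name__ == "__main__":
    for url, row in exposure_report(PROXY_LOG, BLACKLIST).items():
        print(url, row)
```
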

In a recent development, phishers have begun using whitelisting to delay analysis of their phishing attacks by the security organisations that maintain blacklists. A new phishing toolkit dubbed “Bouncer” incorporates a unique ID in each email sent to potential victims. The tool validates the user’s IP address before displaying the phishing webpage. This process is used to block security firms from analysing the attack, further delaying the blacklist process.

Reactive techniques such as blacklisting are proving too slow and ineffective in the fast-moving world of phishing attacks. Proactive approaches which do not need to be modified for each new attack are the most effective defence.
