Browsers fail to curb phishing

Anti-phishing features inside popular browsers are failing to curb the onslaught of emails that attempt to steal confidential information.

Both the Internet Explorer 7 and Firefox 2.0 browsers incorporate blacklists that warn users when they attempt to visit known phishing websites.

Although the vendors behind those browser claim to be succesful in stopping the phishing attacks, this hasn't lead to a decrease in the amount of phishing emails, David Jevans, chairman of the Anti-Phishing Working Group (APWG) chief executive for security firm IronKey said at a meeting with reporters in San Francisco.

Insted criminals have wised-up to blacklists by registering a new domain for each phishing run. The result, claims Jevans, is an explosion in the number of unique phishing domains recorded. Up from 11,976 a year ago to 37,438 last month, according to APWG records.

"Definitely the trend is not going in the right direction," Jevans said.

Registring a new domain for each phishing attack offers the criminal several hours to steal information between the times when they send out their email messages and when their site is added to the blacklist.

In order to combat the practice in the short term, Jevans advises that browser venders add heuristics systems that analyze the behaviour of a website and flag suspicious pages to the user.

Those heuristics systems can also mistakenly label many legitimate sites as phishing operations, however.

The long term solution, suggests Jevans, is for a new system to be established that would allow for both web sites and e-mails to be authenticated.

Such a system, however, would require the cooperation of every major ISP, software vendor, and hosting service, a monumentally expensive undertaking that Jevans admits is not likely to happen any time soon.

"This stuff is going to be with us for a while, unfortunately," he conceded.