
With a nasty grinding and crunching of over-used metaphors, the shiny new Internet Defence PhishTank has been pushed out of the laboratory, and is now on full display at http://phishery.internetdefence.net.

What is the phishery?

The Phishery is a real-time, automated device to capture and display phishing emails, and to keep tabs on what phake logon sites the phishermen are actually using. Phew, that’s got the surpheit of “Ph” out of the way!

The other day, I was reviewing the access logs to www.internetdefence.net, and noticed that we were getting quite a lot of hits from people searching either for a phishing email by reference to the clamav malware name, or by text contained in the email. Now, we do have quite a few references for these, but only casually interspersed through various articles. So it seemed to be a Good Thing to create a definitive, systematic archive of these. And so the Phishery was born.

Whenever a phishing email is detected, it is placed in the tank. Various useful bits of information are gathered, including a plain text rendering of the content (to aid in searches), plus a rather pretty rendering of the email (thumbnails and full size images).

However, the icing on the cake is that the phishtank also monitors the availability of the fake site - the one that the phishing email directs you to, to harvest the credentials from the victim. I’ve not seen this done before, and I’m hoping that it will yield some interesting information. This can be seen in the real time monitor part of the tank.
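An added sketch of the ingest step described above (not the Phishery's own code): it takes one raw email, produces the searchable plain text rendering, and extracts the hosts that the availability monitor would then watch. The sample message, the `ingest` function and all host names are constructed for illustration; the availability probe itself is omitted because it needs network access.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Example Bank" <alerts@bank.example>
To: victim@mail.example
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p>Please <a href="http://login.phish.example/verify">https://www.bank.example/login</a>
to confirm your details.</p></body></html>
"""

class _Render(HTMLParser):
    """Collects visible text and (href, link text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href"), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def ingest(raw):
    """Return (plain_text, hosts_to_monitor, mismatched_links) for one email."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Render()
    parser.feed(body.get_content())
    parser.close()
    plain = " ".join(" ".join(parser.text).split())  # collapse whitespace for search
    hosts = sorted({urlsplit(h).hostname for h, _ in parser.links
                    if urlsplit(h).hostname})
    # Visible link text naming a different host than the href is a phishing hallmark.
    mismatched = [(h, t) for h, t in parser.links
                  if urlsplit(t).hostname
                  and urlsplit(t).hostname != urlsplit(h).hostname]
    return plain, hosts, mismatched
```

Each host returned in the second element is a candidate for periodic availability checks, and the third element lists links whose displayed address differs from where they actually lead.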

For phishing emails that are not recognised by clamav, there is a risk of misidentification. I can’t really quantify that until we have enough data. But an example would be where a Viagra spam is sent out from, say, “alerts@barclays.co.uk”: so an email can have all the hallmarks of a phishing email, but not really be one as such. For these, there is a block on the display of the content, just in case the spam emails contain anything offensive, until they’ve been manually checked.

Anyway, enough on that, the best thing is to head over to the PhishTank, and check it out.

Update: To avoid confusion with what might be another phishing email related project at www.phishtank.com, this site is now called the “phishery” instead of the “phishtank”.
