Sometimes you just cannot help it, you find yourself with time on your hands and you go snooping around in places that normal folk just do not venture. So it was with security researcher Michael Sutton who spent an entire day plugging through the Google blacklist, the Google encoded/hashed blacklist and the Google domain whitelist.

The blacklist, in case you did not know, contains a huge listing of URLs that Google suspects might be involved in phishing activity, and forms the basis of the Google Safe Browsing tool for Firefox, and the new Firefox anti-phishing filter for that matter. Both of these allow for user feedback when a suspect site is stumbled upon, and one must assume that this is how the blacklist is compiled although Google itself is keeping schtum.

What Sutton did reveal, though, was just how useful such an exercise in monotony can be, especially if you have an interest in phishing trends. So, for example, he discovered that a staggering 86% of the URLs listed were no longer actually available. Not surprising, as phishing crews tend to work on a ‘here today, gone later today’ basis to avoid getting caught. Less obvious was the fact that, of the sites that were still accessible, the majority employed simple social engineering tactics rather than the zero-day exploits we might have expected and read so much about. Once a conman, always a conman, I suspect. Which is why the soft targets, the easy touches of eBay, PayPal and Bank of America, accounted for a whopping 63% of all the active phishing site scams. Sutton was perhaps most amused, however, by his discovery that a significant number of sites used to scam visitors into handing over their Yahoo login credentials were hosted by none other than, yes, you have guessed it, Yahoo.

Looking at the detail of his research, I was interested by the fact that very few of the phishing scams featured made any use of open URL redirection, which has in the past been a very popular technique, especially when it comes to redirecting from Google. Sutton did locate an attack using a Google AdWords redirection, but it was very much in the minority, so perhaps the phishers have moved on to newer techniques?
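The kind of triage Sutton did by hand can be partly automated. The script below is an added example, not Sutton's tooling or anything from Google's Safe Browsing project: it walks a constructed list of blacklist-style URLs, flags entries that use open URL redirection (a query parameter whose value is an absolute URL to a different host), and tallies which brand each entry impersonates using a small keyword table. The domains, the brand keyword table and the sample URLs are all assumptions made up for the illustration; the reachability check that produced the 86% figure is deliberately left out so the example runs offline.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample entries in the style of a phishing blacklist.
# None of these are real blacklist entries; every domain is a placeholder.
SAMPLE_BLACKLIST = [
    "http://signin-paypal-secure.example.net/cgi-bin/webscr",
    "http://redirector.example.com/url?q=http://ebay-verify.example.org/login",
    "http://pages.example-host.com/yahoo_account_update/index.html",
    "http://bankofamerica.example.com.attacker.example/online",
    "http://ads.example.com/redirect?url=http%3A%2F%2Fpaypal-update.example/verify",
]

# Hypothetical keyword table: substring of host or path -> impersonated brand.
BRAND_KEYWORDS = {
    "paypal": "PayPal",
    "ebay": "eBay",
    "bankofamerica": "Bank of America",
    "yahoo": "Yahoo",
}


def redirect_target(url):
    """Return the external URL a query parameter forwards to, or None.

    An open redirect is recognised when any query parameter value parses as
    an absolute http(s) URL whose host differs from the host serving the page.
    parse_qs percent-decodes the value, so an encoded target is handled too.
    """
    parsed = urlparse(url)
    for values in parse_qs(parsed.query).values():
        for value in values:
            candidate = urlparse(value)
            if (
                candidate.scheme in ("http", "https")
                and candidate.netloc
                and candidate.netloc.lower() != parsed.netloc.lower()
            ):
                return value
    return None


def target_brand(url):
    """Guess which brand a blacklist entry impersonates.

    If the entry is an open redirect, the brand is looked up on the final
    destination rather than on the (often legitimate) redirecting host.
    """
    effective = redirect_target(url) or url
    parsed = urlparse(effective)
    haystack = (parsed.netloc + parsed.path).lower()
    for keyword, brand in BRAND_KEYWORDS.items():
        if keyword in haystack:
            return brand
    return "unknown"


def summarise(urls):
    """Count open-redirect entries and impersonated brands across a list."""
    open_redirects = sum(1 for u in urls if redirect_target(u) is not None)
    brands = Counter(target_brand(u) for u in urls)
    return {
        "total": len(urls),
        "open_redirects": open_redirects,
        "brands": dict(brands),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_BLACKLIST)
    print(f"{report['open_redirects']} of {report['total']} entries use open redirection")
    for brand, count in sorted(report["brands"].items(), key=lambda kv: -kv[1]):
        print(f"  {brand}: {count}")
```

Running it over the constructed list reports two open-redirect entries out of five, with PayPal the most impersonated brand; on a real list the same two functions would let you reproduce the "share by brand" and "share using redirection" figures Sutton arrived at by reading each entry.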

Either that or, as Sutton concludes, the majority of phishing scammers are a lot less sophisticated than we give them credit for. And hey, why should they bother investing the time, effort and money into technically complex cons when there is still plenty of money to be made from millions of unsuspecting newbies (and some long time Internet users who really should know better) who fall for the oldest cons in the book?

As long as people think that they might have won a lottery in a country they have never visited with a ticket they did not purchase, or will trust anyone claiming to be their bank asking for their username and password in order to update security files, there will always be money to be made.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011, despite my life being far from over...