Sometimes you just cannot help it: you find yourself with time on your hands and you go snooping around in places that normal folk just do not venture. So it was with security researcher Michael Sutton, who spent an entire day plugging through the Google blacklist, the Google encoded/hashed blacklist and the Google domain whitelist.
The blacklist, in case you did not know, contains a huge listing of URLs that Google suspects might be involved in phishing activity, and forms the basis of the Google Safe Browsing tool for Firefox, and the new Firefox anti-phishing filter for that matter. Both of these allow for user feedback when a suspect site is stumbled upon, and one must assume that this is how the blacklist is compiled, although Google itself is keeping schtum.
What Sutton did reveal, though, was just how useful such an exercise in monotony can be, especially if you have an interest in phishing trends. So, for example, he discovered that a staggering 86% of the URLs listed were no longer actually available. Not surprising, as phishing crews tend to work on a ‘here today, gone later today’ basis to avoid getting caught. Less obvious was the fact that, of the sites that were still accessible, the majority employed simple social engineering tactics rather than the perhaps-to-be-expected zero-day exploits we read so much about. Once a conman, always a conman, I suspect. Which is why the soft targets, the easy touches of eBay, PayPal and Bank of America, accounted for a whopping 63% of all the active phishing site scams. Sutton was perhaps most amused, however, by his discovery that a significant number of sites used to scam visitors into handing over their Yahoo login credentials were hosted by none other than, yes you have guessed it, Yahoo.
Looking at the detail of his research, I was interested by the fact that very few of the phishing scams featured made any use of open URL redirection, which has in the past been a very popular technique, especially when it comes to redirecting from Google. Sutton did locate an attack using a Google AdWords redirection, but it was very much in the minority, so perhaps the phishers have moved on to technologies new?
Either that or, as Sutton concludes, the majority of phishing scammers are a lot less sophisticated than we give them credit for. And hey, why should they bother investing the time, effort and money into technically complex cons when there is still plenty of money to be made from millions of unsuspecting newbies (and some long-time Internet users who really should know better) who fall for the oldest cons in the book?
As long as people think that they might have won a lottery in a country they have never visited with a ticket they did not purchase, or will trust anyone claiming to be their bank asking for their username and password in order to update security files, there will always be money to be made.