Anti-Phishing Services: Pros and Cons
What Is Anti-Phishing?
Anti-phishing comprises a number of techniques used to prevent phishing attacks against an individual’s machine or an organization. Several anti-phishing services are available today to counter phishing attacks. These services usually work for both emails and websites.
Anti-phishing services can be classified into the following categories:
- Content Filtering. This involves filtering malicious content or email before it enters your mailbox.
- Blacklist-Based. This is based on a list of a large number of known phishing websites. When a new website is visited, it is compared with the websites in the blacklist. If the visited website is already in the blacklist, it is treated as an untrusted Internet site.
- Symptom-Based Prevention. This involves the analysis of the content of every web page that you visit and the generation of phishing alerts, based on the type and number of symptoms on each page.
- Domain Binding. In this anti-phishing technique, you are warned whenever you visit a domain that is not linked or bound to your credentials.
Familiarizing yourself with the wide array of anti-phishing services, including their advantages and disadvantages, will help you decide which of them best suits the needs of your organization. These anti-phishing services provide help by preventing and mitigating online fraud.
The most common anti-phishing services are discussed below.
Bayesian Content Filtering
Bayesian content filtering is a content-based anti-phishing approach that assesses the headers (From, Subject, Date, To, etc.) and contents of an incoming email to determine the probability that the email is legitimate. The Bayesian filter examines two separate groups, spam and legitimate emails, and compares the contents of both to create a database of words that includes header information, phrases, word pairs, HTML code, certain colours, and meta information.
For example, many internet users see the word “XXX” frequently on porn web pages, but rarely encounter it on other types of websites. The filter does not know this probability in advance; therefore, it must be trained so that it can build it up. To do so, an external “grader” or user must indicate whether a new web page is XXX porn or not. The filter sets the probabilities for all the words on each page and compares these words in porn websites against legitimate websites in its database. For instance, the filter learns a high probability for some porn terms, such as sex tape, Paris Hilton, and big breasts.
The vendors offering Bayesian content filtering technique include:
- Kaspersky Internet Security
- SpamAssassin
- SpamProbe
- Sophos PureMessage
- Brightmail
GoldPhish is the most popular tool that implements the content-based approach, and it uses the Google search engine for this purpose. Google gives higher ranks to firmly established web pages. GoldPhish relies on the fact that phishing websites are operational for only a short time and will therefore be rated with a lower rank.
Pros
- Bayesian content filtering can be trained on a per-user basis.
- It avoids false positives.
Cons
- Scammers use the “Bayesian poisoning” technique to circumvent Bayesian content filtering.
- Phishers sometimes bypass the filter’s database by transforming the words. For example, they may replace “Viagra” with “Viaagra.”
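The following added example (not code from any of the products listed above) trains a minimal naive Bayes filter on a constructed six-message corpus and scores the “Viagra”/“Viaagra” pair from the list above. The repeated-letter normalization is a hypothetical mitigation chosen for illustration; it is lossy and also merges some legitimate words.

```python
import math
import re
from collections import Counter

# Constructed training mail (not real messages): (label, text)
TRAINING = [
    ("phish", "verify your account now cheap viagra offer click here"),
    ("phish", "your account is suspended verify password click link"),
    ("phish", "viagra discount offer limited click now"),
    ("ham", "meeting notes attached see agenda for monday"),
    ("ham", "lunch on monday project report attached"),
    ("ham", "please review the project agenda and notes"),
]

def tokenize(text, normalize=False):
    words = re.findall(r"[a-z]+", text.lower())
    if normalize:
        # Hypothetical mitigation: collapse repeated letters ("viaagra" -> "viagra")
        words = [re.sub(r"(.)\1+", r"\1", w) for w in words]
    return words

def train(corpus, normalize=False):
    counts = {"phish": Counter(), "ham": Counter()}
    docs = Counter(label for label, _ in corpus)
    for label, text in corpus:
        counts[label].update(tokenize(text, normalize))
    return counts, docs

def phish_probability(model, text, normalize=False):
    counts, docs = model
    vocab = set(counts["phish"]) | set(counts["ham"])
    totals = {c: sum(counts[c].values()) + len(vocab) for c in counts}
    log_odds = math.log(docs["phish"] / docs["ham"])  # class prior
    for w in tokenize(text, normalize):
        if w in vocab:  # unseen tokens carry no evidence either way
            p = (counts["phish"][w] + 1) / totals["phish"]  # Laplace smoothing
            h = (counts["ham"][w] + 1) / totals["ham"]
            log_odds += math.log(p / h)
    return 1 / (1 + math.exp(-log_odds))

def demo():
    plain, norm = train(TRAINING), train(TRAINING, normalize=True)
    return {
        "original": phish_probability(plain, "cheap viagra"),
        "misspelled": phish_probability(plain, "cheap viaagra"),
        "misspelled_normalized": phish_probability(norm, "cheap viaagra", True),
    }

if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name}: {score:.3f}")
```

The misspelled token is unknown to the plain model, so it contributes no evidence and the score drops; normalizing both training and incoming text restores the original score.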
As mentioned, the blacklist contains a list of malicious URLs. Various methods are used to build the blacklist, for example, honeypots, manual voting, and heuristics from web crawlers. Whenever the user visits a URL, the web browser checks it against the blacklist to see whether the website is already listed. If so, the web browser warns the user not to submit personal information to this malicious internet site. The blacklist can be stored either on the user’s end or on the server of the service provider.
Google’s blacklist is referred to as Google Safe Browsing, and it takes around seven hours to be updated. Another example is SiteAdvisor, which is designed to protect against malware attacks, such as spyware and Trojan horses. Other vendors, such as Microsoft, Opera, and AOL, also offer blacklist-based anti-phishing methodologies.
Among many others, Netcraft is a software tool based on the blacklist methodology.
The main characteristics of the blacklist are timing, quality, and quantity (the number of URLs in the list).
There are instances when this type of service results in false positives. The updating process of the list can also be slow, so a new phishing website may prove to be detrimental because it has not yet been added to the blacklist.
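The lookup and the update gap described above can be shown with a small local blacklist. This is an added example, not the implementation of any vendor named here; the entries use reserved `.test` names and are constructed, and the host-suffix and path-prefix matching rule is an assumption.

```python
from urllib.parse import urlsplit, unquote

# Constructed entries (host + path prefix); not real indicators
BLACKLIST = {"login.bank-example.test/verify", "evil-example.test/"}

def canonical_key(url):
    """Reduce a URL to (host, path) so trivial variations cannot dodge the list.
    urlsplit().hostname is already lower-cased and excludes userinfo and port."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    path = unquote(parts.path) or "/"
    return host, path

def is_blacklisted(url, blacklist=BLACKLIST):
    host, path = canonical_key(url)
    labels = host.split(".")
    segs = [s for s in path.split("/") if s]
    # Try the full host, then each parent domain down to two labels
    for i in range(max(len(labels) - 1, 1)):
        h = ".".join(labels[i:])
        # Try every directory prefix of the path, longest first
        for j in range(len(segs), -1, -1):
            if h + "/" + "/".join(segs[:j]) in blacklist:
                return True
    return False

if __name__ == "__main__":
    for u in ("https://LOGIN.bank-example.test./verify/step2?x=1",
              "https://user@evil-example.test:8443/%61bc",
              "https://new-example.test/login"):  # not yet listed
        print(u, is_blacklisted(u))
```

The last URL returns `False` until an entry for it is added, which is the window in which a newly created phishing site goes undetected.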
The browser-integrated solution is based on the domain binding category of anti-phishing services. To mitigate phishing attacks, various browser-integrated solutions have been introduced. SpoofGuard and PwdHash are the best-known.
SpoofGuard examines web pages for phishing symptoms, such as obfuscated URLs, and raises alerts. PwdHash, on the other hand, generates domain-specific passwords that are acceptable only to their specific domains. If the password of one domain is submitted to another domain, it is rendered useless. For example, a password for www.yahoo.com would be different if submitted to www.attackers.com. Both SpoofGuard and PwdHash are installed as browser extensions.
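The domain-specific password idea can be sketched as follows. This is an added example and not the PwdHash extension's actual algorithm: the use of HMAC-SHA256, the 16-character output, and treating the last two host labels as the site's domain are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def site_domain(url):
    """Domain the password is bound to. Assumption: last two host labels;
    a production tool would consult the Public Suffix List instead."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def domain_password(master_password, url, length=16):
    """Per-domain password: HMAC keyed with the user's master password,
    computed over the domain of the page that will receive it."""
    mac = hmac.new(master_password.encode(), site_domain(url).encode(),
                   hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]

def login_succeeds(registered_url, submitted_password, master_password):
    """What the legitimate site sees: it only knows the value derived for
    its own domain, so a value derived for another domain fails."""
    expected = domain_password(master_password, registered_url)
    return hmac.compare_digest(expected, submitted_password)

if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    real = domain_password(master, "https://www.yahoo.com/login")
    phished = domain_password(master, "https://www.yahoo.com.attackers.com/login")
    print(real, phished, login_succeeds("https://www.yahoo.com/", phished, master))
```

A lookalike host such as `www.yahoo.com.attackers.com` binds to `attackers.com`, so the value it receives does not match the one registered at the real site.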
The tools used for this technique include:
- Google Safe Browsing
- Netcraft Toolbar
- eBay Toolbar
- McAfee Site Advisor
- VeriSign commercial Anti-Phishing Service
Pros
- PwdHash prevents password theft.
- SpoofGuard protects against unauthorized IP and MAC addresses.
Cons
- A captured password can be used at the target site.
Authentication-based anti-phishing is extremely important for online banking. Authentication is the process of allowing users access to system objects based on their identities. The main targets of scammers are market segments such as online banking and ecommerce. Authentication-based anti-phishing uses approaches including OpenID, two-factor authentication, multi-factor mutual authentication, and three-factor authentication.
OpenID is an open-standard, user-centric ID-management system. It allows the user to employ an existing account to sign in to multiple websites without creating a new account. The user may need to associate information with his OpenID that is shared with the web pages he visits, such as a name or email addresses. OpenID ensures that the user’s password is provided only to his identity provider and that the provider confirms his identity to the web pages he visits. Other than his provider, no web page can see his password.
Multi-factor mutual authentication is used for anti-phishing in the e-banking environment. In e-banking, transactions are performed online, and their verification is extremely important. Multi-factor authentication is the security system used to verify these online transactions. It also uses SSL/TLS and the HTTP protocol to secure the transaction between a customer and the bank server.
Three-factor authentication (3FA) uses identity-confirming credentials from three distinct categories of authentication factors: typically, the inherence, possession, and knowledge categories. The best examples of 3FA are biometrics, such as a user’s hand configuration, voice, fingerprint, and retina scan.
Vendors such as Microsoft and Yahoo offer the authentication-based approach. Another important vendor of this approach is Easy Solutions, based in Latin America. Easy Solutions is a member of the Anti-Phishing Working Group (APWG) and the American Bankers Association.
URL verification is one of the great advantages of three-factor authentication. According to a trusted source, 79% of phishing attacks are blocked by URL verification. OpenID decreases the detection times of phishing attacks.
In 3FA, fingerprinted images can be copied and scanned, voices can be recorded, and the recognition of facial images can be circumvented.
Knowing Which Anti-Phishing Service Is the Best for Your Organization
It is extremely important for the following entities:
- Commercial businesses
- Local, state, and federal governments
All of these face different risks, but they are trying to solve one or more of the following challenges:
- Protect clients’ and the company’s sensitive data
- Maintain compliance
- Avoid expensive legal liabilities on account of sexual harassment lawsuits
- Preserve network bandwidth by blocking unwanted traffic (content)
- Control access to client’s private data and records
- Protect children against porn content
Browser-integrated anti-phishing is a client-based approach; therefore, it is used to protect the large number of client machines associated with multinational corporations. In this way, the clients’ sensitive information can be protected from phishing attacks.
Blacklist-based anti-phishing is very effective for social media users. Facebook suggests that its users employ an up-to-date browser that features an anti-phishing blacklist.
Also, if you are a member of an online auction website, you can add other members to your personal blacklist. By doing so, they cannot ask questions or bid on your auctions. Also, they cannot use a function like “Buy it now” on your item.
Furthermore, this approach is widely used by email clients, such as Gmail, Yahoo, and Hotmail, for their users.
Internet banking and ecommerce stakeholders should employ effective proven technology, such as multi-factor authentication.
According to Frost & Sullivan Latin America, authentication services grew by approximately 28% in terms of revenues in 2010, driven by the banking sector, finance, and government organs.
Things You Should Consider in Choosing an Anti-Phishing Service Provider
Here are some of the most important criteria that you need to consider in choosing your provider:
- Your service provider should offer meticulous monitoring, authentication, and a quick takedown.
- Can they tailor a solution based on your organization’s risk profile and security needs?
- The service must have a strong detection capability and fast-documented takedown times.
- They must ensure end-to-end security against phishers through the following:
  - Threat detection through active scanning of URLs
  - Rapid site shutdown
  - Effective tracking of fraudulent activities
  - Keeping up-to-date with emerging fraud trends
  - Educating organizations about online threats and their risks
- They should assist in preparing a framework that can evaluate your fraud-protection program.