New browsers fail to curb phishing

Criminals have wised-up to blacklists by registering a new domain for each phishing run

Anti-phishing features inside popular browsers are failing to curb the onslaught of emails that attempt to steal confidential information.

Microsoft's Internet Explorer 7 and Mozilla's Firefox 2.0 incorporate blacklists that warn users when they attempt to visit known phishing websites. 

Both vendors claim to have been successful in stopping the attacks, but David Jevans, chairman of the Anti-Phishing Working Group (APWG), and chief executive at security firm IronKey, said at a meeting with reporters in San Francisco that this has not led to a decrease in the number of phishing emails. 

Criminals have wised-up to blacklists by registering a new domain for each phishing run. The result, according to Jevans, is an explosion in the number of unique phishing domains.

APWG records suggest that unique phishing domains rose from 11,976 a year ago to 37,438 last month. "The trend is not going in the right direction," Jevans said.

Registering a new domain for each phishing attack offers the criminal several hours to steal information between sending out the messages and the site being added to the blacklist.

In order to combat the practice in the short term, Jevans said that browser vendors should add heuristics systems that analyse the behaviour of a website and flag suspicious pages to the user.

But such systems can also mistakenly label many legitimate sites as phishing operations. 

The long term solution, according to Jevans, is a system that would allow for both websites and emails to be authenticated.

Such a system would require the cooperation of every major ISP, software vendor and hosting service, a monumentally expensive undertaking that Jevans admits is not likely to happen any time soon.

"Phishing emails are going to be with us for a while, unfortunately," he conceded.