Filters can't stop phishing attacks: NCR


Software filters that are designed to block access to fraudulent Web sites are largely ineffective at protecting against new attacks, according to security experts.

A number of companies -- including Microsoft, McAfee and Neowin -- have developed anti-phishing filters that are designed to warn users if they attempt to access a known or potential phishing Web site. The filters are made to combat the growing problem of fake Web sites that attempt to dupe Web users into divulging personal information.

But these filters are relatively useless because many phishing Web sites go offline quickly, and the filters are unlikely to be updated in time to protect users, said NM Suprabhat, South Asia Pacific marketing manager for software and security at NCR.

"I think the fraudsters are operating much faster than that [filters]. Most of these [phishing] sites are there for less than a couple of hours," said Suprabhat.

According to Tariq Sharif, program manager on Microsoft's IE Security team, the phishing filter being built into the upcoming IE7 browser will attempt to recognise potential phishing sites using heuristics, and by looking up a list kept online by Microsoft -- but he admits that the system has its flaws.

"When you visit a site that uses common phishing tactics but isn't listed on the server as a known phishing site, Phishing Filter will display a strong yellow alert.... Since the Phishing Filter heuristics are based on a learning machine, there might be a case where an actual phishing site may not even be flagged as suspicious (false negatives) and some sites which are legitimate could be marked as suspicious (false positive)," Sharif wrote in a recent blog entry.

Sharif said that, to help fight the problem of false positives and negatives, the browser would have to be in continuous contact with Microsoft's phishing server, which he said would "not scale very well".

"Therefore to keep the number of mistakes to its lowest and for Phishing Filter to work most effectively it contacts the Microsoft servers to determine if a Web site is phishing or not," said Sharif.

The Anti-Phishing Working Group recorded more than 14,000 phishing reports in July 2005. On average, a site remained online for about six days.

James Turner, security analyst at Frost & Sullivan Australia, compared anti-phishing technology to anti-virus technology, which is also dependent on an attack being launched before it can be defended against.

"There are some [phishing Web sites] that are going to be there for two weeks and others that will be there for a few hours. Signature-based antivirus is totally at the mercy of when [the virus] is identified to when it is inoculated against -- that is a huge issue. With the constant threat of zero day attacks, signatures can't carry us forward," said Turner.

According to NCR's Suprabhat, the problem is getting worse as phishers become better at creating more authentic [yet illegal] Web sites: "I have seen some of these phishing examples -- I think even a bank employee would get fooled. Those sites are so well made and so cleverly written. Two hours is enough... to keep [the phisher] in business."