11:21 AM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

NSS Labs Reveals Browsers' Anti-Phishing Progress And Phishers' New Tactics

Examined four leading browsers -- Apple Safari, Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox

AUSTIN, TX--(Nov 28, 2012) - NSS Labs today released the latest results and analysis from its web browser security comparative series which evaluated the phishing protection offered by the four leading browsers -- Apple Safari, Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox. During the 10-day test period, the average phishing URL catch rate ranged from 90% for Firefox 15 to 94% for Chrome 21 -- a significant improvement from 2009 testing where the average block rate was 46%. The average time it took the tested browsers to block a phishing URL also improved to 4.87 hours versus 16.43 hours in 2009 tests.

These test results show that web browsers, an important first line of defense, have improved their ability to detect and block malicious phishing sites sufficiently promoted through fraudulent messages to be more quickly logged in reputation-based systems updating browsers' blocking features. As a result, attackers must create and rotate phishing URLs far more frequently in order for them to be effective. Browsers' reputation-based defenses, as a rule, offer less protection from more narrowly targeted phishing attacks, such as those aimed at government and financial services organizations and likely launched selectively in an effort to evade reputation system recognition.

View the NSS Labs 2012 Browser Security Comparative Analysis Report - Phishing Protection.

Key browser security test conclusions for phishing protection include:

The number of malicious, phishing-linked URLs is growing significantly: Phishing continues to be one of the top attack vectors used by cybercriminals to gain access to systems and sensitive data. While the number of reported phishing attacks peaked in 2009, the average number of phishing sites detected has been on the rise from under 40,000 per month in 2011 to over 50,000 per month in 2012. Seconds count in the war on phishing: The new challenge for web browsers is to quicken blocking response times. With phishing sites now rotating at a much faster pace, it is critical for browsers to identify and block sites more rapidly. The average uptime for sites linked to phishing attacks in 2012 is around 23 hours; down from a high of 73 hours in 2010. The zero-hour block rates for the browsers tested against brand new malicious URLs ranged from Chrome 21 at 53.2% to Safari 5 at 79.2%. Firefox 15 had the fastest average block time at 2.35 hours, while all other browsers ranged from 5.38 to 6.11 hours. While all the browsers blocked over 83% of the phishing URLs used in testing by end of day one; it took 3 - 5 days for each to reach its maximum block rate. Phishing protection is just one of many browser security factors to consider: While all browsers average above a 90% block rate for phishing, end-users and enterprises should also take protection against other threats -- such as malware and drive-by downloads -- into consideration when selecting a browser. Although Firefox and Safari performed well in phishing response times, separate NSS Labs testing shows they lag behind Internet Explorer and Chrome in blocking socially-engineered malware. In overall malware testing, Internet Explorer blocked over 99.1% of malicious downloads, while Chrome was a distant second blocking only 70.4%, followed by both Firefox and Safari blocking less than 6%. Results of all previous browser security tests performed by NSS Labs can be found online at www.nsslabs.com.

Commentary: NSS Labs Research Director Randy Abrams "Phishing has been a pernicious threat for several years and the variety of measures designed to mitigate the problem have yet to decrease the prevalence of such attacks. Recent advances in reputation-based blocking systems are reaching maturity and now afford consumers and enterprises significant protections against the less sophisticated attacks," said Randy Abrams, Research Director at NSS Labs. "Still, the availability of cheap and disposable domains allow criminals to rapidly change the location of phishing sites. The result is that even a site that is live for only a few hours can evade detection and ensnare enough unwary consumers to be a profitable criminal endeavor. Sophisticated spearphishing campaigns continue to be highly problematic to defend against. It is important that developers harden browsers to block not only phishing attacks, but also other threats, such as socially engineered malware and drive-by downloads as these remain popular and effective attack vectors for cybercriminals."

The products covered in this test were:

Apple Safari 5 Google Chrome 21 Microsoft Internet Explorer 10 Mozilla Firefox 15

About NSS Labs, Inc. NSS Labs, Inc. is the world's leading information security research and advisory company. We deliver a unique mix of test-based research and expert analysis to provide our clients with the information they need to make good security decisions. CIOs, CISOs, and information security professionals from many of the largest and most demanding enterprises rely on NSS Labs' insight, every day. Founded in 1991, the company is located in Austin, Texas. For more information, visit www.nsslabs.com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.