informa
4 min read
article

Shoes of a Phisherman

It takes remarkably little to get your Website mis-labeled as a phishing site

11:50 AM -- I have had the distinction of having my site added to anti-phishing lists three times now. The first two were during tests of anti-phishing technologies, and I probably deserved it. The third time, however, was a complete surprise to me.

One of the users of my site randomly discussed a certain vulnerability found in lots of Websites. He even went so far as to write out the URLs of two sites by name, and poof, within 24 hours I was on the blacklists for Internet Explorer and Firefox. Now mind you, my site looks nothing like a phishing site, not to mention the sites that were named, nevertheless anyone seeing my page would be warned that my site is a potential phishing attack.

The ramifications for me in particular were minor. The site chugged along, and really only a very small handful of people even noticed at all. If anything, it was funny to me, because I have next to nothing to lose in having my site marked as a phishing site. However, I'm one of the few.

Think about the ramifications for an e-commerce site. Let's say there is a discussion board where anyone can enter any text they like. If you were running such a company, would you feel comfortable with having this text on your page knowing that it could damage your brand and in fact stop people from visiting your site?

And consider this: How would you even stop something like this once it has started? Thankfully, I noticed right away, and I am easy to get in touch with if someone else had it noticed first. But many organizations aren't as accessible, nor do they have someone viewing each page with a modern browser to insure that there is nothing wrong with the site. All it took was two small lines of text and my site was added to a phishing list. How ridiculously easy is that?

Think about the damage one organization could do if it used this against its arch competitor. Plus, the best part is there is a large amount of plausible deniability, because the sites are often mentioned in conversation due to their size.

What's a webmaster to do? Can you monitor your site to make sure there is no such text? Is there an API provided by the anti-phishing companies to allow you to validate that your text is not going to end up on the phishing lists? Of course not, that would make it too easy for the bad guys.

Both Firefox and Internet Explorer have ways for you to declare that sites are not phishing sites. Both also have forms to fill out if you are the owner of the site or know that it is not a phishing site. I did not have to provide any proof of who I was or even that I owned the site. It was rather quick for both browser sites to verify that I wasn't a phisher. Clearly, they didn't spend the same amount of time adding my site to the phishing filter in the first place, or it would have saved me some trouble.

So where does that leave us? I guess we'll have to stay vigilant, and watch our customer service calls for any activities that could harm our businesses. In the meantime, thankfully it only took three-four hours to get myself off all the lists once I noticed the problem.

I'm not sure how long it had been on the lists (24 hours or less), but any time that a business is that heavily impacted by anti-phishing technology is too much time, I'd say.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading