We just posted PhishTank statistics for April 2008. No major surprises: The United States is, for the thirteenth straight month, hosting more phishes than any other country; A group of large banks, eBay, and PayPal round out the top most spoofed brands; And the PhishTank community of submitters and verifiers continues to have an impressively high accuracy rate.

The headlines tell us the phishers are not giving up. Seemingly every week we see reports of a new type of phishing scam. This week it’s Google AdWords phishing, where AdWords account holders are sent emails alerting them their account needs updating. The account holder logs into the spoofed AdWords interface and hands over their credit card information.

The AdWords phishing scam is interesting to me largely because, in lots of cases, it’s targeting businesses. People understand identity theft. But what happens when a business’s identity is stolen? There’s no easier or more efficient avenue to get reimbursed for a business than for an individual. Basically, whether you represent yourself or your company, you have to go to your credit card company and beg for forgiveness. (Whether or not it should be the banks — some of the most commonly spoofed brands — that are responsible for reimbursing money stolen through phishing is part of a separate debate.)

And the spoofed AdWords account interfaces, at least the ones I’ve seen, are good. I can easily understand how the marketing person tasked with managing AdWords for their company could be fooled. I know plenty of small and mid-size companies that rely on online advertising to drive traffic to their site, and see huge dents in revenue when something goes wrong and the traffic doesn’t come. That marketing person has plenty of incentive to make sure their account information isn’t wrong and nothing is preventing potential customers from seeing their ads.

Experts repeat the same warning about AdWords phishing that we’ve all heard about phishing in general for years: Educate yourself about phishing and look skeptically at URLs. Remember that as a general rule, you won’t be warned via e-mail that your account has been compromised, so if you are ever encouraged via e-mail to login to an account and update information, proceed with caution and look closely at the URL you’re encouraged to click.

Take for example, one of the AdWords phishes someone submitted to PhishTank. See the “d0l9i.cn” in the middle of the URL? If you open a new window and load http://adwords.google.com/select/login, you’ll see the real site’s URL doesn’t include that series of characters. That should be a red flag.

[NOTE: This is a known, verified phishing site. We recommend you do NOT visit it.]

OpenDNS users and users of other services leveraging PhishTank data — McAfee, Opera, Yahoo! Mail, Kaspersky Labs, to name a few — have an extra line of defense when it comes to phishing — they benefit from PhishTank and the wisdom of the community. But it’s abolsutely a good idea to learn to look for inconsistencies in URLs and think twice before providing sensitive information online, whether it’s your own or your company’s.

This is my first post to this blog and probably a good time to introduce myself as one of the developers here at OpenDNS. I do a lot of work on Domain Tagging, and in the past few weeks have made a bunch of changes that make Domain Tagging faster than ever. That means domains get verified faster, added to categories faster and blocked faster.

I’d also like to welcome 7 new moderators we brought onboard this week. We’re really happy to have them help out, and I’m sure they’re also excited to be a part of the moderator community. So welcome guys, you’re a huge asset to a great community!

The Domain Tagging system has been a huge success for us, and for everyone who uses it. Here’s a few numbers to illustrate:

31: The number of categories the system had when we launched in late February.

53: The number of categories in the Domain Tagging system today.

15,000: The number of decided domains in the “Proxy/Anonymizer” category.

Note: This number doesn’t even include the domains from St. Bernard, which number in the millions.

418,701: The number of decided domains system-wide.

903,536: Number of domains submitted to Domain Tagging (so close to a milestone…)

4 Million: The number of Internet users whose experience is made safer by Domain Tagging.

Have a great weekend!

Congratulations are in order today to CEO David Ulevitch.

It comes as no surprise to us, and probably you too, that David was named one of BusinessWeek magazine’s “Most Promising Entrepreneurs Under the Age of 30.” (Yes, he’s only 26.) You can read the entire feature here, but the gist is this: The BusinessWeek editorial staff gets together once a year and selects a handful of high-tech entrepreneurs that are clear standouts among their peers. These are people that are expected to do great things over the course of their careers - this year eleven people were awarded the honor.

Given where David has taken OpenDNS thus far and all the significant “firsts” OpenDNS is responsible for, I know BusinessWeek made the right decision including him.

We just launched a subtle new feature for all OpenDNS account holders (it’s free) that helps protect against a class of DNS vulnerabilities known as DNS Rebinding attacks. In short, these attacks take advantage of design flaws or weaknesses in how some Internet applications (notably web browsers) cache DNS data so that internal network resources can be accessed by external servers regardless of firewall settings.

This can happen because the browser (or similarly exploitable vector) acts as a conduit between the private internal resource and the external server. In plain English this means that some bad guy on the Internet can access your home access point, wireless access point, internal file server or any other networked device on your network just by getting you to load some javascript on a webpage.

While this might seem like a browser issue, it’s fundamentally a DNS issue. This is why OpenDNS created what will become a new class of filtering tools called Suspicious Response Filters.

These new filters are different from the filtering options we’ve offered to date in one important way. Rather than filtering based on the DNS question being asked (eg, “Where is foo.com?”) these filters inspect the DNS reply before we send it back to you (eg, “Does this reply point to an internal resource?”). Like most of our features, this is an industry first. No other major DNS software or service offers anything like this.

When I started OpenDNS I often told people one of my main goals was to design a global DNS service that empowered people to let the good DNS in and keep the bad DNS out, for whatever definition of good and bad they had. This feature gets us one step closer to delivering on that promise.

The feature is turned off by default, but I encourage everyone to go into your account and turn it on. Those of you with domains that point to private address space legitimately (to your intranet, for example) should also visit the domain whitelist page and whitelist your domain. Naturally, any domain in your whitelist will not have its responses filtered in any way and will be explicitly allowed.

Today kicks off the March Madness basketball tournament and in case you haven’t heard, CBS is broadcasting all 63 NCAA games live - and free - on the Internet. All you need is broadband to tune in.

What makes this particularly relevant to YOU is the fact that many of the games are being played during the workday.

According to an article in the San Jose Mercury News, network admins are blocking the site(s) broadcasting the games because they’re concerned all that streaming video is going to slow down their networks. Unlike the reasons you might block adult sites or social networking sites, there’s nothing inappropriate or unsafe about the NCAA tournament. But without question if several people on your network were watching the games, it could slow things down.

The SJ Mercury is doing a poll, asking people if video is blocked where they work. Right now it’s almost a tie between yes and no answers.

Are you blocking the games?

(If you aren’t and want to, it’s as easy as signing into your account and adding NCAASports.com to your block list. )