This week Facebook recommended OpenDNS on its Security Page, the place Facebook users are encouraged to go to learn how to stay safe on Facebook and on the Internet. OpenDNS is recommended because it takes the guesswork out of identifying phishing scams for you. Even if you click a suspicious link sent to you in a message by your Facebook friend, or posted on your wall, we’ll still prevent you from being fooled by showing you a warning. That’s a lot of incentive to use OpenDNS.

Like other social networks, Facebook seems to be working hard to eliminate phishing on its site. The more popular a site becomes, the more phishers are inclined to use it for phishing and saying Facebook has been gaining in popularity as of late is an understatement.

While Facebook has been growing its global user base we’ve been growing ours, and a big part of the reason people choose OpenDNS is our anti-phishing service. PhishTank.com has identified and verified more than 300,000 individual phishing scams, all of which are blocked for our users.

We’re thrilled Facebook recommends our service.

We just posted PhishTank statistics for April 2008. No major surprises: The United States is, for the thirteenth straight month, hosting more phishes than any other country; A group of large banks, eBay, and PayPal round out the top most spoofed brands; And the PhishTank community of submitters and verifiers continues to have an impressively high accuracy rate.

The headlines tell us the phishers are not giving up. Seemingly every week we see reports of a new type of phishing scam. This week it’s Google AdWords phishing, where AdWords account holders are sent emails alerting them their account needs updating. The account holder logs into the spoofed AdWords interface and hands over their credit card information.

The AdWords phishing scam is interesting to me largely because, in lots of cases, it’s targeting businesses. People understand identity theft. But what happens when a business’s identity is stolen? There’s no easier or more efficient avenue to get reimbursed for a business than for an individual. Basically, whether you represent yourself or your company, you have to go to your credit card company and beg for forgiveness. (Whether or not it should be the banks — some of the most commonly spoofed brands — that are responsible for reimbursing money stolen through phishing is part of a separate debate.)

And the spoofed AdWords account interfaces, at least the ones I’ve seen, are good. I can easily understand how the marketing person tasked with managing AdWords for their company could be fooled. I know plenty of small and mid-size companies that rely on online advertising to drive traffic to their site, and see huge dents in revenue when something goes wrong and the traffic doesn’t come. That marketing person has plenty of incentive to make sure their account information isn’t wrong and nothing is preventing potential customers from seeing their ads.

Experts repeat the same warning about AdWords phishing that we’ve all heard about phishing in general for years: Educate yourself about phishing and look skeptically at URLs. Remember that as a general rule, you won’t be warned via e-mail that your account has been compromised, so if you are ever encouraged via e-mail to login to an account and update information, proceed with caution and look closely at the URL you’re encouraged to click.

Take for example, one of the AdWords phishes someone submitted to PhishTank. See the “d0l9i.cn” in the middle of the URL? If you open a new window and load http://adwords.google.com/select/login, you’ll see the real site’s URL doesn’t include that series of characters. That should be a red flag.

[NOTE: This is a known, verified phishing site. We recommend you do NOT visit it.]

OpenDNS users and users of other services leveraging PhishTank data — McAfee, Opera, Yahoo! Mail, Kaspersky Labs, to name a few — have an extra line of defense when it comes to phishing — they benefit from PhishTank and the wisdom of the community. But it’s abolsutely a good idea to learn to look for inconsistencies in URLs and think twice before providing sensitive information online, whether it’s your own or your company’s.

I’ll keep this one short.

David will be on the radio tonight. Gene Steinberg, the original Tech Night Owl himself, asked David to talk about the first PhishTank annual report.

Who: OpenDNS CEO David Ulevitch

What: Tech Night Owl LIVE with Gene Steinberg

When: 6 p.m. PST to 8 p.m. PST, Thursday, October 18, 2007

Where: www.techbroadcasting.com

How to listen: go to the Web site and turn up your volume.

If you miss the original broadcast, you can listen later.

As we mentioned over on the PhishTank blog, Mozilla, maker of Firefox, announced today it selected PhishTank data as the benchmark for comparing phishing protection in Firefox 2.0 and Internet Explorer 7.0. This is a big deal, considering the number of phishing-data sources to choose from.

The results? Firefox blocked 243 phishing sites that IE7 missed, making it the better of the two at blocking phishing sites, according to third-party evaluator (hired by Mozilla) Smartware.

Check out today’s articles about the testing in Slashdot, SearchSecurity and The Washington Post.

If you’re not a member of the PhishTank community yet, we hope this validation is the motivation you needed.

PhishTank is alive, and filling up.

PhishTank is a community anti-phishing Web site where anyone can go to submit suspected phishes, track the status of their submissions and help verify others’ submissions. Unlike other anti-phishing efforts that may come to mind, PhishTank is totally free to use and open to access.

After a qualified number of users collectively agree that a suspected phish is, in fact, a real phish, the phish becomes verified. (Amit drew the Digg parallel.)

But we didn’t stop there. Because we genuinely want to stop phishing and believe firmly that phishing data should not cost money, PhishTank has a free and open API. Our hope is that developers will use PhishTank data to build anti-phishing elements into their tools.

And you’ve probably guessed by now how OpenDNS uses PhishTank data. Once the PhishTank community collectively verifies a phish, we conduct an additional layer of checks and balances and ultimately block the phish for OpenDNS users (if the users have phishing protection enabled, of course). We still get phishing data from other sources, too, but we think you’re going to help make PhishTank our best source.

We want OpenDNS to be the best it can possibly be, and in order for that to happen we need the best phishing data available. But we’re not selfish — the data belongs to all of us.

Read more about PhishTank here and let us know what you think!

Update: While we encourage people to write code using the PhishTank API, this specific offer is no longer valid.

We’re looking for someone to write some sample (but working) code to help test an anti-phishing database API we’ve developed and are about to release for public use (for free!). We are busy working on a ton of projects right now and rather than divert our attention to writing plugins and extensions for apps we aren’t familiar with we figured we could pay one or two of you to do it for us instead. The code will be licensed under an open-source approved license, probably the Mozilla license, or something even more open. We basically just want our API to have some example implementations when we launch it next week.

Here’s the problem: time is of the essence! We want to have something ready to go public October 2nd, which means we really want to see a test version by Friday, September 29th. This will give us enough time to work out any bugs (in your code or our API) by the morning of Monday, October 2nd. That’s only a week from today (yikes!).

I want to offer some good incentives for you, especially since time is short. Feel free to pick some or all of the following:

• $300 for a Thunderbird extension which scans an email for URLs and checks them against our API and optionally submits suspected URLs from phishing emails into our API.
• $100 for a SpamAssassin plugin which just scans an email for URLs and checks them against our API
• $100 for another equally as cool open source project like Squid Cache, per our approval via email.
• A free lunch w/ our CEO at a good restaurant if you’re willing to come into San Francisco to have it. Our CEO (me) has good taste and gets to decide what a ‘good restaurant’ is, but it’ll be good.
• A blog post saying how much you rock.
• If you really are good, we are hiring and this is a fast-track way to get through the interview process.

Since you will be one of the first to use our API it might require some back and forth with us as we tune our API. It would help if you used Yahoo IM or AIM and spoke English. Other than that, we are pretty flexible about who you are. We posted a listing at RentACoder for a Thunderbird hacker but haven’t had any bites yet which is why we’re posting here. Unless you hear from us directly (John Roberts or myself) that you are hired, we make no guarantees.

You can post general questions here on the blog but specific questions should be sent to us via email (firstname at opendns dot com will get to John or myself).

We’ve been quiet recently. Too quiet.

Seriously, all of us are focused on two large projects, each of which will see the light of day shortly. Both of these efforts won’t surprise those who have been paying close attention to some of our previous writings.

Just to add to the behind-the-scenes fun, our growth (thank you!) has accelerated some of our storage upgrade plans, since we hate falling behind in our stats processing. As noted on the system status posts [1, 2], DNS services are not affected by stats processing, deliberately — but it means our pretty graphs get stuck until we catch up.

(And, yes, London is still in progress.)

Phishing prevention is not a “fire and forget” task. You have to make sure you have great data, double-check the information, and update the data to avoid “false positives.” And you have to do it all the time.

Different folks (see two below) have wondered publicly where our phishing data comes from and how OpenDNS uses the data. This post helps answer those questions, and more.

Phishing protection is a significant benefit to customers but it’s also a notable responsibility — under no circumstances does OpenDNS want to disrupt its customers’ normal Internet usage.

Note: if you just want speedy, reliable DNS without any protection from phishing, it’s available. (Not recommended, but available.) Use the OpenDNS preferences.

With that background out of the way, let me share what we added to our Frequently Asked Questions earlier this week.

How does OpenDNS decide if a site is a phishing site?

Currently, OpenDNS uses two methods for determining if a site is a phishing site:

1. Analysis of our network data, based on years of experience with DNS traffic.
2. Feeds from several network operators and others working against “Internet Bad Guys.”

There are three providers that we may identify and thank publicly for their participation:

1. Support Intelligence
2. Team Cymru
3. CastleCops PIRT

How do I report a phishing site to OpenDNS?

The fight against phishing isn’t just for the banks and big companies to tackle; you can help. Right now [July, 2006], we encourage submission of possible phishing sites via our contact form. Nothing will be blocked unless it’s verified.

How do I tell OpenDNS about a mistakenly-blocked site?

Every time OpenDNS shows the phish-blocked page (example), we offer the option to tell us to review the site. These requests are treated with urgency; we understand that false positives are painful, too.

Sites which are removed from the phishing list will be available to OpenDNS customers within one hour after review, and hopefully much sooner.

An extra detail: for the data from outside partners, we update our lists every six hours, including removing sites which no longer appear in the feeds.

PhishTank

PhishTank is a site OpenDNS will launch later this summer as a collaborative clearing house for data and information about phishing and malware on the Internet. PhishTank will be a free community site for validating and sharing this kind of data. There will be various statistics and an API, so anyone else who needs solid data to help fight Internet Bad Guys can use PhishTank as a source.

The point? The fight against phishing isn’t just for the banks and big companies to tackle; you can help. Several of you have sent us phishing URLs to add to our lists already — thank you! OpenDNS is selfishly interested in having the best, most up-to-date data available, but we don’t believe that proprietary data in this area is the answer: the API will be open to others, whether they contribute or not.

Too often now, phish reports go into a black hole where no response comes back and none of the aggregated intelligence is shared. PhishTank will be a solution to that problem.

Next steps

Yesterday, we were offered another validated feed of sites to avoid. Thanks! This looks to be a great additional resource, and once it’s confirmed and integrated, we’ll announce it here (with permission).

If you have data that will help us block the “Internet Bad Guys” from OpenDNS customers, please let me know. Use the contact form, or try me via direct email (first name at opendns.com).

p.s. As noted above, here are two blogs which took a look at OpenDNS right as we launched and wondered aloud about our phishing protection.

Another thing OpenDNS should work on ASAP is transparency. I’d really like to know the false positive rate on phishing sites. How many legitimate sites get flagged as a phishing site? (Tyler Longren, July 10, 2006)

Tyler, too early to have that specific stat, yet, but we hear you.

It looks like they are using blacklists to stop you from hitting known phishing sites. They don’t say where the list comes from or how ofter it is updated. (Mike Frank, July 11, 2006)

Mike, thanks for pushing us.