Volunteer Reviewers Needed

I have noticed that Phishtank has gone from something where I could review the phish they had in one session of about two to three hours to impossible. It is not the only thing that has gone downhill. Here is what my, and others', email spam problem used to look like:
[image: email spam as it used to look]
Now it is malware, as numerous as the spam:
[image: malware now arriving as often as spam]
So kiss goodbye to any idea of help from "the man". I have been getting many hundreds of malware samples per day recently. I have been submitting what I can to VirusTotal, but the number has gone way beyond ridiculous. I can only assume that if the FBI didn't request it, they are in favor of it. Ditto for the US and Russian governments, the NSA, and the CIA. Look, we had millions of stolen credit card numbers at Target and Neiman Marcus at the end of 2013. Except for the contractors working on the problem, they seem to be going it alone. Right now the world is upside down.
First, you need the link to Phishtank. Here it is with the secure login specified, since they shift you to that whether you want it or not if you use their GUI to review. Trust me; it is to your advantage to use the secure route (port 443), since many Internet Service Providers will otherwise interpret the traffic as a sign that your machine is infected, and no, they will not see that you are going to PhishTank. Okay, here is where they are at:
Here are tips, mostly in whatever order they pop into my mind, to help you review the phish:
- I frown on the use of Windows for doing this. There is malware at Phishtank. Even worse, there is no button to say an entry is malware, which could be used to winnow those entries out. I have tried to encourage a redesign that has a malware button, but we won't get it. Use Windows only if you really know what you are doing. Avoid obvious malware links where the URL ends in ".cpl", ".exe" or similar. Better yet, use some sort of block mechanism that blocks those for you. Firefox on Linux is one recommended phish review combination. Be aware that Firefox doesn't handle iFrames. Opera has similar problems where it really is a phish but you don't see it. Either Firefox or Safari on Macintosh will also do nicely. You don't have to use the GUI, since Phishtank does provide lists, but I strongly discourage the list approach if you are using Windows.
- Okay, you ignored me and you are using Windows anyway. Then I advise skipping those entries where they don't show you a picture. Just be aware that if the picture shows Google Docs and the URL is definitely not Google Docs, that does not mean it is still a phish. Things come and go quickly here. What it does mean is that you can probably safely snatch the URL and try it out, since it at least was a phish.
- While working on these I have two lists showing in vim in an xterm: Phish and Not Phish. They list not the URLs but just the affected hosts; when I notice three or more phish at a domain, it goes into the phish list. Rather than blaze away calling them all phish, check them every so often during the session. Do not be surprised when a host moves from the phish list to the not-phish list even during the session. The list I use has the dates when I added each entry. These are helpful but volatile: anything older than 5-7 days in your list is probably gone.
- If the URL shown to you uses not a host name but an IP (IPv4) address, and it shows what was a phish, then it is still a phish. The only question remaining is whether the phish is still active or gone. What do I do? If the picture shows one of the many banks, Google Docs, or another known phish type, I mark it as a phish. It is never (well, almost never) a legitimate host. Instead it is a hacked Windows PC. See the two pictures in this blog entry? The machines sending the email messages are hacked Windows PCs. They are not supposed to be doing web-service duty or sending email directly. Mark them as phish and let us Linux and Mac reviewers put them to bed.
- You just got a redirect to Google, so the people fixed the problem, right? Wrong! Malware links in web pages frequently let only 5% to 15% of the people through to the malware. Often, they redirect the others to Google or do nothing. So how do you "fix a phish"? First, clean the server and install new web-server code. Second, close down the entire folder where all the phish live. Third, set all the phish links to redirect to your own home page. Fourth, set them to just return a blank line. In Firefox this can be viewed under Tools - Web Developer - Page Source. You will see a grayed-out 1, or 1 and 2, which means that many blank lines. But it is just as likely that the phishers themselves have set the phish to go to Google or some place else 85% to 95% of the time. The only valid redirect phish fix is a redirect to yourself. It showed Google Docs and now it shows Google? It is still a phish, since you and I don't know who did the redirect.
- If your filters caused a block and you know this some way, just click on "I don't know" or, preferably, just ask for the next entry. I use my PAC filter, but in a file with all of the phish rules stripped out of it. I then actually have to add some of the GoodDomains phish rules back in, but not the pair: e.g., the GoodDomains ebay rules may be added back in, but I don't put the other Bad rules for ebay in. We shouldn't be testing your phish filtration. We are reviewing the phish.
- I will put more here as they come to me. Right now I am handling a slug of malware where, despite the scam being the same, the malware is not. I am probably getting 5+ different types of malware per day.
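As an added example (not the author's own PAC file) of the "block mechanism" recommended above for ".cpl" and ".exe" links, and of the kind of PAC filter mentioned with the phish rules stripped out: a minimal proxy auto-config script that blackholes executable downloads and passes everything else through direct. The extension list beyond the two the post names and the 127.0.0.1:9 blackhole address are assumptions.

```javascript
// Added example PAC (proxy auto-config) script: only an executable-extension
// block, no phish rules. Not the author's PAC file. Assumptions: the browser is
// pointed at this file as its automatic proxy configuration, and nothing
// listens on 127.0.0.1:9, so a "proxied" request there simply fails to load.
var BLACKHOLE = "PROXY 127.0.0.1:9";
// Extensions treated as direct-to-malware downloads (assumed list built
// around the ".cpl" / ".exe" examples in the post).
var BLOCKED_EXTENSIONS = ["exe", "cpl", "scr", "pif", "com", "bat", "cmd", "msi", "hta", "vbs"];

// Return the path component of a URL string, stripping scheme, authority,
// query and fragment. Plain string handling only: PAC engines have no URL API.
function pathOf(url) {
  var s = String(url);
  var i = s.indexOf("#");
  if (i >= 0) s = s.slice(0, i);
  i = s.indexOf("?");
  if (i >= 0) s = s.slice(0, i);
  i = s.indexOf("://");
  if (i >= 0) s = s.slice(i + 3);
  i = s.indexOf("/");
  return i >= 0 ? s.slice(i) : "/";
}

// True when the last path segment ends in a blocked extension, regardless of
// letter case, a trailing slash, or a decoy double extension such as
// invoice.pdf.exe (only the final extension decides).
function hasBlockedExtension(url) {
  var path = pathOf(url).toLowerCase();
  while (path.length > 1 && path.charAt(path.length - 1) === "/") {
    path = path.slice(0, -1);
  }
  var last = path.slice(path.lastIndexOf("/") + 1);
  var dot = last.lastIndexOf(".");
  if (dot < 0) return false;
  return BLOCKED_EXTENSIONS.indexOf(last.slice(dot + 1)) >= 0;
}

// PAC entry point: blackhole executable downloads, everything else goes direct.
function FindProxyForURL(url, host) {
  return hasBlockedExtension(url) ? BLACKHOLE : "DIRECT";
}
```

Note that current browsers strip the path from https URLs before calling FindProxyForURL, so this check only sees the full path of plain http requests.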