Principles behind IE7’s Phishing Filter

My last post was intended to introduce our overall security strategy and the specific features in IE7 Beta1 for XP SP2 and Windows Vista. A lot of responses to my post were questions about why and how the Microsoft Phishing Filter in IE7 will check websites. We have also heard from a number of site owners who want to know how they can correct an evaluation of “suspicious” or “confirmed phishing”. Before we continue posting on the rest of the IE7 security features, I want to let you know that we’re listening to your feedback about the Phishing Filter and take this opportunity to clarify the process.

The prime directive of the Phishing Filter feature is to help protect users from phishing websites, while maintaining user privacy and being transparent and flexible about how we do it. Protecting your privacy means we will not collect personally identifiable information, we will explain clearly how the feature works, we will give you the choice to use it only when you want to, we will provide a clear indication of how we will use any data, and we’ll use SSL encryption to help protect any queries you send to the anti-phishing server. These are the principles we used to design the Phishing Filter.

  1. Readers asked why we decided to use real-time lookups against the anti-phishing server rather than an intermittently downloaded list of sites, the way an anti-spyware product might. We included real-time checking for phishing sites because it offers better protection than static lists alone and avoids overloading networks. Phishing Filter does have an intermittently downloaded list of “known-safe” sites, but we know phishing attacks can strike quickly and move to new addresses, often within a 24-48 hour period, which is faster than we could practically push out updates to a list of “known-phishing” sites. Even if the Phishing Filter downloaded a list of phishing sites 24 times a day, you might not be protected against a confirmed, known phishing site for an hour at a time, at any time of day. Because Phishing Filter checks unknown sites in real time, you always have the latest intelligence. There would also be network scale problems with requiring users to constantly download a local list. We think the number of computers that could be used to launch phishing attacks is much higher than the number of spyware signatures that users deal with today. In a scenario where phishing threats move rapidly, downloading a list of newly reported phishing sites every hour could significantly clog internet traffic.

  2. Readers asked about how the data from the Phishing Filter will be used. We want to be very clear about this so we actually updated the privacy statement last week to spell it out in more detail: We use the data to make the Phishing Filter service better and constantly improve the level of accuracy in our results, not to personally identify you.

    The updated privacy statement also explains how and when the Phishing Filter will check sites.

    • No site will be checked on the server unless you choose to enable the feature.
    • Phishing Filter only checks sites that aren’t in IE’s downloaded “known-safe” list.
    • Potentially sensitive data, like the URL query string, is stripped out of the URL before it’s sent to the server for checking. Other types of navigation-related information, like HTTP cookies, are not sent to Microsoft.
    • The URL is sent securely over an encrypted SSL connection to help protect your privacy.

    You may not find the privacy statement to be a page turner, but it does represent our promise to you. I hope this clarification helps dispel a conspiracy theory or two.

  3. Folks have also raised concerns about how Microsoft will judge sites for the confirmed-phishing-site list. We want you to know that the process to evaluate reported phishing sites will be fair, simple and clear. To be sure it’s fair, the process will allow sites to ask for a reevaluation if the site owner does not agree with the Phishing Filter rating. You won’t have to find a support number to call; instead, the link to report an incorrect evaluation is built into the UI of IE7. If you dispute an evaluation by the Phishing Filter, the situation will be addressed as quickly as possible. If the review process determines that there was a mistake on the part of the Phishing Filter, your site will instantly be restored to good standing once it’s been reevaluated as not-phishing. The Phishing Filter whitepaper includes more information about best practices to prevent your site from being marked suspicious.
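
As an added example (not Microsoft’s code, and not a description of how IE7 actually implements this), the following Python models the client-side rules stated in points 1 and 2 above: nothing is checked unless the feature is enabled, a site on the downloaded “known-safe” list is never sent to the server, and for everything else the query string is removed before the URL leaves the machine. The sample safe list, the parent-domain matching rule, and the additional removal of the fragment and any user:password@ part are assumptions made for this example.

```python
"""Model of the client-side checks before a real-time phishing lookup.

Added example, not IE7's code. It models the rules the post states:
  - nothing is checked unless the user enabled the feature;
  - sites on the local "known-safe" list are never sent to the server;
  - the query string is stripped before the URL is sent.
Everything else below is an assumption made for this example.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the downloaded "known-safe" list (assumption).
KNOWN_SAFE = frozenset({"microsoft.com", "msn.com"})


def is_known_safe(host: str, safe_list=KNOWN_SAFE) -> bool:
    """True if host, or a parent domain of it, is on the local safe list.

    Matching parent domains (search.msn.com -> msn.com) is an assumption;
    the bare public suffix ("com") is never treated as a match.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in safe_list for i in range(len(labels) - 1))


def strip_for_lookup(url: str) -> str:
    """Return the form of the URL that would be sent to the server.

    The query string is dropped as the post describes; the path is kept
    unchanged. Dropping the fragment and any user:password@ part as well is
    an extra choice made in this example, since both can carry user data.
    """
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]  # remove credentials, keep host:port
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def decide(url: str, enabled: bool = True) -> dict:
    """Decide whether a lookup happens and what would leave the machine.

    Returns {"lookup": bool, "sent": str | None}. Cookies and other
    navigation data are never part of the request, so only the URL appears.
    """
    if not enabled:
        return {"lookup": False, "sent": None}
    host = urlsplit(url).hostname or ""
    if is_known_safe(host):
        return {"lookup": False, "sent": None}
    return {"lookup": True, "sent": strip_for_lookup(url)}


if __name__ == "__main__":
    # The privacy statement's own example: the search term never leaves the client.
    print(strip_for_lookup("http://search.msn.com/results.aspx?q=MySecret&FORM=QBHP"))
    # Constructed unknown host: a session id embedded in the path is still sent.
    print(decide("http://login-verify.example.net/s/abc123/verify.aspx?user=bob#top"))
```

Note that only the query string is removed; a path segment that carries a session id or similar data is sent as part of the URL, exactly as the post’s description implies.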

I hope this has helped folks understand the benefits of getting dynamic protection with a real-time service. I encourage you to try it out. Even if you turn real-time protection off, it’s nice to know that you can always manually check on a site if you have reason to suspect foul play.

Tariq’s post is teed up and will go into way more detail about the UX and how Phishing Filter actually works. If you have questions like that you should hold for him. If you have questions or feedback on the privacy concerns, fire away!

Thanks,
Rob Franco

Update: Changed the link of the phishing filter whitepaper to reflect the correct URL (it got changed).

Comments

  • Anonymous
    January 01, 2003
    [If the review process determines that there was a mistake on part of the phishing filter, your site will instantly be restored to good standing once it’s been reevaluated as not-phishing.]



    Also if a filter has made a "mistake" - please keep some database and analysis of WHY it came to those conclusions - and use the info to further "tweak" the filtering ALGOs

    All in All - this technology is long overdue
    :-)

    Also those "phishing" pages - if they appear on MSN Search - should be automatically "banned" from the SERPs ....

    and if the domains are owned by one person - the entire domain should be banned permanently!!

  • Anonymous
    January 01, 2003
    So, it's gonna be a "Manual Verification" to see if a "reported site" is really phishing?
    So the process has a delay? Is there any kind of SLA? Because a phishing site has a short TTL, and if this manual verification isn't done fast enough, it could be too late.

  • Anonymous
    January 01, 2003
    Just for the record, you guys are doing a really good job of keeping information flowing.

  • Anonymous
    January 01, 2003
    Just for the record, it's remarkable what you are not talking about. Time to unsubscribe from this feed.

  • Anonymous
    January 01, 2003
    Rob, you still haven't cleared our doubts that the thing actually works... Give us URLs or testcases that WE CAN USE to see how the filter works first-hand.

  • Anonymous
    January 01, 2003
    My worries are that the phishing filter is gonna turn out like something at HotOrNot. The reason I say this is because people can rate anything however they want. You'll have people that will want to report sites whether they think they're safe or not. I think Microsoft should have some type of thing to protect against this kinda thing, otherwise it'll slow down the whole review process for addresses.

  • Anonymous
    January 01, 2003
    How many people have to report a site before someone at Microsoft decides to investigate it?

    And, could Microsoft effectively block every website if they were feeling extra evil?

  • Anonymous
    January 01, 2003
    Please stop it flashing up for reserved (i.e. internal / local) IP addresses, as end users seeing the phishing warning on their intranet applications will be frustrated/worried by it, and I cannot see a way around it at present.

  • Anonymous
    January 01, 2003
    If I receive an obvious phishing mail, can I report the URL in it without visiting the site? I don't visit phishing sites because they could use an exploit that hasn't been fixed; therefore it is mandatory that phishing sites from emails can be tagged as such without visiting them.

  • Anonymous
    January 01, 2003
    Hey, what zzz just wrote is true. There should be a possibility to tag a phishing mail as such without first having to browse to that site.

  • Anonymous
    January 01, 2003
    Hey Rob, it's Paul. I'm really glad to see that ieblog is keeping customers up to date on internet explorer features. I think the phishing filter is a great feature, and I'm glad to see it implemented in the internet explorer base installation so there's no need to download bloatware from a 3rd party site that has spyware bundled :).

    Also, I think it's really cool to see the reader comments have gone from slashdotesque (anti-MS) to productive and encouraging. It shows that Microsoft is definitely going in the right direction with their browser and giving Mozilla a run for their money.

    Kind regards,
    Paul

  • Anonymous
    January 01, 2003
    Inside Microsoft tells of news that MSNs Phishing Filter add-in is available for download for US...

  • Anonymous
    January 01, 2003
    Is there an official procedure to post bugs to Microsoft regarding IE7 Beta 1?

  • Anonymous
    January 01, 2003
    Excellent article. Informative and nicely targeted at real concerns - it's exactly what this blog should be about.

    Unfortunately, these efforts are struggling against a wider mis-trust of Microsoft which is regularly reinforced in much more public places. An earlier comment raises the example of Windows Update only working with Internet Explorer. OK, this is off-topic but it is a valid point. Why are there no answers coming from Microsoft about these other areas of customer concern? Who could and should be answering them?

    Until some of these issues are addressed, I don't see Microsoft being able to regain the trust it has lost in a lot of the IT community.

    As for the phishing filter, is the reporting of dodgy URLs partly in the hands of users? If so, that could cause a world of pain. Never underestimate the power of stupid people in large numbers!

    Keep up the good work,
    Chris

  • Anonymous
    January 01, 2003
    From your description of this lookup feature I would assume the following so it works without much hassle:
    * every user running IE from everywhere can use it
    * thus the request has to be done over port 80 (or 443, as SSL is mentioned in the privacy statement) or it won't really work inside companies due to firewalls
    * there's no restriction on who can use this service (i.e. every IP is allowed)

    It isn't mentioned in detail in the privacy statement how the SSL encryption is exactly done, but let us assume for a moment that it's not much different from the standard https used everywhere nowadays.

    This drives me to the question: is there any limitation which client can ask the (microsoft?) server about a url whether it's used in phishing fraud or not?

    Basically, is Microsoft providing a free-of-charge public SSL-encrypted interface that any client can query to find out whether a given site is maybe a phishing site?

    The privacy statement says the following "standard" information is sent:
    * url of site
    * ip of client
    * browser type
    * phishing version number

    So what if browser type is lynx/opera/firefox? Are you allowing these?

    On a related note:
    the privacy statement says:
    For example, if you visited the MSN search web site at http://search.msn.com and entered "MySecret" as the search term, instead of sending the full address "http://search.msn.com/results.aspx?q=MySecret&FORM=QBHP", Phishing Filter would remove the search term and only send "http://search.msn.com/results.aspx".

    Nowadays it's not uncommon to use the path part of a URI to actually pass information around, think about:
    http://server/url/with/sessioid/and/other/maybe/sensitive/info

    Would this also send the complete path to the server?


    Thanks to the IE Team for providing this in-depth information.

    - Markus

  • Anonymous
    January 01, 2003
    LOL
    the next step to get user information and an attempt to keep the browser monopoly.

    i hope this will NEVER be reality.


    daniel

  • Anonymous
    January 01, 2003
    I've been thinking about this for a while, and I came up with a list of example URLs that should trigger the filter:

    1. http://#.#.#.#/ (addresses from ip addresses are always more likely)
    2. http://address.com:##/ (same as above except port number)

    I think those two are the most likely ones for phishing attacks.

  • Anonymous
    January 01, 2003
    This is a repost, but I'd still like to see this occur.

    The phishing filter can be smarter...
    "It checks web pages that don’t even have fields. The filter could scan for key words by input forms. Phishers must identify fields like credit card number, password, id, etc. for a victim to input. An additional security measure would be to check for encryption."

    Phishers MUST identify the fields with personal information. How else is a user going to input information? Look how we post comments. Posting comments requires an input for a title, name, and comments. Unless you plan to go further with this filter and include sites that exploit IE holes, I think this implementation would cut down on bandwidth and ease some privacy fears.

  • Anonymous
    January 01, 2003
    I've not followed the news about IE7 recently. But will IE7 be distributed as a mandatory security update over Windows Update? Will it be part of an XP SP3? Why is the feature not supported for IE6? Most phishing victims will run the OS delivered with the PC they have bought and will not care about the version of their browser.

  • Anonymous
    January 01, 2003
    http://blogs.msdn.com/ie/archive/2005/08/31/458663.aspx
    Rob Franco discusses the anti-phishing technology...

  • Anonymous
    January 01, 2003

    Hi. I can't seem to find the company you bought this from. I saw it once on a paper, but no more.

  • Anonymous
    January 01, 2003
    translated via Google "German to English" translator ... but maybe interesting what Germans thought! :P

    http://translate.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fnews%2Fforen%2Fgo.shtml%3Flist%3D1%26forum_id%3D84158&langpair=de%7Cen&hl=de&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

  • Anonymous
    January 01, 2003
    Hi, my name is Tariq Sharif and I am a Program Manager on the IE Security team. One of the threats users...

  • Anonymous
    May 08, 2006
    When we shipped the Microsoft Phishing Filter in Internet Explorer 7 Beta 1, many readers on the blog...

  • Anonymous
    May 11, 2006
    IE7 - Phishing Fraud Detection Feature

  • Anonymous
    September 28, 2006

    As we’ve worked on the new Phishing Filter in IE7, we knew the key measure would be how effective it...

  • Anonymous
    December 24, 2006
    Moderators: Matthias Niess and Timon Royer. Topics: The FSF campaign Bad Vista, what is behind it? Opera for Nintendo Wii and Samsung phones. Phishing filters for browsers, how do they work? First impressions of the Azureus successor Z

  • Anonymous
    January 22, 2007
    PingBack from http://phishing.blognicity.com/?p=46

  • Anonymous
    February 07, 2007
    In the keynote today at the RSA Conference 2007, the technology-security industry’s annual conference,

  • Anonymous
    April 27, 2009
    PingBack from http://jonathanmarsh.net/2006/10/30/obfuscated-urls/