<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: How can we co-operate to tackle phishing?</title>
	<atom:link href="http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/</link>
	<description>Security Research, Computer Laboratory, University of Cambridge</description>
	<pubDate>Thu, 18 Mar 2010 14:38:47 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Malcolm Scott</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-30012</link>
		<dc:creator>Malcolm Scott</dc:creator>
		<pubDate>Thu, 30 Oct 2008 04:46:05 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-30012</guid>
		<description>Another metric that might be worth considering is the quality of the data contributed by each collaborator.  As you describe it, there is no disincentive to contribute URLs which do not and have never contained phishing sites; it would therefore be possible for a contributor to boost its score by contributing a large number of untested URLs (for example, every URL seen in an email, perhaps) in the hope that some turn out to be phishing sites!

This should be relatively simple to counteract, however, if the percentage of false positives in the feeds from each contributor is taken into account.  Some level of false positives is expected, of course, but abnormally-high rates should be penalised.</description>
		<content:encoded><![CDATA[<p>Another metric that might be worth considering is the quality of the data contributed by each collaborator.  As you describe it, there is no disincentive to contribute URLs which do not and have never contained phishing sites; it would therefore be possible for a contributor to boost its score by contributing a large number of untested URLs (for example, every URL seen in an email, perhaps) in the hope that some turn out to be phishing sites!</p>
<p>This should be relatively simple to counteract, however, if the percentage of false positives in the feeds from each contributor is taken into account.  Some level of false positives is expected, of course, but abnormally-high rates should be penalised.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John LaCour</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-30011</link>
		<dc:creator>John LaCour</dc:creator>
		<pubDate>Wed, 29 Oct 2008 20:40:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-30011</guid>
		<description>Three comments:

I don't think cheating would be a problem.  Takedown companies wouldn't be able to claim they spotted a phish first when they received it from the joint feed because the joint feed processor knows who submitted what originally.  Also, the bad guys create plenty of phishing sites.  No company needs to do that nor would anyone jeopardize their business by doing such.

There's another wrinkle to this I haven't seen mentioned.   Many of the takedown companies are contractually forbidden to share the URLs with third parties.    This is because the takedown companies often get spam data from ISPs who don't want that info being shared with others for various reasons.   The model would likely have to be restricted to phish sites discovered directly by the takedown company lest you have to persuade others of the same benefits (and convince folks to revisit contracts).

Lastly, I think the delayed sharing approach is viable.  It works in the antivirus world.  While not ideal from a detection time perspective, it's better than not detected at all.

John, PhishLabs
&lt;a href="http://www.phishlabs.com/" rel="nofollow"&gt;PhishLabs&lt;/a&gt;</description>
		<content:encoded><![CDATA[<p>Three comments:</p>
<p>I don&#8217;t think cheating would be a problem.  Takedown companies wouldn&#8217;t be able to claim they spotted a phish first when they received it from the joint feed because the joint feed processor knows who submitted what originally.  Also, the bad guys create plenty of phishing sites.  No company needs to do that nor would anyone jeopardize their business by doing such.</p>
<p>There&#8217;s another wrinkle to this I haven&#8217;t seen mentioned.   Many of the takedown companies are contractually forbidden to share the URLs with third parties.    This is because the takedown companies often get spam data from ISPs who don&#8217;t want that info being shared with others for various reasons.   The model would likely have to be restricted to phish sites discovered directly by the takedown company lest you have to persuade others of the same benefits (and convince folks to revisit contracts).</p>
<p>Lastly, I think the delayed sharing approach is viable.  It works in the antivirus world.  While not ideal from a detection time perspective, it&#8217;s better than not detected at all.</p>
<p>John, PhishLabs<br />
<a href="http://www.phishlabs.com/" rel="nofollow">PhishLabs</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Clive Robinson</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-30009</link>
		<dc:creator>Clive Robinson</dc:creator>
		<pubDate>Wed, 29 Oct 2008 12:00:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-30009</guid>
		<description>@ Tyler,

I'm not certain your model addresses a fundamental problem.

There are five main classes of player in the game,

A, The Attackers,
B, The Banks,
C, The Customers,
D, The Takedown Co's,
E, The legislators.

The primary relationship you are actually addressing is between the banks and their customers,

B_C

By altering the relationship between competing entities (D_D, B_B)

There are however a number of other relationships bank to bank (B_B) for instance. 

Some of these relationships are very new (B_D) and have not really been tested. Others (A_B, A_C, A_D) are in a state of flux and others are reasonably expected to change (E_B, E_A, E_D) and others effectively unknown (A_A, A_D) but assumed.

Your model only loosely addresses these additional relationships, and really only from the perspective of possibly increasing security on the bank to customer (B_C) relationship.

As noted by Theo Markettos the takedown to takedown (D_D) relationship can quite easily be abused for competitive advantage in your model.

But importantly so can the other relationships.

In fact it could be quite beneficial for Banks to deliberately abuse the bank to takedown company relationship (B_D) of their competitors and likewise for takedown companies to abuse the B_D relationship of their competitors.

With a little thought you can realise that this would be a very effective place to gain either commercial advantage, or regulatory relief.

And it is not without past precedent. Further you do not appear to have considered the nature of quite important relationships (B_B, A_A, A_D, etc)

You also need to realise that the bank to takedown company relationship is mostly to the benefit of the banks in terms of externalising not just risk but liability.

Also that is likely to be a transitory relationship, that is if the legislators raise the bar in various ways for the banks (E_B), or takedown companies (E_D). With even quite small changes the banks will in house the activity fairly rapidly to reduce the risk/liability to themselves, and the takedown companies are probably aware of this so may well have only very short term interests.

All that said I am not saying I think what you are doing is the wrong thing but just the first hesitant step on the journey.

And like all journeys it is best to have not just a clear view of the objective but alternative routes etc in mind should the original journey need to be changed due to changes in the environment.</description>
		<content:encoded><![CDATA[<p>@ Tyler,</p>
<p>I&#8217;m not certain your model addresses a fundamental problem.</p>
<p>There are five main classes of player in the game,</p>
<p>A, The Attackers,<br />
B, The Banks,<br />
C, The Customers,<br />
D, The Takedown Co&#8217;s,<br />
E, The legislators.</p>
<p>The primary relationship you are actually addressing is between the banks and their customers,</p>
<p>B_C</p>
<p>By altering the relationship between competing entities (D_D, B_B)</p>
<p>There are however a number of other relationships bank to bank (B_B) for instance. </p>
<p>Some of these relationships are very new (B_D) and have not really been tested. Others (A_B, A_C, A_D) are in a state of flux and others are reasonably expected to change (E_B, E_A, E_D) and others effectively unknown (A_A, A_D) but assumed. </p>
<p>Your model only loosely addresses these additional relationships, and really only from the perspective of possibly increasing security on the bank to customer (B_C) relationship.</p>
<p>As noted by Theo Markettos the takedown to takedown (D_D) relationship can quite easily be abused for competitive advantage in your model.</p>
<p>But importantly so can the other relationships.</p>
<p>In fact it could be quite beneficial for Banks to deliberately abuse the bank to takedown company relationship (B_D) of their competitors and likewise for takedown companies to abuse the B_D relationship of their competitors.</p>
<p>With a little thought you can realise that this would be a very effective place to gain either commercial advantage, or regulatory relief.</p>
<p>And it is not without past precedent. Further you do not appear to have considered the nature of quite important relationships (B_B, A_A, A_D, etc)</p>
<p>You also need to realise that the bank to takedown company relationship is mostly to the benefit of the banks in terms of externalising not just risk but liability. </p>
<p>Also that is likely to be a transitory relationship, that is if the legislators raise the bar in various ways for the banks (E_B), or takedown companies (E_D). With even quite small changes the banks will in house the activity fairly rapidly to reduce the risk/liability to themselves, and the takedown companies are probably aware of this so may well have only very short term interests.</p>
<p>All that said I am not saying I think what you are doing is the wrong thing but just the first hesitant step on the journey.</p>
<p>And like all journeys it is best to have not just a clear view of the objective but alternative routes etc in mind should the original journey need to be changed due to changes in the environment.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tyler Moore</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-30003</link>
		<dc:creator>Tyler Moore</dc:creator>
		<pubDate>Tue, 28 Oct 2008 02:52:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-30003</guid>
		<description>@barbedtrebble: We have studied phishing URL submission and voting patterns in PhishTank in other research.  See: 

http://www.lightbluetouchpaper.org/2007/12/21/how-effective-is-the-wisdom-of-crowds-as-a-security-mechanism/

We didn't observe any intentionally malicious voting at the time, but we did notice that PhishTank appears especially vulnerable to manipulation.

@Theo: Good point, disreputable take-down companies could also try to cheat by including fake phishing websites.  Presumably this could be detected by a clever auditor, but even so, any sharing club can only work if there is a basic level of trust between take-down companies.  The take-down companies I have encountered seem open to sharing so long as they are compensated if they contribute more than others.</description>
		<content:encoded><![CDATA[<p>@barbedtrebble: We have studied phishing URL submission and voting patterns in PhishTank in other research.  See: </p>
<p><a href="http://www.lightbluetouchpaper.org/2007/12/21/how-effective-is-the-wisdom-of-crowds-as-a-security-mechanism/" rel="nofollow">http://www.lightbluetouchpaper.org/2007/12/21/how-effective-is-the-wisdom-of-crowds-as-a-security-mechanism/</a></p>
<p>We didn&#8217;t observe any intentionally malicious voting at the time, but we did notice that PhishTank appears especially vulnerable to manipulation.</p>
<p>@Theo: Good point, disreputable take-down companies could also try to cheat by including fake phishing websites.  Presumably this could be detected by a clever auditor, but even so, any sharing club can only work if there is a basic level of trust between take-down companies.  The take-down companies I have encountered seem open to sharing so long as they are compensated if they contribute more than others.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Theo Markettos</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-30002</link>
		<dc:creator>Theo Markettos</dc:creator>
		<pubDate>Mon, 27 Oct 2008 23:57:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-30002</guid>
		<description>Another twist on the cheating angle... if a take-down company gets paid a fee for every phishing site it finds, would that not be an incentive to create phishing sites?

Say take-down company A in your example creates (through suitable cutouts or middlemen) a series of phishing sites for bank B1 based on clones of real phishing sites.  They can then 'detect' these 'fake-phishing' sites and sell the list to take-down company B at a profit. If they're particularly disreputable they can clean up from the phished account details, but otherwise adding a slow trickle of fake-phishing sites to their feed may increase their profitability at the expense of the competition.

This then turns into an arms race based on who can create the most fake-phishing sites.  With real phishing sites or bank customers being merely collateral damage.</description>
		<content:encoded><![CDATA[<p>Another twist on the cheating angle&#8230; if a take-down company gets paid a fee for every phishing site it finds, would that not be an incentive to create phishing sites?</p>
<p>Say take-down company A in your example creates (through suitable cutouts or middlemen) a series of phishing sites for bank B1 based on clones of real phishing sites.  They can then &#8216;detect&#8217; these &#8216;fake-phishing&#8217; sites and sell the list to take-down company B at a profit. If they&#8217;re particularly disreputable they can clean up from the phished account details, but otherwise adding a slow trickle of fake-phishing sites to their feed may increase their profitability at the expense of the competition.</p>
<p>This then turns into an arms race based on who can create the most fake-phishing sites.  With real phishing sites or bank customers being merely collateral damage.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: barbedtrebble</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-30001</link>
		<dc:creator>barbedtrebble</dc:creator>
		<pubDate>Mon, 27 Oct 2008 23:55:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-30001</guid>
		<description>I used to submit to phishtank.

When I processed wrongly-addressed mail (for accounts that don't exist; using the luser_relay of postfix) I was getting 16,000 phishes in 12 hours - before I added a rate limiter.

One problem was people would vote as NOTAPHISH something that (if you read the HTML) clearly was a phish.  It seems one genuine link in the mail is enough to get some people to approve of it.</description>
		<content:encoded><![CDATA[<p>I used to submit to phishtank.</p>
<p>When I processed wrongly-addressed mail (for accounts that don&#8217;t exist; using the luser_relay of postfix) I was getting 16,000 phishes in 12 hours - before I added a rate limiter.</p>
<p>One problem was people would vote as NOTAPHISH something that (if you read the HTML) clearly was a phish.  It seems one genuine link in the mail is enough to get some people to approve of it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tyler Moore</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-29999</link>
		<dc:creator>Tyler Moore</dc:creator>
		<pubDate>Mon, 27 Oct 2008 15:13:39 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-29999</guid>
		<description>@Nicholas:

You can submit phishing reports to a number of places.  The best place to send them is to the Anti-Phishing Working Group, who create a feed which is given to the take-down companies and banks.  Here are instructions on how to submit to the APWG:

http://www.antiphishing.org/report_phishing.html

You can also submit to PhishTank, which is a volunteer group that creates a public feed:

http://www.phishtank.com

Unfortunately, their feed is slow to be processed, since PhishTank relies on volunteers to vote on each submission's veracity.

Most banks will also accept phishing notifications when their own brand is targeted.  You can usually find information from each bank's home page.</description>
		<content:encoded><![CDATA[<p>@Nicholas:</p>
<p>You can submit phishing reports to a number of places.  The best place to send them is to the Anti-Phishing Working Group, who create a feed which is given to the take-down companies and banks.  Here are instructions on how to submit to the APWG:</p>
<p><a href="http://www.antiphishing.org/report_phishing.html" rel="nofollow">http://www.antiphishing.org/report_phishing.html</a></p>
<p>You can also submit to PhishTank, which is a volunteer group that creates a public feed:</p>
<p><a href="http://www.phishtank.com" rel="nofollow">http://www.phishtank.com</a></p>
<p>Unfortunately, their feed is slow to be processed, since PhishTank relies on volunteers to vote on each submission&#8217;s veracity.</p>
<p>Most banks will also accept phishing notifications when their own brand is targeted.  You can usually find information from each bank&#8217;s home page.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nicholas Bohm</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-29998</link>
		<dc:creator>Nicholas Bohm</dc:creator>
		<pubDate>Mon, 27 Oct 2008 15:07:30 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-29998</guid>
		<description>Do ordinary users have effective ways to report phishing sites?  I get a regular stream of phishing emails, and would happily report them if I knew where to send the URLs.</description>
		<content:encoded><![CDATA[<p>Do ordinary users have effective ways to report phishing sites?  I get a regular stream of phishing emails, and would happily report them if I knew where to send the URLs.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tyler Moore</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-29996</link>
		<dc:creator>Tyler Moore</dc:creator>
		<pubDate>Mon, 27 Oct 2008 13:36:48 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-29996</guid>
<description>@Pete: Timeliness is really essential for phishing URL feeds.  Only sharing feeds between take-down companies after a time delay undermines the value of sharing to all sides.  The reason why take-down companies should share with each other is that each can learn about sites from each other's feeds.

Our proposal would have take-down companies who gain more from sharing compensate those take-down companies who gain less.</description>
<content:encoded><![CDATA[<p>@Pete: Timeliness is really essential for phishing URL feeds.  Only sharing feeds between take-down companies after a time delay undermines the value of sharing to all sides.  The reason why take-down companies should share with each other is that each can learn about sites from each other&#8217;s feeds.</p>
<p>Our proposal would have take-down companies who gain more from sharing compensate those take-down companies who gain less.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pete Austin</title>
		<link>http://www.lightbluetouchpaper.org/2008/10/27/how-can-we-co-operate-to-tackle-phishing/comment-page-1/#comment-29995</link>
		<dc:creator>Pete Austin</dc:creator>
		<pubDate>Mon, 27 Oct 2008 13:29:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=469#comment-29995</guid>
		<description>Financial news feeds are expensive if you want them real-time, but you can get the same data free if it's time-delayed.

Would this model also work for phishing information feeds? It would allow some of the benefits of sharing, while protecting the investment of take-down companies.</description>
		<content:encoded><![CDATA[<p>Financial news feeds are expensive if you want them real-time, but you can get the same data free if it&#8217;s time-delayed.</p>
<p>Would this model also work for phishing information feeds? It would allow some of the benefits of sharing, while protecting the investment of take-down companies.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
