While mass mailing of electronic junk messages has fallen into disfavor among spammers, phishing continues to attract a loyal following. That’s because the technique has been successful at bypassing anti-spam measures deployed by many organizations.
Old-fashioned mass spam mailings are like direct mail campaigns: massive numbers of messages are sent to recipients with little regard to whom those recipients might be.
Phishing pays more attention to whom it’s aimed at. For example, it might be aimed at customers of a particular bank. Although many of the phishing messages will land in the inboxes of people who aren’t customers of the target bank, the junk mailer hopes to land in enough inboxes that do belong to bank customers to make whatever scam is being perpetrated profitable.
That’s because phishers trade on trust. A bank customer is likely to trust communication from their bank. A phisher can exploit that trust to get the recipient of a phishing email to do things — like open attachments — they wouldn’t do for an untrusted or unknown source.
Malicious escapades perpetrated by phishing include theft of personal information and the planting of pernicious software on computers.
Needless to say, the better prepared an organization is to foil phishers, the better off its workers and valuable data will be.
When defending against phishers, a browser can be an important weapon. That’s because many phishing messages contain links to infected websites designed to impose mischief on anyone who lands on them.
The number of such sites continues to grow, according to independent tester NSS Labs. In 2011, for example, fewer than 40,000 phishing sites were being created per month. This year, that number has jumped to more than 50,000 per month.
The good news, however, is that the major web browsers have become quite good at identifying and blocking access to those sites. In a test over a 10-day period, NSS found that Google’s browser Chrome 21 blocked 94 percent of the phishing URLs appearing on its address bar, followed by Internet Explorer 10 (92 percent), Safari 5 (91 percent) and Firefox 15 (90 percent).
NSS calculates the margin of error for its test to be two percent, so most of the browsers are pretty close to equal at handling nefarious URLs.
The testers noted that there are some other considerations besides blocking bad URLs when evaluating a browser’s effectiveness against phishing attacks. For instance, the speed with which a browser can react to new malicious URLs is also very important, especially since the shelf life of malicious websites continues to decline.
In 2010, for example, the average uptime for sites linked to phishing attacks was 73 hours. This year, the average has slipped to 23 hours.
The quickest browser for blocking zero-day phishing URLs was Safari 5, with a rate of 79.2 percent. Chrome had the lowest rate, at 53.2 percent.
As for the fastest average time for discovering and blocking unsavory URLs, Firefox 15 led the pack (2.35 hours), while the other browsers ranged from 5.38 to 6.11 hours.
NSS also tested the browsers for their effectiveness at blocking malicious downloads. Microsoft Internet Explorer led all its competitors, blocking more than 99.1 percent of all dastardly downloads. Chrome finished a distant second at 70.4 percent. Safari and Firefox were malware sieves with a rate of less than six percent.