Fooling the MS Phishing Filter

About a month ago I predicted the death of the IE7 phishing filter based on sketchy details of the MS implementation. Since that time, MS has also released an antiphishing plugin for the MSN toolbar and the IE blog has released more details about how the phishing filter works. After analysing the blog posts I stand by my prediction.

My previous reservations still stand and I have several others I will cover later. Here’s the zinger for today: for sites that aren’t on the block list, the MS approach will be easy for phishers to circumvent.

A little background. In an attempt to "anonymize" the data it sends home, IE7 removes query strings from URLs. The query string is anything after the question mark (?) in the URL. Instead of phoning home http://example.com/?username=adam, it will send home http://example.com/. It's great that MS wants to protect privacy, but they've also opened up an easy way for phishers to beat the system.

A smart phisher will return different content to end users (browsing the URL with the query string intact) than it will to the MS phishbot. The end user gets a scam site and the MS phishbot gets innocuous content.

The fundamental flaw in the MS approach is that the analysis is performed on a server instead of on the client, and the client and server may be looking at entirely different content. Smart, client-side phishing detection engines like ScamAlarm don’t have this problem.
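To make the gap concrete, here is an added illustration (not code from the original post, and not Microsoft's implementation) of the two designs side by side. It models the query-string stripping the post describes, a constructed sample site whose content depends on the exact URL requested, and a toy content check standing in for a phishing classifier; the URLs, page bodies and scam markers are all made up for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def strip_query(url: str) -> str:
    """Model of the IE7 'anonymization' step described in the post:
    everything after the question mark (and any fragment) is dropped
    before the URL is reported to the server-side filter."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


# Constructed sample site (hypothetical): content keyed by the exact URL
# requested. The bare URL serves harmless filler; the URL a victim actually
# receives in a lure, query string intact, serves the scam page.
SAMPLE_SITE = {
    "http://example.com/": "<h1>Welcome to our photo gallery</h1>",
    "http://example.com/?username=adam": (
        "<h1>Your account is locked</h1>"
        "<form>Enter your password to unlock it</form>"
    ),
}

# Toy stand-in for a content classifier; real engines use far richer signals.
SCAM_MARKERS = ("account is locked", "enter your password")


def fetch(url: str) -> str:
    """Simulated HTTP GET against the constructed site."""
    return SAMPLE_SITE.get(url, "")


def looks_like_phish(html: str) -> bool:
    """Flag page content that contains any of the constructed scam markers."""
    body = html.lower()
    return any(marker in body for marker in SCAM_MARKERS)


def server_side_verdict(client_url: str) -> bool:
    """The post's server-side design: the filter only ever learns the stripped
    URL, so it fetches and analyses a page the victim never saw."""
    reported_url = strip_query(client_url)
    return looks_like_phish(fetch(reported_url))


def client_side_verdict(client_url: str) -> bool:
    """The client-side design: analyse the content the browser actually
    rendered for the full URL, so the site cannot show the analyser a
    different page than it shows the user."""
    return looks_like_phish(fetch(client_url))


if __name__ == "__main__":
    lure = "http://example.com/?username=adam"
    print("reported to server:", strip_query(lure))
    print("server-side verdict:", server_side_verdict(lure))  # False: bot saw filler
    print("client-side verdict:", client_side_verdict(lure))  # True: user saw the scam
```

The two verdicts disagree on the same lure URL for exactly the reason the post gives: the server-side filter's verdict is only as good as its assumption that the stripped URL and the full URL return the same content, and nothing in the design enforces that assumption. A client-side engine is keyed on what the browser received, so that assumption never enters the picture.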
