Phishing Filters and User Privacy - browsers that "phone home"


incrediBILL - 4:48 pm on Nov 7, 2006 (gmt 0)


Come on people, this isn't rocket science...

Not knowing what MS does, it's really hard to criticize IMO, but technically speaking, from all the phishing sites I've ever seen, and I've seen a LOT of them just out of curiosity, I think I could easily develop code to profile the page, so a mega company like MS could sure put in more resources than I can deploy to make such a thing REASONABLY safe.

I do similar site profiling when I link check my directory and have profiles that cover hundreds of domain parks, and I can pretty accurately identify even a domain park page I've never seen, and some are pretty tricky trying not to be identified, so I'm pretty sure automated anti-phishing could do the same.

OK, let's look at what it would take to provide real-time anti-phishing.

MS could easily pull the referenced page in real time and evaluate the content automatically to see if it looks like a phishing page, about 1-2 second turnaround in most cases.

You could check the text for many keywords like paypal, citibank, BofA, compare the graphics against logos for those companies, yada yada. Check URLs in the page for just IPs or subdomains, which is common, and report back whether it looks safe or not.

What's the main clue it's a phish page?

Phish pages typically have all links out to the real site, which isn't the current domain, and a single form that either submits to the current domain or a 3rd party domain. Seems like just evaluating the page to see if it has all external links except the form post itself would be a real tip we have a suspicious page on its own.

It's not rocket science to build something that could easily profile what appears to be phishing and, worst case, pop it up on a screen for a human in a control room to quickly glance at when something meets the criteria and they review it ASAP. After a quick hand review, everyone else that encounters the page is protected.

In my scenario of how I would implement this technically, you might have ZERO people get to the page if it's automatically checked in real-time, or a handful of people tricked while waiting on someone to hand check a suspicious page.

So, based on my experience building similar page profiling code, I see it possible to be at least 98% accurate just with automated page profiling alone and improving over time.
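
The structural check described in the post above (every link points off-site while the single form posts somewhere other than the linked site, plus the keyword and bare-IP checks), as an added example that is not part of the original post. The function names, the `BRANDS` list and the two sample pages are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
BRANDS = ("paypal", "citibank", "bofa")  # keywords named in the post

class Collector(HTMLParser):  # gathers link targets, form actions, visible text
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")  # empty action = same page
    def handle_data(self, data):
        self.text.append(data.lower())

def hosts(base, refs):  # resolve against the page URL, keep http(s) hostnames
    urls = [urlsplit(urljoin(base, r)) for r in refs]
    return [(u.hostname or "").lower() for u in urls if u.scheme in ("http", "https")]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def profile_page(page_url, html):
    """Signals from the post; 'suspicious' means queue for hand review, not block."""
    c = Collector()
    c.feed(html)
    c.close()
    page_host = hosts(page_url, [""])[0]
    links, forms = hosts(page_url, c.links), hosts(page_url, c.forms)
    s = {"all_links_external": bool(links) and all(h != page_host for h in links),
         "single_form": len(forms) == 1,
         "form_off_linked_site": len(forms) == 1 and forms[0] not in links,
         "brand_keyword": any(b in " ".join(c.text) for b in BRANDS),
         "ip_host": any(is_ip(h) for h in [page_host] + forms)}
    s["suspicious"] = s["all_links_external"] and s["form_off_linked_site"]
    return s

# Constructed sample pages (reserved .example names and a documentation IP).
PHISH_URL = "http://203.0.113.7/login.html"
PHISH_HTML = '<p>PayPal login</p><a href="https://www.paypal.example/help">Help</a><form action="verify.php"></form>'
LEGIT_URL = "https://shop.example/"
LEGIT_HTML = '<a href="/about">About</a><form action="/search"><input name="q"></form>'
```

The keyword and bare-IP signals are reported but left out of the `suspicious` rule here, so they can be weighted separately when tuning against real pages.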


Thread source: http://www.webmasterworld.com/html/3146774.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com