A couple of weeks back, I blogged on a new site, called phishfighting.com.

The idea is you enter a URL into the site, and it sends the phishing site fake hits every 20 seconds.

Well it was a hot subject. Lots of comments on the original blog, and I followed up with a new blog entry here. Now, Microsoft MVP Sandi Hardmeier at the SpywareSucks blog had even more damning comments than the prior one:

Here’s the deal. The sentiment is great, but the reality is not. Having “fun“ is of no practical use (although it may make you feel good).

Many phishing sites are hosted on compromised computers – computers that have been hacked. The owners have no idea what has happened to their systems, and invariably each phish site only lasts 5 to 9 days (on average) before the phishers move on.

Who are we punishing here? The victim whose computer has been hacked and who has to pay for the phisher bandwidth, and now the bandwidth generated by sites like
phishfighting? Are we punishing the phishers? They don’t care. When one site is
compromised they simply create a new one.

We’re dealing with professionals who are more than capable of weeding out and
discarding fake data. All they need to do is whip up a little programme that
will retrieve, and test, information provided with no human interaction or
effort. If you think that there is a person, or a series of people, wading
through print-outs trying out each log-on by hand, I’m betting you’re wrong in
that assumption. Think about it. How many millions of phish emails do you think
are sent out every day? The bad guys have the capacity to handle a *lot* of
data.

Not only that, the Anti Phishing Working Group advised in their July report that there has been a 100% increase in the number of phishing sites that attempt to infect systems with keyloggers and trojans to capture sensitive information such as usernames and passwords. The implications are far worse, in such circumstances, than the compromise of username and password for one financial institution.

What is phishfighting’s “Method One” for retrieving a phishing URL? They say “Simply click on the link and copy the real url from the browser bar“… NO!!! DON’T DO IT!!!!! Don’t click on the link!!!!!

Edit: Let’s expand on this – don’t even *open* a phishing email. If it includes remote graphics, and your email client is set to download such things, simply by opening the email you are confirming that your email is “live“, making it immediately valuable to all kinds of spammers, and saleable.

Also, some phishing emails attempt to infect computers as soon as an email is
opened by using certain old security vulnerabilities that *should* be patched,
but may not be.

All that we get from services such phishfighting is a misplaced sense of satisfaction that we are somehow hurting the phishers. We’re not.

There is NOTHING on the phishfighting site that teaches users how to report phish sites to ISPs and get them shut down legitimately.

Phishfighters say that they are not using a DOS (denial of service) tactic because they only send one fake alert every 20 seconds. Is that 20 seconds per report, or 20 seconds per URL? The site doesn’t say.

Don’t use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/). Learn how to read emails headers and report spammers to their ISP (http://www.stopspam.org/email/headers.html) but remember, the spamming computer may be a zombie, the owner may have no idea what has happened, so be nice.

Use allwhois (http://www.allwhois.com/) to trace the host of phish sites and report their existence direct to the host ISP – get the site shut down. Again, remember the host computer may have been hacked, and the owner completely unaware of what has happened. Be nice.

Please, don’t use services such as phishfighting and DON’T click on the link in a spam email … please.

Robin Grimes, the developer of PhishFighting.com, responds with this:

As I understand, from reading [his] post, his main premise is that the Phishers are to smart for us and that clicking a phishing email link can be dangerous. So let’s address his concerns:

1. He is correct that clicking a link in a phisher’s email can be hazardous. This is why I’ve posted alternative ways to determine the phisher’s real link. He’s correct that I
should point out that “Option 1” is hazardous, so I’ve updated PhishFighting.com
to make note of this.

2. His premise that Phisher’s are to smart for us, that they all have programs to test and filter false data is a little broad reaching. I’m sure there are some very sophisticated Phishers out there, that won’t be the least bit inconvenienced by receiving false data. But I’m willing to bet that a majority of the Phishers are basically petty thieves and that getting 100’s or 1000’s of fake entries will inconvenience them to some degree. And that’s really the point of PhishFighting.com, to in some small way cause them the inconvenience that they cause us.

3. He say’s “Don’t use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/)”. His premise is that using spamcop.net or some other reporting agency will stop Phishing, it hasn’t, or will have more impact than PhishFighting.com. Possibly but I haven’t seen any evidence that Phishing is on the decline. I received 4 new phishing emails this weekend. Phishing seems to be growing, not declining.

4. He also states that I don’t offer any alternative ways to fight phishing on my site. That’s true, namely because I have not found any real method that actually has a major impact on Phishing. There are a lot of sites and agencies purporting to offer some solution or impact, but I have not heard of one that can prove it, myself included. I don’t
claim that PhishFighting.com will solve the problem, but then nobody has a
solution. There is no other way for an individual to fight back against Phishers. If PhishFighting.com inconveniences the Phishers in any small way then it’s doing what it is designed to do. Plus there is a certain amount of “Feel Good” factor in being able to do something other than just reporting them.

PhishFighting.com is all about giving the individual a method of striking back,
even if it is in some very small way.

If you have additional questions, tips, suggestions, or just want to tell me I’m a
dipstick, email me at Support@PhishFighting.com Robin

Robin at PhishFighting.com should be congrutulated for at least trying something to fight fishing and it’s sad to see that some people have been piling up on him.

But Sandi at SpywareSucks brings up good points, and one should be careful using such a service. Often, my response to phishing is to report it to eBay, PayPal, or the bank in question; and if a legitimate site is compromised (all too common), I try to alert the siteowner. Phishfighting is another tool in your arsenal, but if used, must be done so with caution.

So in the end, I’ll leave it up to your best judgement.

Alex Eckelberry