The answer isn't all that satisfying … or, unfortunately, unique to Yahoo.
Michael Sutton, security evangelist for SPI Dynamics, raised the question last week in his widely circulated blog post "A tour of the Google blacklist." So I put the question to Yahoo and this morning received the company's reply.
First, Sutton's observation:
Phishers are apparently cheap as many utilize free hosting sites such as Geocities, Tripod and FreeSpaces to host their phishing sites. While the hosting providers are catching some of these sites, they're clearly not working hard enough as several remained active. Somewhat amusing is that Yahoo Geocities is commonly used to host pages designed to harvest Yahoo login IDs. Why Yahoo can't catch phishing pages that they host is beyond me. Below are a handful of such pages that remained active as of this (Jan. 4) posting.
Those pages are dead now.
As for why Yahoo can't seem to prevent phishers they host through Geocities from targeting Yahoo users, here's what company spokeswoman Kristen Wareham told me in an e-mail:
Yahoo takes a multi-faceted approach to protect consumers against phishing scams, including the use of enhanced technologies, industry collaboration, public policy efforts, and increasing consumer awareness. As part of these ongoing efforts, Yahoo has a team that takes action very quickly on every phishing report we receive, in addition we proactively scan hosted sites for potential phishing activity and deactivate suspicious sites.
We are continually improving and modifying our efforts to remain at the forefront of the industry. That said, we do not publicly discuss the specifics of our security efforts, as that would provide information that could enable bad actors to modify their tactics accordingly.
In other words, they do a lot of stuff -- most apparently after any given site is activated -- but it's not enough to prevent even their own customers from being exposed to the scam artists.
The heart of the matter was kicked around here last month after Mikko Hypponen, chief research officer for security vendor F-Secure, called out registrar directNIC for granting a "Craig Smith" a domain name that was quite obviously intended to bamboozle eBay customers.
DirectNIC CEO Sigmund Solares ducked in behind the same explanation offered by Yahoo: We're doing the best we can under the circumstances.
And, according to the head of an anti-phishing organization, that position isn't necessarily without merit. Dave Jevans, chairman of the Anti-Phishing Working Group, calls the issue "complex":
Unfortunately, it is not possible for a registrar to know a priori whether a site is going to be used for phishing or not. There are many "squatters" who may have every right to register domain names with other companies' trademarks in them, per ICANN policy. They may have to relinquish those domains should a trademark infringement be shown by the brand holder, per ICANN policy.
However, if someone creates a site such as realbank-sucks.com, and uses it as a parody site or to complain about realbank's services, that is fully within their legal rights to do so (at least in the U.S.). Therefore, how can a domain name registrar, who may register tens of thousands of domains per day, make such a determination?
Vetting every site to a higher level will cost money. The price of domain names will rise. There are those in the free-speech community who are of the opinion that this is a bad thing, as it will prevent individuals and small businesses from registering domain names.
Ah, money. Now that's getting closer to an answer to the questions raised by Sutton and Hypponen.
Why can't Yahoo block Yahoo-targeting phishers?
Paul,
Just wanted to let you know that I've posted a follow-up article to the Google Blacklist post that you'd blogged about. After that post I received several questions about a separate encoded/hashed blacklist that Google also maintains which is about 14x larger than the plaintext blacklist which was the subject of the initial blog. Anyway, I spent some time learning about the structure and have made the following entry discussing what its purpose is and how it can be decrypted.
http://portal.spidynamics.com/blogs/msutton/archive/2007/01/10/Decoding-the-Google-Blacklist.aspx
Regards,
Michael