Microsoft plays 'Detective' to determine phishing frequency

Microsoft's research arm has been quietly collecting data through an add-on service to its Windows Live Toolbar to determine how often Web users actually fall prey to phishing attacks.

The company released findings of and methods used in that research Thursday in a presentation at the Anti-Phishing Work Group (APWG) E-Crimes Summit in Pittsburgh.

Over a three-month time period last year, Microsoft Research tracked password reuse among more than 500,000 Web users who downloaded the Phish Detective, part of the Windows Live OneCare Advisor package for the Windows Live Toolbar, in an attempt to determine how many users with the service were falling prey to phishing attacks, said Cormac Herley, a researcher at Microsoft Research. He presented findings of a paper about the research he co-wrote with fellow Microsoft researcher Dinei Florencio.

The research found that about 0.4 percent of Web users per year give up information to phishing sites, though it is not clear how much money is being lost in those attacks, he said.

In an interview following his presentation, Herley said the challenge researchers have when determining how often phishing occurs is that compared to the number of people that use e-mail and surf the Web safely, phishing is a rare occurrence.

"The problem with phishing is it's easy to get an accurate estimate of people who are going to vote one way or the other, but when you're trying to estimate something that's rare it gets hard," he said.

Tracking password reuse between sites is a logical way to try to determine phishing attacks because it mimics what happens when a user falls into a phishing trap, Herley said. When users are successfully phished, they will sign into a phishing site with the typical user name and password they would use if they actually were on the site being faked -- for example, a Bank of America site. A phisher would immediately reuse that information to sign in to the actual banking site to gain access to the users account.

Phish Detective sends URL information to servers at Microsoft when users with Phish Detective use the same password to sign in at two different sites. Some of these sites are legitimate instances of reuse -- many Web users have the same password for more than one Web site they commonly visit. However, some are not, and this is the activity used to detect phishing, Herley said.

It was easy to track which re-use seemed legitimate -- for example, when a user would sign in with the same password at eBay and then sign in to a Yahoo Mail account, Herley said. It was also fairly simple to determine when a password was being reused at a likely phishing site because the password would be used at a "site you've never heard of before," he said.

Microsoft took great pains to ensure it is not violating users' privacy by collecting data through Phish Detective, Herley said. The company does not extract specific user or password information through the tool; it only tracks instances of password reuse and logs URL information. Microsoft also had the tool audited by a third party to maintain privacy standards.

Herley declined to comment on if Microsoft would expand its use of Phish Detective to other products, such as Internet Explorer (IE), which also has anti-phishing capabilities. IE 7, the browser's current version, includes an anti-phishing filter that sends information about phishing sites to Microsoft. IE 8 is due out in late 2008 or early 2009, according to Microsoft's current schedule for the product.