Phishing Filter in IE7

Hi, my name is Tariq Sharif and I am a Program Manager on the IE Security team. One of the threats users face on the web is phishing. Today, I want to tell you about the Phishing Filter in IE7, a new security feature designed to dynamically warn users if they visit a phishing site.  I’ll cover the filter service communication flow, show you what some of the filter notifications look like, how can you report a phishing site and most importantly I will let you know the process of reporting an incorrectly marked site.

What Phishing Filter does to help protect users

To use Phishing Filter, you will have to decide if you want to automatically check sites you visit against the list of known phishing sites on the Microsoft server, or if you only want to check when you have reason to suspect a site and opt out of automatic checking.

You can get the most protection from Phishing filter by setting it to automatically check sites so I’ll focus on that experience today.

When you go to a known phishing site, Phishing Filter will detect the attack in progress and automatically take you away from the phishing site and show a strong warning.

To determine if a website is a reported phishing website or not, the Phishing Filter will check the address of the website you are trying to visit on a Microsoft server to see if it’s a reported phishing site.

You might visit a phishing website that hasn’t been reported yet, you might even be the first person to find the phishing site. When you visit a site that uses common phishing tactics but isn’t listed on the server as a known phishing site, Phishing Filter will display a strong yellow alert in the Security Status Bar, a new feature area located next to the address bar. Now that you are alerted about the possible phishing site, you will be able to help us fight back.

How you can make help us hook the “phishers”

IE7 has a menu option for you to report any phishing website that you find. Clicking on the warning message will open a menu where you can select a link to begin the process of reporting a phishing site. You can also find this option on the Tools menu at any time. Within a short period of time, reported phishing sites will be evaluated and added to the list of reported sites on the server.

What information is sent to Microsoft for checking a website

Phishing Filter does not check every URL on the Microsoft server. It only sends those which are not on a known list of OK sites or those that appear suspicious based on heuristics. If an URL is checked on the Microsoft server, first the URL is stripped down to the path to help remove personal information, then the remaining URL is sent over a secure SSL connection.  The communication with the Microsoft server is done asynchronously so that there is little to no effect on your browsing experience.

So, for example, if you were to visit https://www.msn.com, nothing will be checked on the Microsoft server because "msn.com" and other major websites are on the client-side list of OK sites. However, let’s say the URL looked like this: https://207.68.172.246/result.aspx?u=Tariq&p=Tariq’sPassword, in this scenario phishing filter will remove the query string to help protect my privacy but it will send "https://207.68.172.246/result.aspx" to be checked by the Microsoft Server because 207.68.172.246 is not on the allow list of OK sites. As it turns out, 207.68.172.246 is just the IP address of MSN.com server, so its not a phishing site but this example should help you understand more about how Phishing Filter checks sites on the server.

To read more about how phishing filter checks sites and how your privacy will be protected, you should check out the privacy statement and also Rob’s recent post on it.

Making sure your website isn’t flagged by Phishing Filter

If you are a site owner and your website is shown as suspicious or blocked, you too can click on the red or yellow warning in the Security Status Bar and click on the link to send feedback about the mistake. On the feedback page you can fill out the necessary information and request to have your website reevaluated.  Once a request has been submitted it is reevaluated by the Phishing Filter team. Based on the reevaluation, the site will either be removed from the list or left as it is.

I want to tell you a little about how Phishing Filter flags some sites as suspicious sites so you can keep your legitimate site from showing up as suspicious.

Phishing Filter has a machine learning filter and it uses heuristics to determine if a particular web site looks suspicious or not by looking for characteristics in the page that are common in phishing scams. Since the Phishing Filter heuristics are based on a learning machine, there might be a case where an actual phishing site may not even be flagged as suspicious (false negatives) and some sites which are legitimate could be marked as suspicious (false positive).

This is another reason that Phishing Filter has to contact a server to detect phishing sites and keep the number of false positives to its lowest. If Phishing Filter was to download a block list every few hours, then Phishing Filter mistakes could not be quickly corrected. To correct the mistake in a timely fashion we would have to push the bits down constantly, and this approach does not scale very well. Therefore to keep the number of mistakes to its lowest and for Phishing Filter to work most effectively it contacts the Microsoft servers to determine if a website is phishing or not.

For more information on this feature, see "Introducing Phishing Filter in IE" and "Anti-Phishing Whitepaper"

 - Tariq