posted on 2006-01-01, 00:00 authored by Yue Zhang, Serge Egelman, Lorrie Cranor, Jason Hong
There are currently dozens of freely available tools
to combat phishing and other web-based scams, many
of which are web browser extensions that warn users
when they are browsing a suspected phishing site. We
developed an automated test bed for testing anti-phishing
tools. We used 200 verified phishing URLs
from two sources and 516 legitimate URLs to test the
effectiveness of 10 popular anti-phishing tools. Only
one tool was able to consistently identify more than
90% of phishing URLs correctly; however, it also
incorrectly identified 42% of legitimate URLs as phish.
The performance of the other tools varied considerably
depending on the source of the phishing URLs. Of
these remaining tools, only one correctly identified
over 60% of phishing URLs from both sources.
Performance also changed significantly depending on
the freshness of the phishing URLs tested. Thus we
demonstrate that the source of phishing URLs and the
freshness of the URLs tested can significantly impact
the results of anti-phishing tool testing. We also
demonstrate that many of the tools we tested were
vulnerable to simple exploits. In this paper we describe
our anti-phishing tool test bed, summarize our
findings, and offer observations about the effectiveness
of these tools as well as ways they might be improved.