PhishFarm Block List Latency Monitoring

Brad Wardman, PayPal
Program Principal Investigator
Adam Oest, PayPal
Program Principal Investigator


Browser block list efficacy is one of the greatest shared-infrastructure challenges on the World Wide Web today: Independent, academic studies and industrial analyses have found widely variable block list performance with failure rates (e.g. omission in adding reported URLs) of scale, in a number of scenarios, that apparently leave large proportions of users open to the most deviously designed phishing websites.

Hitachi Systems
APWG Thanks PhishFarm's Underwriters For Their Generosity and Vision

Browser block list efficacy is influenced by a number of conditions and attack scenario logistics, most all of which are invisible to stakeholders, leaving reporters and responders without essential data for optimizing their interventions. Most recently, researchers from Arizona State University and PayPal published findings that indicated some emerging cloaking and crawler-evasion techniques were catalyzing catastrophic block list failures2 — potentially exposing a virtually unlimited proportion of the Web user cohort to phishing websites rendered invisible to conventional block list maintenance technologies.

Their findings align closely with experiences of APWG Engineering and APWG members who witness significant proportions of expertly reported URLs never being lodged on browser block lists. Subsequent discussions have engendered new questions about whole-of-ecosystem performance over the years and compelled APWG to act: APWG tenders this proposal for the PhishFarm Block List Latency Monitoring Program with urgency in the knowledge that cybercrime attack techniques — like cloaking and crawler evasion — found to be successfully employed by a minority of cybergangs can quickly become ubiquitously deployed.

Texas A&M

The APWG PhishFarm Block List Latency Monitoring Program would provide insights into the browser block lists that are one of the last lines of defense between workaday users and phishing websites — an enterprise that is essential to understanding the efficiency of the cybercrime response ecosystem. With a reliable system for measuring the latency and efficacy of block list updating, however, stakeholders will have foundational metrics required for:

  • Measurement of blocklist report instantiation efficiency
  • Development of optimization schemes and policies for phishing URL reporting
  • Discovery of sophisticated, high-impact attacks
  • Measurement of mitigation efficacy
  • Whole ecosystem performance assessment.

The principal objectives are to inform and enable whole-of-ecosystem metrics to cultivate the most efficacious data logistics possible; to drive out control failures; and to measure subsequent ecosystem performance changes, just as public health agencies employ purpose-built metrics to view and manage disease propagation.

Rigging APWG eCrime eXchange for Continuous Blocklist Monitoring

APWG PhishFarm Block List Latency Monitoring System will be instantiated on the APWG’s eCrime eXchange (eCX), an NGO-managed cybercrime machine-event data exchange that clears more than a billion data entities per month for APWG members to inform their security applications and forensic routines. eCX has served industry and research communities without interruption since the Spring of 2004.

The PhishFarm monitoring system as it is currently deployed at Arizona State University’s Center for Cybersecurity and Digital Forensics will be substantially augmented for continuous monitoring of latency of block list instantiation for all of the phishing URLs reported through the eCX. Currently, the eCX API endpoint for phishing reports (/phish) marks the report record with a timestamp indicating the time that the report was entered on the eCX’s servers — though the reporter can replace that timestamp with the actual time of discovery for website.

With the addition of PhishFarm block list monitoring, the records will include additional data to indicate the time that has elapsed before a reported phishing site is block-listed (e.g. the browser filter issues a warning of the URL’s association with a malicious website) — if it is indeed block-listed at any time — and the recorded time at which the phishing website is offline and no longer answering http/https requests.

APWG looks forward to the production of PhishFarm data for whole-of-ecosystem assessments — and to the establishment of a common operational vocabulary for technical diplomacy that must be engaged to mitigate control gaps discovered to be impairing response-infrastructure performance. Industry practitioners already use control testing routinely within their enterprises. With common metrics and shared language, pan-industrial management of the shared cybercrime-response ecosystem can begin — and be maintained.

To request a complete program proposal, please contact APWG Secretary General Peter Cassidy –