Windows Vista's Phishing Filter: A User's Guide

Tuesday Apr 17th 2007 by Tony Piltzecker

Windows Vista’s Phishing Filter analyzes URLs presented to the user and compares them to a local copy of the blacklists, among other upgrades.

“Phishing” is when an e-mail is sent with the intent of extracting personal information from the recipient. Typically, the information being sought is both personal and financial. As such, the authors of these phishing efforts typically disguise the e-mail as a very professional and courteous correspondence from a trusted source such as a bank, insurance company, or even educational institution. Within the body of the e-mail is a hyperlink to a fraudulent Web site which will present a similarly trustworthy face to the ensnared victim and then require perhaps two or three pieces of information to “update their database” or “process their re-enrollment.”

In addition to posing as a familiar face to the victim, these Web sites portray themselves as extremely security-conscious and require great levels of “authentication” before continuing. It is in the information provided for validation that the scammers reach their goal of gaining passwords, Social Security numbers (SSNs), and account numbers. Their ploy is to present themselves as everything that they’re not: secure, professional, and out for your best interests.

Windows Mail now boasts an additional tool to the typical arsenal of antimalicious mail weaponry, and that is the integration of Microsoft’s Phishing Filter. Initially a part of Internet Explorer and the MSN toolbar, the Phishing Filter automatically analyzes URLs presented to and clicked by the user in Windows Vista and compares them to a local copy of the blacklists maintained at Microsoft (these local copies are updated as part of Microsoft Update).

Windows Mail can take the Phishing Filter service even further by analyzing incoming messages to not only see whether the URLs listed in the body of the message are known for phishing, but also whether the actual links in HTML messages are the same as the URLs displayed to the user. Messages caught by the Phishing Filter can be accepted or rejected.

Scanning from the Start

In accordance with Microsoft’s continued effort to provide applications and platforms that are secure out of the box, the Phishing Filter built into Windows Mail is enabled by default. In fact, very few settings are available to the user. The only place to adjust settings for the filter is within the settings for the Junk Filter. You can access these settings via Tools | Junk E-mail Options.

Five tabs are exposed for configuring all junk-mail-related options, the last of these being the Phishing Filter.

The Phishing Tab

By default, the Phishing Filter is set to protect the user’s Inbox against “phishing,” though not to move the mail in any way out of the Inbox. The options available to the user are to accept this protection, remove the protection altogether, or choose to have the protection enabled and all detected e-mails moved into the Junk E-mail folder.

Because the updates for the Phishing Filter take place within Windows Update and have little to do with human interaction, there are no settings to modify this within the Windows Mail user interface. Rather, Windows Vista handles the security and the updating for the utility on behalf of the user.

It is important to understand that the default behavior of the Phishing Filter is not regulated by Windows Mail, but by Internet Explorer. If the Phishing Filter is not set to automatically check in with Microsoft’s blacklists (which is the default setting), the filter (which is enabled automatically within Windows Mail) checks URLs in messages only against the local copy of the blacklist.

A point for clarification is the distinction between junk e-mail and phishing e-mail. Junk e-mail is mail identified as having a certain level of content that is sinister, erroneous (smart speak for “bogus”), advertisement-related, and so on. Phishing, on the other hand, is very specific and typically requires that the user take action to be forwarded to a Web site or form. Windows Mail handles these two types of electronic garbage differently. If a message has a high probability of being junk mail and is considered to be only “potentially” fraudulent, that message will be moved over to the Junk E-mail folder.

The settings for junk e-mail on the Options tab take precedence as the e-mail is not actually considered to be a phishing attempt. A message is classified as a phishing attempt if the sender, subject, or content/URL in the body of the e-mail is verified against the local copy of the Microsoft blacklist. The Phishing Filter service performs these checks in real time, allowing for a very high degree of security before messages are even opened.

Working with Filtered Mail

When Windows Mail receives a potentially malicious message, it immediately scans the message for any fraudulent links. If it does not detect such a link, Windows Mail will determine whether the message should go to the Inbox or to the Junk E-mail folder.

The first action that is actually visible to the user is the pop-up security window, where the user is given the opportunity to navigate to the Junk E-mail folder (where the message resides), navigate to the Junk E-mail Options page, or set Windows Mail such that it will never prompt on such an occurrence again.

A Suspicious E-Mail Alert

Unless told to no longer display the message (via the “Please do not show me this dialog again” checkbox), Windows Mail will display this alert at every instance of suspicious mail. If the user chooses the default option (Close), he is redirected to the Junk E-mail folder where the suspect message is awaiting review.

The Junk E-Mail Folder Populated with a Suspicious Message

At this point, the user can fully view the “suspect” message and give it a “not Junk” status. If the Phishing Filter confirms that a message is malicious, it behaves slightly differently. First, it does not move the message to the Junk E-mail folder. Second, it displays it in the Inbox with a red header/banner that provides the user with a very clear warning that the link or sender is known for phishing (see Figure 8.16). The message header information is set to a bold red font and the now familiar Security Shield (first introduced in Windows XP) is appended to the message displayed in the Inbox.

Notification of a Confirmed Phishing Threat

Lastly, Windows Mail removes all images and hyperlinks, further shielding the user who chooses to investigate the e-mail from the dangers of accidental enabling or browsing. Although this may initially seem somewhat restrictive, consider that many unwise users may not be up-to-date on matters such as antivirus, leaving them very vulnerable to the threats brought about by accidentally launching a Web site.

Program Improvement

It is only a matter of time before a Windows Mail user receives a message that contains a link to a Web site that is fraudulent and wonders why the great and powerful Phishing Filter has not caught it. The answer has less to do with a deficiency in Microsoft code and more to do with today’s electronic culture.

At the time of this writing, Microsoft has averaged an addition of 17,000 URLs per month to the Phishing Filter service. These are updates provided by the users of Hotmail and Live Mail who sent suspicious URLs to Microsoft for research. Since the release of Internet Explorer 7, users of the program have reported close to 4,500 potential phishing sites per week. Needless to say, the rate at which new scams and forms of spam are released into the Internet is truly staggering, and there are simply no applications that can boast 100 percent effectiveness at providing security and detection.

To ensure that the Phishing Filter can continue to provide you with accurate information, you have the option to report suspicious Web sites to Microsoft. This feature, however, is not on by default, and you must configure it from within Internet Explorer. In fact, to ensure that your Phishing Filter is checking more than just the local copy of the Microsoft blacklist, you need to enable the full functionality of the feature. To do this, simply go to Internet Explorer and choose Tools | Phishing Filter.

Adjusting the Phishing Filter via Internet Explorer Tools | Phishing Filter

The options available to you are:

Check This Website: This establishes a connection to Microsoft’s blacklist to query the URL for the Web site you are presently on. If the Web site is found, you will be alerted that the site is known for phishing.

Turn ON/OFF Automatic Website Checking: This option must be set to On to ensure that the Phishing Filter goes beyond the local copy of the Microsoft blacklist. With this setting off, Windows Mail can incorporate filtering only against your local copy of the Microsoft blacklist, which is updated only on occasion.

Report This Website: This is where you can send Microsoft a notification that the Web site you are currently visiting seems suspicious and request that the site be researched. Microsoft does not offer a guarantee of when you can expect to find the site you’ve reported on its list.

Phishing Filter Settings: This brings you to Internet Explorer’s traditional Advanced Settings window, where you can toggle Automatic Website Checking on or off or disable the Phishing Filter altogether.

The Advanced Tab of Internet Options for the Phishing Filter

It has taken a great deal of “group” effort for perpetrators of phishing campaigns to become as successful as they have. It stands to reason, then, that the user community will need to meet that effort with an equally solid, unified effort to combat their assault. The Microsoft Phishing Filter is a phenomenal tool, but one that is only as good as its updates. Taking the time to enable the feature and the communication is definitely worthwhile.

Although the Phishing Filter offers you little granular control over the application and virtually none via Windows Mail, it is still an incredible tool for securing the e-mail experience for Microsoft Vista users. Now, the security once relegated only to Microsoft’s Hotmail and MSN servers is available for free to Windows Mail users, and this means fewer add-ons, no third-party applications, and a more streamlined experience for all.

