The average phishing URL catch rate in the top four browsers jumped from 46 percent in 2009 to 92 percent in 2012, a new study said.
The average time it took to block a new phishing URL also improved, from 16.43 hours to 4.87 hours. Although all four browsers have improved, some did better than others: Google Chrome took first place, followed by Microsoft’s Internet Explorer 10, Apple’s Safari, and Mozilla’s Firefox bringing up the rear.
The latest results come from a 16-page report titled “Browser Security Comparative Analysis – Phishing Protection” by NSS Labs, which evaluated the phishing protection offered by the four leading browsers during a 10-day test period. Chrome 21 caught 94 percent of phishing URLs, IE10 stopped 92 percent, Safari thwarted 91 percent, and Firefox denied 90 percent.
Most importantly, the test shows that browsers, the second line of defense (the first is the user), have significantly improved their ability to detect and block malicious phishing sites, forcing attackers to create and rotate phishing URLs far more frequently to be effective.
While the number of reported phishing attacks peaked in 2009, the average number of phishing sites detected has been on the rise, from under 40,000 per month in 2011 to over 50,000 per month in 2012.
As such, NSS Labs said browsers need to focus on speeding up blocking response times. The average uptime for sites linked to phishing attacks in 2012 is around 23 hours, down from a high of 73 hours in 2010.
NSS Labs gives its results a margin of error of about 2 percent, but even then, the block rate for all four browsers was quite close. As such, the security firm recommends choosing your browser based on more than just its anti-phishing capabilities. For example, the last test showed that IE10 was significantly better at blocking malware when compared with Chrome, Safari, and Firefox.
“Recent advances in reputation-based blocking systems are reaching maturity and now afford consumers and enterprises significant protections against the less sophisticated attacks,” said Randy Abrams, research director at NSS Labs. “Still, the availability of cheap and disposable domains allows criminals to rapidly change the location of phishing sites. The result is that even a site that is live for only a few hours can evade detection and ensnare enough unwary consumers to be a profitable criminal endeavor.”