Browsers block substantially more phishing sites within first 24 hours of detection, however selective and sophisticated phishing attacks remain a severe threat for targeted organizations

AUSTIN, Texas – November 28, 2012 − NSS Labs today released the latest results and analysis from its web browser security comparative series which evaluated the phishing protection offered by the four leading browsers – Apple Safari, Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox. During the 10-day test period, the average phishing URL catch rate ranged from 90% for Firefox 15 to 94% for Chrome 21 – a significant improvement from 2009 testing where the average block rate was 46%. The average time it took the tested browsers to block a phishing URL also improved to 4.87 hours versus 16.43 hours in 2009 tests.

These test results show that web browsers, an important first line of defense, have improved their ability to detect and block malicious phishing sites sufficiently promoted through fraudulent messages to be more quickly logged in reputation-based systems updating browsers’ blocking features. As a result, attackers must create and rotate phishing URLs far more frequently in order for them to be effective. Browsers’ reputation-based defenses, as a rule, offer less protection from more narrowly targeted phishing attacks, such as those aimed at government and financial services organizations and likely launched selectively in an effort to evade reputation system recognition.

Key browser security test conclusions for phishing protection include:

    • The number of malicious, phishing-linked URLs is growing significantly: Phishing continues to be one of the top attack vectors used by cybercriminals to gain access to systems and sensitive data: While the number of reported phishing attacks peaked in 2009, the average number of phishing sites detected has been on the rise from under 40,000 per month in 2011 to over 50,000 per month in 2012.
    • Seconds count in the war on phishing: The new challenge for web browsers is to quicken blocking response times. With phishing sites now rotating at a much faster pace, it is critical for browsers to identify and block sites more rapidly. The average uptime for sites linked to phishing attacks in 2012 is around 23 hours; down from a high of 73 hours in 2010. The zero-hour block rates for the browsers tested against brand new malicious URLs ranged from Chrome 21 at 53.2% to Safari 5 at 79.2%. Firefox 15 had the fastest average block time at 2.35 hours, while all other browsers ranged from 5.38 to 6.11 hours. While all the browsers blocked over 83% of the phishing URLs used in testing by end of day one; it took 3 – 5 days for each to reach its maximum block rate.
    • Phishing protection is just one of many browser security factors to consider: While all browsers average above a 90% block rate for phishing, end-users and enterprises should also take protection against other threats – such as malware and drive-by downloads – into consideration when selecting a browser. Although Firefox and Safari performed well in phishing response times, separate NSS Labs testing shows they lag behind Internet Explorer and Chrome in blocking socially-engineered malware. In overall malware testing, Internet Explorer blocked over 99.1% of malicious downloads, while Chrome was a distant second blocking only 70.4%, followed by both Firefox and Safari blocking less than 6%. Results of all previous browser security tests performed by NSS Labs can be found online at

Commentary: NSS Labs Research Director Randy Abrams

“Phishing has been a pernicious threat for several years and the variety of measures designed to mitigate the problem have yet to decrease the prevalence of such attacks. Recent advances in reputation-based blocking systems are reaching maturity and now afford consumers and enterprises significant protections against the less sophisticated attacks,” said Randy Abrams, Research Director at NSS Labs. “Still, the availability of cheap and disposable domains allow criminals to rapidly change the location of phishing sites. The result is that even a site that is live for only a few hours can evade detection and ensnare enough unwary consumers to be a profitable criminal endeavor. Sophisticated spearphishing campaigns continue to be highly problematic to defend against. It is important that developers harden browsers to block not only phishing attacks, but also other threats, such as socially engineered malware and drive-by downloads as these remain popular and effective attack vectors for cybercriminals.”

The products covered in this test were:

      • Apple Safari 5
      • Google Chrome 21
      • Microsoft Internet Explorer 10
      • Mozilla Firefox 15