Hot Take [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

[Evjl's Rain]

Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings

Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings

Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings

Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings

Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings

Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings

Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings

Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings

Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings

Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings

Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings

Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings

Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings

Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings

Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings

Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings


Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links

Spoiler: Links

Dropbox - link test 17-3-2018.txt

Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

Spoiler: ublock origin filters

http://hosts-file.net/emd.txt
http://hosts-file.net/exp.txt
http://hosts-file.net/pup.txt
http://hosts-file.net/psh.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:

Winner: Google Safe Browsing

 

[Nikos751]

Last month I tested 5 security products and 5 browser addons against new phising and malwaresites.

Phishing sites:

Mcafee add-on	85.09%
Norton add-on	66.29%
Bitdefender add-on	65.42%
Trend Micro IS	63.81%
Trend Micro add-on	55.90%
Emsisoft	54.06%
F-Secure Safe	50.00%
G-Data IS	49.55%
Malwarebytes add-on	41.18%
Sophos Home Pro	30.53%

Malware sites:

Bitdefender add-on	77.13%
McAfee add-on	71.50%
Malwarebytes add-on	66.52%
G-Data IS	65.18%
Trend Micro IS	62.37%
F-Secure Safe	57.53%
Sophos Home Pro	52.01%
Emsisoft	41.62%
Norton add-on	41.16%
Trend Micro add-on	30.65%

That’s a great ranking!
Whats noticeable though, is that phishing detection can go downhill for some vendors depending on the region. For example most phishing websites in greek language have poor detection rates from vendors that are pretty good on non region specific websites.

 

[Nikos751]

That’s right. The in-product blocking abilities (Web Shield) are based on technology that was acquired by AVG from Exploit Prevention Lab. This technology was developed to detect drive-by downloads and other attempts to exploit browser vulnerabilities. In the beginning, it used to scan all sites in real time one by one as they are displayed on Google searches.
This quickly caused outrage and headlines such as this:

AVG scanner blasts internet with fake traffic

You're not that popular after all

www.theregister.com

It was then changed to Just-in-Time (JIT) analysis as users open the website to reduce complaints from web admins.
This analysis is based on heuristics and other data and is more powerful than just using a blacklist as the extension or the mobile products do.

Interesting! I thought it was just their db. Nice to see such technologies that can detect new phishing sites without the need to be already known.
I wonder if other big players such as NortonLifelock, Kaspersky &. ESET do the same.
Norton for example I think uses its IPS for finding malicious patterns in traffic that’s also not db based (provided their addon is not installed).
Phishing is going to become an even bigger problem according to predictions and vendors are still mediocre at that concerning that AI based content will thrive. 2/3 is not good. but it’s already a difficult war

 

[Trident]

Interesting! I thought it was just their db. Nice to see such technologies that can detect new phishing sites without the need to be already known.
I wonder if other big players such as NortonLifelock, Kaspersky &. ESET do the same.
Norton for example I think uses its IPS for finding malicious patterns in traffic that’s also not db based (provided their addon is not installed).
Phishing is going to become an even bigger problem according to predictions and vendors are still mediocre at that.

More or less all of them use the same technology.

They use crawlers and automated analysis that will look for brand impersonation, suspicious Whois data and other signs. Many of them perform JIT (also called on-the-fly) analysis but there are several factors that will divide products in winner and loser groups:

• How effective the heuristics are (depends on researchers and data scientists there)
• How well the security vendor knows banks around the world
• How effective and resistant to “fooling” the automated analysis is
• How many users the product has — the more users, the more websites will be submitted for analysis
• How big is the “honeynet” that captures phishing and SPAM
• Other proprietary technologies such as page fingerprinting, etc.

Symantec/Norton use page fingeprinting, IPS (Deep Packet Inspection), reputation, heuristics, denylist and others.
I would assume Kaspersky uses all that too (excluding IPS). Eset boosts the phishing detection by adding heuristics to the antivirus engine.

Yes, it is not possible to identify 100% of all Phishing pages, just like it’s not possible to identify 100% of all malware or SPAM due to the lack of predictability.

Users should be looking at the URL carefully and should ensure that they enter their information on the correct page. A bank or an institution will never send them an email asking for personal information — any bank knows more about its clients than they know about themselves.
It’s always better to contact an institution directly over the phone or through their mobile app.

Solutions like F-Secure with its banking protection that adds a green border are useful as well - users can make sure they use genuine website by looking for the green border.

 

[Nikos751]

Fake eshops are also a problem. I have found like 8 Timberland fake estores (with bad greek translation - Later on, accessible AI will help with automated precise translation) that have very small detection rates from most vendors. Kaspersky, Norton, Fsecure , Safe Web addon (not IPS) & BitDefender (traffic light & AV) detect almost all of them. Eset detects one or two, McAfee 3, Avast about half.

 

[Trident]

Fake eshops are also a problem. I have found like 8 Timberland fake estores (with bad greek translation - Later on, accessible AI will help with automated precise translation) that have very small detection rates from most vendors. Kaspersky, Norton, Fsecure , Safe Web addon (not IPS) & BitDefender (traffic light & AV) detect almost all of them. Eset detects one or two, McAfee 3, Avast about half.

I created a video on this topic:


What’s interesting is that scammers have definitely seen this video. They took the sites displayed there down and attempted to do slightly better. They failed.

 

[Nikos751]

I created a video on this topic:


What’s interesting is that scammers have definitely seen this video. They took the sites displayed there down and attempted to do slightly better. They failed.

Great educating video, but my conceen is that AI will very soon “fix” most abnormalities that can make the average user not fall victim. There are already fake shops with normal prices & product categories for example. So, attention to technical things, flags & code vs code aka anti phishing (man vs code is a lost war already) is the only way to go for me.

 

[Trident]

Great educating video, but my conceen is that AI will very soon “fix” most abnormalities that can make the average user not fall victim. There are already fake shops with normal prices & product categories for example. So, attention to technical things, flags & code vs code aka anti phishing (man vs code is a lost war already) is the only way to go for me.

There will always be abnormalities that AI can not fix. For example, AI will hardly help them build a real shop - upon Googling the address, I’ve seen supermarkets, libraries, cafes and houses.
It won’t help them with the phone number either - they always leave invalid phone numbers.

So the war is not really lost, but users need to observe.

 

[Nikos751]

There will always be abnormalities that AI can not fix. For example, AI will hardly help them build a real shop - upon Googling the address, I’ve seen supermarkets, libraries, cafes and houses.
It won’t help them with the phone number either - they always leave invalid phone numbers.

So the war is not really lost, but users need to observe.

We agree here

 

[tsunami]

DNS over HTTPS (DoH) - Free Protective DNS Service | Avast

www.avast.com

 

[Alexai]

Is btl now ok on chrome?

I need the tick near links in search engine (ddg) for my mum.

 

[Moonhorse]

@Trident do you do any comparing still? Kinda wondering how will avast dns do against avast itself or against controld/dns0

DNS over HTTPS (DoH) - Free Protective DNS Service | Avast

www.avast.com

ill try to do some comparing myself but dont have many sources for phishing/malware

 

[Trident]

@Trident do you do any comparing still? Kinda wondering how will avast dns do against avast itself or against controld/dns0

DNS over HTTPS (DoH) - Free Protective DNS Service | Avast

www.avast.com

ill try to do some comparing myself but dont have many sources for phishing/malware

For a solution to accurately identify phishing, it will be better to have access to the page content so it can check for brand impersonation. Because Avast doesn’t mention anywhere to offer newly registered domains blocking, you can expect to see lowered anti-phishing performance compared to the full package. Avast recently introduced DGA (domain generation algorithm) blocks to the web shield but it is not mentioned to be offered in the DNS. All in all, NextDNS and their sister service, Quad 9 and Control D will remain better options in terms of DNS protection.

 

[Moonhorse]

Can someone test this url with controld or nextdns, does it get blocked as new domain since dns0 wont block it.

VirusTotal

VirusTotal

www.virustotal.com

This url has been going for 4 days already and police yesterday annouanced this scam is going on

Poliisi varoittaa Omaveron nimissä tulevista huijausviesteistä - Poliisi

Poliisi varoittaa Omaveron nimissä tulevista huijausviesteistä

poliisi.fi

I have reported url to trend micro, netcraft, google and nothing has happened

Also wich way is easiest to block .info domains?

 

[Kongo]

Can someone test this url with controld or nextdns, does it get blocked as new domain since dns0 wont block it.

VirusTotal

VirusTotal

www.virustotal.com

This url has been going for 4 days already and police yesterday annouanced this scam is going on

Poliisi varoittaa Omaveron nimissä tulevista huijausviesteistä - Poliisi

Poliisi varoittaa Omaveron nimissä tulevista huijausviesteistä

poliisi.fi

I have reported url to trend micro, netcraft, google and nothing has happened

Also wich way is easiest to block .info domains?

 

[Kongo]

Also wich way is easiest to block .info domains?

I blocked the .info TLD in NextDNS settings

 

[Moonhorse]

I blocked the .info TLD in NextDNS settings

Seems NextDNS is better than dns0 zero

 

[Kongo]

Seems NextDNS is better than dns0 zero

More customizable for sure.

 

[Moonhorse]

More customizable for sure.

Site been up for 3 days and doesnt count as Newly registered domains for Dns0

Yeah i should get nextDNS but the free doesnt fit me and i can only pay with paysafecards , i woulda need to buy crypto to pay with crypto

 

[Kongo]

Site been up for 3 days and doesnt count as Newly registered domains for Dns0

Yeah i should get nextDNS but the free doesnt fit me and i can only pay with paysafecards , i woulda need to buy crypto to pay with crypto

Did you test Avast DNS?

 

[Moonhorse]

Did you test Avast DNS?

Im on it

Edit:
avast dns
adguard dns
cloudflare dns
opendns family shield
google dns
quad9
Nextdns basic
Controld malware filter
verisign dns
neustar

doesnt block it