This Company Wants to Use the Blockchain to Stop Phishing

MetaCert has classified 10 billion URLs as either safe, a suspected source of phishes, or unknown.
Image may contain Armor
Getty Images

Phishing just won’t go away. Nearly three-quarters of organizations polled by security company Proofpoint saw phishing attacks last year. Sometimes attackers are able to fool even security-savvy users.

A company called MetaCert is trying to fight phishing emails with an extraordinarily simple method. The company has spent seven years compiling a database of web addresses known to be used by phishers, and the company and its users are constantly reporting more. Just as important, it also has a database of known "safe" addresses used by the companies hackers like to spoof: banks, payment services like PayPal, and online retailers. MetaCert's software uses those databases to check the links in your email and place a little green shield next to known good links, a little red shield next to known phishing sites, and a gray shield next to unknown sites.

Of course, there are plenty of other tools for blocking phishing scams, ideally before they hit your inbox, typically through a combination of user reports and algorithms. For example, the security company Agari uses machine learning to understand what a typical email from the people you interact with looks like. It can then filter messages from imposters that exhibit odd behavior. But some phishing attacks will inevitably make it through even the best protections.

MetaCert wants to augment, not replace, tools designed for blocking phishing attacks, acting as a last line of defense. That’s why the gray shields are crucial to the system. The hope is that flagging a link as unknown can help users spot the difference between a real link to, say, Apple's website, and a fake one, even if the fake link is one that MetaCert has never seen before.

"We're not telling you to uninstall your other email security software," founder and CEO Paul Walsh says. "We just want you to stop and think when you see the gray shield."

MetaCert is already available for the native iOS email app, where it will work with major email providers, including Gmail and Microsoft. A version for the desktop Apple Mail application will be available Thursday. The software is free for now, but Walsh says the company will eventually charge for it. The company plans to release versions of the software for other email applications such as Gmail and Microsoft Outlook.

There are downsides to its approach to phishing protection. Like many other third party email apps, MetaCert acts as an proxy, meaning that your email will pass through its servers as it checks for bad links. For Gmail and Outlook.com, MetaCert doesn’t need to store a user’s password, you can simply tell Google and Microsoft that it’s OK for MetaCert to access your email. But for services that don’t support this type of third-party access, MetaCert will need to store your email password locally on your device in order to function. Some email providers, including Apple and Yahoo, offer the option to use what’s called an “application specific password” instead of handing over your main password. MetaCert Chief Product Officer Sean Gocher says it only stores your password locally, and then passes that along to the server without ever storing it on MetaCert’s servers. Likewise, Gocher says your mail is only processed by the company’s servers and isn’t stored. That could reduce the risks, but in any case, using MetaCert means giving the company access to your email account.

MetaCert also offers a Google Chrome browser extension that warns users when they try to visit a site that contains links to known phishing sites, as well as bots that flag and delete messages with phishing links from the chat applications Slack, Skype, and Telegram, all powered by the same database.

Agari CEO Ravi Khatod says something like MetaCert could be helpful as an additional defense, but cautions that trying to catalog and rate every site on the web is an impossible task for one company.

But Metacert doesn’t want to go it alone. The company has classified over 10 billion URLs, some of them gathered from users via crowdsourcing. But it's also planning to use blockchain technology, similar to the concept that underpins the digital cryptocurrency bitcoin, to encourage people to submit and categorize links.

Walsh, MetaCert’s CEO, thinks the blockchain will help users trust MetaCert, since the company won’t control the decentralized database. That would prevent MetaCert employees from abusing their power by flagging sites they don’t like. Over time, the company says, submitters and reviewers will develop reputation scores that will be used to weigh their contributions.

MetaCert started indexing the web in 2011 to support its original product, a porn blocker for mobile phones. Walsh says Apple and Samsung both considered bundling MetaCert's software with their devices, but ultimately decided against it. The team realized the company needed a new plan, so in 2014 it turned their attention to mobile applications and settled on building phishing protection tools for messaging apps like Slack. That's how Walsh found out about the cryptocurrency community.

Last year a rash of phishing schemes hit the cryptocurrency world, says Matt McGivern, community manager of SingularDTV, a blockchain based crowdfunding and rights management company. Scammers were sending direct messages to people on cryptocurrency-related Slack communities and convincing users to click phishing links designed to steal passwords for digital wallets. McGivern found MetaCert through the Slack app directory, but at the time, the MetaCert bot wouldn't block phishing links sent through direct messages. So McGivern emailed Walsh asking for help.

MetaCert responded by expanding the features of the bot. "It was a perfect solution for us at the time," says McGivern, though SingularDTV no longer has a public Slack system.

Walsh was unfamiliar with cryptocurrency, but he saw a chance for MetaCert in a community that desperately needed help. He also saw another way to build and expand its link database.

MetaCert’s blockchain protocol is useful for more than just cataloging phishing sites. TrustedNews, a browser plugin that attempts to spot fake news, uses the protocol to rate content based on its trustworthiness. Next, MetaCert is adding a system to reward people who submit and review links to the database with tokens that they can use to pay for MetaCert's paid products.


More Great WIRED Stories