So, here you are some ideas for proactive "server side" (not involving client interaction) defenses against phishing: I've got a couple more, but I have to develope them a little.
- Pollute aggressor's data: we generated thousands of fake credentials from hundreds of proxies. The attackers will have an hard time filtering out the fakes, since they're not even logging the ip the request came from.
- Do content tampering: if the attackers left some images with src pointing to your website, change the links in your website and switch their pictures in something else to warn the user. A huge red alert banner will do. If they were clever enough to download the images too, change yours. It won't be a huge gain, but every little bit...
- Do image proofing: have an artist design 365 small images, one for every day. It is not easy to copy someone' style, and if the users are used to see something changing in a regular fashion they will be able to spot anomalies easily. The point is: most banks (and big stores too) websites are static in content, thus an easy prey for phishers.
The next thing I'm thinking about is automatic detection of phishing websites using a proxy. Imagine a squid component able to warn you whenever you hit a phishing site... without the need to mantain a blacklist. Blacklists are a quick, easy way out. Unfrotunately, they just don't work: most hits will take place in the hours close to the phishing attempt, when the blacklist won't be updated.That's why we need more creative, out of the box solutions.