We rarely encounter brand-new products or brand-new technologies in security, but Pixm Anti-Phishing brings both to the table.
Where most antiphishing solutions rely on a combination of blacklisting and heuristic analysis, Pixm relies on a technique all its own.
In testing, though, this technique both missed verifiable fraudulent sites and cast suspicion on perfectly legitimate sites.
It has promise, but that promise hasn't yet been realized.
For businesses, Pixm offers centrally controlled protection against phishing attacks, as well as a higher-cost version dedicated to defending against spear phishing.
Where a typical phishing site tries to fool lots of people into giving away their credentials, a spear-phishing attack is focused on fooling one individual, or individuals in one company.
Consumers don't have to pay anything for the free Pixm antiphishing tool, which is what we're reviewing here.
The Pixm Premise
Webmasters of phishing sites eschew the fancy coding required to slip malware into visiting browsers or sneak around antivirus protection.
Instead, they simply create replicas of sensitive websites, broadcast links to those pages, and wait for fools to log in.
When you log into a fake bank or email system, you've handed over your account to the fraudsters.
Many antivirus products make use of blacklisting to detect and block the most egregious phishing pages.
The problem is, phishing URLs come and go so quickly that any blacklist is always out of date.
Oh, the blacklist catches some frauds, but full protection requires something more, like heuristic analysis of pages in real time.
Briefly, the heuristic component analyzes the page's components for inconsistencies or other evidence that it's not what it purports to be.
As a user, you can engage your own skills to avoid getting fooled by a phishing scam.
The page looks like PayPal, but does the URL in the Address Bar match? Are the colors correct, or subtly off? Do you see any obvious spelling errors? With a little practice you can become a phishing detection expert.
Pixm brings automation to that kind of examination, using what the company calls "computer vision." It identifies the purported source of a page, locates the original, and analyzes any differences.
If the algorithm finds discrepancies, Pixm displays a yellow warning banner; if the page is clearly a fake the yellow banner turns red, and Pixm disables links and other content on the page.
Conversely, when Pixm determines that a page is legitimate, it displays a green banner.
I should point out that Pixm presently works to identify fraudulent versions of "the top 100+ most phished brands." The company's president and co-founder tells me, "We are continuing to increase the brand coverage and will very soon cover 400-500 most phished brands." But this is a limitation not seen with other types of phishing detection.
Hands On With Pixm
Pixm consists of an application and a set of browser extensions for Chrome and Firefox.
The installation took such a long time that I figured it had hung.
I was in the process of composing an email to tech support when it finally came back to life, after 15 minutes seemingly stuck.
Once the installation finished, getting the extensions installed in Chrome and Firefox was a snap.
For testing phishing protection, I start by collecting the latest reported phishing URLs from websites that track such things.
I give preference to those that haven't yet gone through analysis.
With my URL collection ready, I set up four browsers for testing.
Three of them just use the protection built into Chrome, Firefox, and Internet Explorer.
Usually I install the test product in Internet Explorer to make the fourth, but since Pixm doesn't support IE, I used Chrome.
The test itself is simple.
I launch each URL in each of the four browsers at once.
If any of the browsers can't load the page, I discard that URL.
If it doesn't visibly attempt to steal login credentials, or otherwise doesn't clearly fit the profile for a phishing attack, I discard it.
The whole test can take several hours, because many of the URLs, new as they are, have already been taken down.
During the test I had plenty of time to observe Pixm's behavior.
It first displayed an animated "thinking" icon near the browser toolbar button.
A page that it couldn't verify as legitimate got a yellow banner stating, "Pixm could not identify the authenticity of this login page.
Please proceed with caution." In some cases, that's all it said, but for many others, it went on to display a red banner warning, "This page is blocked as the page is a suspected phishing site." With the red banner flying, I couldn't click any links or enter text on the suspect page.
Some of the reported phishing URLs were not actually fraudulent; it happens.
I encountered a couple of green banners stating (somewhat ungrammatically) "The page is verified by Pixm, its a safe page."
Meanwhile, the other three browsers blocked tons of pages that simply returned an error message in the browser protected by Pixm.
That implies to me that the three browsers previously blacklisted the page, and that they hadn't yet reacted to the page's demise.
Since Pixm must see the page contents to perform its analysis, it will never flag a defunct page.
I also encountered a surprising number of pages that Pixm simply missed, but that all three browsers detected.
In all, Pixm detected 60 percent of the verified fraudulent websites.
All three browsers beat Pixm's detection rate; Chrome and Firefox beat it by more than 30 percentage points.
Phishing Protection Results Chart
The best standard phishing protectors combine blacklisting with real-time analysis, and this pairing can be very effective.
In their most recent tests, Kaspersky Anti-Virus and McAfee both steered the test browser away from 100 percent of the verified frauds.
Both outperformed the protection built into all three browsers.
Another half-dozen antivirus products scored 97 percent or higher.
Bitdefender Antivirus Plus, in particular, managed 99 percent protection.
It's clear that the existing technology works.
While running through all the test URLs, I noted that clicking the browser toolbar button brought up a pie chart of protected domains.
The number of protected domains steadily increased, but the chart bore no connection to the actual domains it protected on my system.
Almost half the pie went to Capital One, a site that didn't appear at all in my testing.
And while PayPal fakes made up at least a quarter of the pages blocked by Pixm, PayPal didn't show up in the chart at all.
My company contact explained that the pie chart is slated for removal.
Green Banners and False Positives
It's very clear that my real-world phishing URLs didn't all fit within Pixm's collection of "the top 100+ most phished brands." For another view of the product's abilities, I tried logging into a collection of valid sites, some well-known and some not.
For every banking site I tried, Pixm displayed its green safety banner.
That makes sense; malefactors have the most to gain by capturing your banking logins, so these are important targets.
PayPal is also a huge target, with PayPal fakes making up at least a quarter of Pixm's detected frauds in my test.
Strangely, Pixm didn't react when I visited the real, legitimate PayPal.
No thinking icon, no green banner, no nothing! That's not good.
Things got worse when I dug into my password manager for some less common logins.
Pixm flagged many of these with the yellow warning banner, stating that it couldn't authenticate them.
Among the sites thus flagged were crafts site Etsy, the Science Fiction Book Club, the bookseller Abe Books, and the main Geocaching website.
Many phishing protection tools report both on known frauds and on frauds suspected based on their analysis.
For testing purposes, I give credit for both, though I distinguish them in my internal notes.
Sites considered suspicious (yellow banner only) made up nearly half of Pixm's successful detections, so the fact that it cast the same suspicion on valid sites is worrisome.
Declaring valid websites to be suspect wasn't the worst of it.
I mentioned Abe Books, a purveyor of rare and unusual books.
After flagging it with a yellow banner, Pixm went on to declare the real, valid website to be fraudulent! I didn't find any other false positives as egregious as this, but even one is more than I've seen with other products.
Pixm Responds
The false positive results were problematic enough that I felt I had to check in with my Pixm contact.
He surprised me by asking whether I was talking about Abe Books.
It turns out that my testing caused an unusual spike in server activity, enough that the Pixm folks could identify my IP address and see exactly which sites I was testing.
Since the business version of the product is centrally managed, that kind of tracking makes sense, but it was a surprise.
My contact explained that Pixm's detection relies on artificial intelligence and machine learning.
"Given that this is a deep learning computer vision technology," he said, "we do have occasional false positives.
No artificial intelligence is 100 percent." He did mention an update coming in just a few days that would reduce false positives, so I put testing aside, awaiting that update.
Meanwhile, I installed Editors' Choice NordVPN, so my new tests wouldn't use the same, known IP address.
I just don't like the idea of any company directly watching my interaction with their product during a review.
I checked Etsy, SFBC, and Geocaching again; this time Pixm did not display the yellow warning.
However, it still red-flagged Abe Books as a phishing site.
Next, I started in on a list I made of some sites from my password manager's list, sites that are well-known but perhaps not frequently phished.
For the first six items on the list (23andMe, AAA auto club, Amtrak, Best Buy, Booking.com, and Delta Airlines), Pixm displayed a yellow warning.
It went on to identify the Delta Airlines website as fraudulent.
I didn't feel the need to continue with my list of sites for testing.
My conclusion: this update didn't help at all with false positives.
Not Ready for Prime Time
The concept behind Pixm Anti-Phishing is engaging.
It looks at a page that might be fraudulent, looks at the corresponding verified page, and compares them to identify fakes.
We really wanted to see it succeed, even though it only protects against frauds targeting specific sites (admittedly very popular ones).
If it simply missed frauds against less-popular sites, you could use it to supplement your browser's protection.
However, the fact that it flagged many valid sites as suspect and marked more than one as fraudulent means we can't recommend that pairing.
Perhaps going forward the company will consider supplementing the computer vision approach with other proven methods.
We don't have an Editors' Choice for antiphishing, as there are hardly any tools devoted to that single purpose.
However, all four of our antivirus Editors' Choice products proved extremely effective in our phishing protection testing.
Webroot SecureAnywhere AntiVirus sussed out 97 percent of the frauds, Bitdefender Antivirus Plus caught 99 percent, and Kaspersky Anti-Virus and McAfee AntiVirus Plus both managed 100 percent detection.
If you have one of these installed, you don't need Pixm—not in its current state.