Phish This, You Scum

Imagine you had a Web browser that said when you typed in a new address, "The Internet site you're about to visit is known to steal credit-card numbers and use them in unauthorized ways."

Now imagine that you can actually use such an application today. It's already been developed and it's being distributed — free.

The company behind this is Earthlink, one of the largest Internet service providers in the United States. The effort, known as ScamBlocker, is still in its early days, and its database of sites to warn users about is in its infancy. But the idea of fingering scam artists before they can do much damage is fantastic, and there's a very interesting tale behind it.

Going Phishing Is Not a Relaxing Pastime

The origin of ScamBlocker lies in the explosive growth of an identity-theft crime known as "phishing." Con artists are currently sending out millions of e-mail messages that look identical to e-mails that might come from an online bank, e-tailer, or auction site. These messages usually warn the recipients that "your records need to be updated" or some such nonsense.

The victims are then instructed to click a link to "re-establish your account information." The Web site that the message links to looks completely legitimate, just like the original e-mail. But the site is a fraud. It's collecting credit-card numbers, usernames and passwords, and other information that the perpetrators of the scam will use or sell to other criminal elements.

How Companies Banded Together to Fight Phishing

Financial institutions and e-commerce sites have formed an organization to fight back: the Anti-Phishing Working Group. This coalition, led by Tumbleweed Communications, a software firm, first met in November 2003. It's taking up arms against a geometric growth in identity-theft attacks:

Phishing Is Big Business. The working group says there were 402 different phishing messages reported in April 2004. That's a sharp rise from 282 in February and only 176 in January.

Banking and E-Commerce Are Targets. According to APWG, eBay usernames and passwords were most sought-after by phishers, with 110 separate attacks reported in March 2004. Other popular targets that month were Citibank (98 attacks), PayPal (63), Fleet Bank (23) and Barclays (11).

An International Sport. The majority of attacks, APWG figures indicate, originate in Asian or Eastern European countries. This helps to explain the fractured English that's often found in the widely distributed messages. ("Your bank account has been temporaily closed cause of explicit fraud activity," reads one phishing message in APWG's archives.) But the e-mails, which usually bear exact copies of banking or e-commerce logos, are convincing enough that APWG says up to five percent of recipients obey the instructions.

The Birth of an Anti-Phishing Toolbar

Earthlink studied the phishing messages that APWG collected while developing its anti-phishing utility, according to Dan Mayer, director of product marketing for Tumbleweed and a spokesman for the coalition. The result is a toolbar that users may download free. It automatically adds itself to the menu area of Internet Explorer and other Web browsers. The download is similar to an earlier toolbar developed by eBay that helps bidders track auctions and avoid known fraudulent sites.

I downloaded and tested ScamBlocker, which also includes an effective pop-up blocker and a limited search bar powered by Google. When I tried to visit fraudulent sites that are listed in the APWG's archive of reported phishing attacks, my browser was redirected to an Earthlink page that reads, "The Web address you requested is on our list of potentially dangerous and fraudulent Web sites." Additional helpful information, free from geek-speak jargon, was also provided.

The Future of Anti-Scam Efforts

The concept of getting a warning before you visit a fraudulent site — instead of after you get an outrageous credit-card bill — is one of the most promising improvements in the Web I've seen in a long time.

I can already envision other messages that browsers could display regarding certain Web logs: "Warning! The blog you are about to visit is known to publish large quantities of drivel."

For now, however, Earthlink needs to concentrate its efforts on strengthening its phishing-site database. "It's nontrivial to identify these things," says Mayer with obvious understatement. "What eBay and Earthlink are currently identifying is only the reported phishing attacks, not all detected attacks."

Mayer explains that Earthlink, a member of APWG, has signed a contract with Brightmail, a major spam-filtering service, to detect phishing attacks in real time. But that won't begin until May or June.

In the meantime, phishing has become such a menace that many companies are joining APWG just to get a handle on how such scams might affect their good names. The list of corporations on the group's steering committee is private — "The banks were concerned about being identified because they don't want to become the poster boys for phishing," Mayer says — but it includes the majority of the top 20 banks in the U.S. and most major ISPs, he assures me.

Conclusion

Basic individual membership in APWG is free (or $250 for the right to participate in working group meetings). Corporate membership begins at $2,500, with higher levels of involvement priced at $5,000 and $12,500. This seems to me to be a very cheap form of insurance that any company with an online clientele should seriously consider buying into. Information is available at Antiphishing.org.

A description of the ScamBlocker program and a free 684 KB download of the browser toolbar are available from Earthlink.





