Imagine you had a Web browser that said when you typed in a new
address, "The Internet site you're about to visit is known to steal
credit-card numbers and use them in unauthorized ways."
Now imagine that you can actually use such an application today. It's
already been developed and it's being distributed — free.
The company behind this is Earthlink, one of the largest Internet service
providers in the United States. The effort, known as ScamBlocker, is still in
its early days, and its database of sites to warn users about is in its
infancy. But the idea of fingering scam artists before they can do
much damage is fantastic, and there's a very interesting tale behind it.
Going Phishing Is Not a Relaxing Pastime
The origin of ScamBlocker lies in the explosive growth of an identify-theft
crime known as "phishing." Con artists are currently sending out millions of
e-mail messages that look identical to e-mails that might come from an online
bank, e-tailer, or auction site. These messages usually warn the recipients
that "your records need to be updated" or some such nonsense.
The victims are then instructed to click a link to "re-establish your
account information." The Web site that the message links to looks completely
legitimate, just like the original e-mail. But the site is a fraud. It's
collecting credit-card numbers, usernames and passwords, and other information
that the perpetrators of the scam will use or sell to other criminal elements.
How Companies Banded Together to Fight Phishing
Financial institutions and e-commerce sites have formed an organization to
fight back: the Anti-Phishing Working Group. This coalition, led by
Tumbleweed Communications, a software firm, first met in November
2003. It's taking up arms against a geometric growth in identity-theft attacks:
• Phishing Is Big Business.
The working group says there were 402 different phishing messages reported in
April 2004. That's a sharp rise from 282 in February and only 176 in January.
• Banking and E-Commerce Are Targets.
According to APWG, eBay usernames and passwords were most sought-after by
phishers, with 110 separate attacks reported in March 2004. Other popular
targets that month were Citibank (98 attacks), PayPal (63), Fleet Bank (23)
and Barclays (11).
• An International Sport.
The majority of attacks, APWG figures indicate, originate in Asian or
Eastern European countries. This helps to explain the fractured English
that's often found in the widely distributed messages. ("Your bank account
has been temporaily closed cause of explicit fraud activity," reads one
phishing message in APWG's archives.) But the e-mails,
which usually bear exact copies of banking or e-commerce logos, are convincing
enough that APWG says up to five percent of recipients obey the instructions.
The Birth of an Anti-Phishing Toolbar
The collection of phishing messages that APWG collected was studied by
Earthlink in the development of its anti-phishing utility, according to
Dan Mayer, director of product marketing for Tumbleweed and a spokesman for
the coalition. The result is a toolbar that users may download free. It
automatically adds itself to the menu area of Internet Explorer and other
Web browsers. The download is similar to an earlier toolbar developed by
eBay that helps bidders track auctions and avoid known fraudulent sites.
I downloaded and tested ScamBlocker, which also includes an effective pop-up
blocker and a limited search bar powered by Google. When I
tried to visit fraudulent sites that are listed in the APWG's archive of
reported phishing attacks, my browser was redirected to an Earthlink page that
reads, "The Web address you requested is on our list of potentially
dangerous and fraudulent Web sites." Additional helpful information, free from
geek-speak jargon, was also provided.
The Future of Anti-Scam Efforts
The concept of getting a warning before you visit a fraudulent site
— instead of after you get an outrageous credit-card bill —
is one of the most promising improvements in the Web I've seen in a long
time.
I can already envision other messages that browsers could display
regarding certain Web logs: "Warning! The blog you are about to
visit is known to publish large quantities of drivel."
For now, however, Earthlink needs to concentrate its efforts on strengthening
its phishing-site database. "It's nontrivial to identify these things," says
Mayer with obvious understatement. "What eBay and Earthlink are currently
identifying is only the reported phishing attacks, not all
detected attacks."
Mayer explains that Earthlink, a member of APWG,
has signed a contract with Brightmail, a major spam-filtering service, to
detect phishing attacks in real time. But that won't begin until May or June.
In the meantime, phishing has become such a menace that many companies are
joining APWG just to get a handle on how such scams might affect their good
names. The list of corporations on the group's steering committee is private
— "The banks were concerned about being identified because they don't want to become
the poster boys for phishing," Mayer says — but it includes the majority
of the top 20 banks in the U.S. and most major ISPs, he assures me.
Conclusion
Basic individual membership in APWG is free (or $250 for the right to
participate in working group meetings). Corporate membership begins at $2,500,
with higher levels of involvement priced at $5,000 and $12,500. This seems to
me to be a very cheap form of insurance that any company with an online
clientele should seriously consider buying into. Information is available at
Antiphishing.org.
A description of the ScamBuster program and a free 684 KB download of the
browser toolbar is available from
Earthlink.