Phish This, You Scum
May 3, 2004
By Brian Livingston

Imagine you had a Web browser that said, when you typed in a new address, "The Internet site you're about to visit is known to steal credit-card numbers and use them in unauthorized ways."

Now imagine that you can actually use such an application today. It's already been developed and it's being distributed — free.

The company behind this is Earthlink, one of the largest Internet service providers in the United States. The effort, known as ScamBlocker, is still in its early days, and its database of sites to warn users about is in its infancy. But the idea of fingering scam artists before they can do much damage is fantastic, and there's a very interesting tale behind it.

Going Phishing Is Not a Relaxing Pastime

The origin of ScamBlocker lies in the explosive growth of an identity-theft crime known as "phishing." Con artists are currently sending out millions of e-mail messages that look identical to e-mails that might come from an online bank, e-tailer, or auction site. These messages usually warn the recipients that "your records need to be updated" or some such nonsense.

The victims are then instructed to click a link to "re-establish your account information." The Web site that the message links to looks completely legitimate, just like the original e-mail. But the site is a fraud. It's collecting credit-card numbers, usernames and passwords, and other information that the perpetrators of the scam will use or sell to other criminal elements.

How Companies Banded Together to Fight Phishing

Financial institutions and e-commerce sites have formed an organization to fight back: the Anti-Phishing Working Group. This coalition, led by Tumbleweed Communications, a software firm, first met in November 2003. It's taking up arms against a geometric growth in identity-theft attacks:

Phishing Is Big Business. The working group says there were 402 different phishing messages reported in April 2004. That's a sharp rise from 282 in February and only 176 in January.

Banking and E-Commerce Are Targets. According to APWG, eBay usernames and passwords were most sought-after by phishers, with 110 separate attacks reported in March 2004. Other popular targets that month were Citibank (98 attacks), PayPal (63), Fleet Bank (23) and Barclays (11).

An International Sport. The majority of attacks, APWG figures indicate, originate in Asian or Eastern European countries. This helps to explain the fractured English that's often found in the widely distributed messages. ("Your bank account has been temporaily closed cause of explicit fraud activity," reads one phishing message in APWG's archives.) But the e-mails, which usually bear exact copies of banking or e-commerce logos, are convincing enough that APWG says up to five percent of recipients obey the instructions.

The Birth of an Anti-Phishing Toolbar

The phishing messages that APWG collected were studied by Earthlink in the development of its anti-phishing utility, according to Dan Mayer, director of product marketing for Tumbleweed and a spokesman for the coalition. The result is a toolbar that users may download free. It automatically adds itself to the menu area of Internet Explorer and other Web browsers. The download is similar to an earlier toolbar developed by eBay that helps bidders track auctions and avoid known fraudulent sites.

I downloaded and tested ScamBlocker, which also includes an effective pop-up blocker and a limited search bar powered by Google. When I tried to visit fraudulent sites that are listed in the APWG's archive of reported phishing attacks, my browser was redirected to an Earthlink page that reads, "The Web address you requested is on our list of potentially dangerous and fraudulent Web sites." Additional helpful information, free from geek-speak jargon, was also provided.

The Future of Anti-Scam Efforts

The concept of getting a warning before you visit a fraudulent site — instead of after you get an outrageous credit-card bill — is one of the most promising improvements in the Web I've seen in a long time.

I can already envision other messages that browsers could display regarding certain Web logs: "Warning! The blog you are about to visit is known to publish large quantities of drivel."

For now, however, Earthlink needs to concentrate its efforts on strengthening its phishing-site database. "It's nontrivial to identify these things," says Mayer with obvious understatement. "What eBay and Earthlink are currently identifying is only the reported phishing attacks, not all detected attacks."

Mayer explains that Earthlink, a member of APWG, has signed a contract with Brightmail, a major spam-filtering service, to detect phishing attacks in real time. But that won't begin until May or June.

In the meantime, phishing has become such a menace that many companies are joining APWG just to get a handle on how such scams might affect their good names. The list of corporations on the group's steering committee is private — "The banks were concerned about being identified because they don't want to become the poster boys for phishing," Mayer says — but it includes the majority of the top 20 banks in the U.S. and most major ISPs, he assures me.

Conclusion

Basic individual membership in APWG is free (or $250 for the right to participate in working group meetings). Corporate membership begins at $2,500, with higher levels of involvement priced at $5,000 and $12,500. This seems to me to be a very cheap form of insurance that any company with an online clientele should seriously consider buying into. Information is available at Antiphishing.org.

A description of the ScamBuster program and a free 684 KB download of the browser toolbar are available from Earthlink.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
