Neighborhood watch for phishing launches

(continued from previous page)

But not everyone believes the group will be successful. Marc Wagner, a technology specialist at Indiana University, Bloomington and a ZDNet contributor, was skeptical that a volunteer effort could fix the problem, which he described as one of the greatest threats to personal security on the Internet.

"While the intent is noble, it is naive to believe that 100 volunteers could deal with the sheer volume of phishing scams."

--Marc Wagner, technology specialist, Indiana University

"While the intent is noble, it is naive to believe that 100 volunteers could deal with the sheer volume of phishing scams," he said. Wagner said several scam e-mails land in his in-box everyday, and another two dozen or so are blocked by the university's spam filers.

The PIRT team is taking on the most difficult part of the phishing fight in trying to persuade the Web host to take suspicious sites offline, said Peter Cassidy, the secretary general of the Anti-Phishing Working Group. "Getting the message for action to the party that had its technology co-opted (to host the phishing Web site) has always been the challenge," he said.

Cyota employs about 40 people whose full-time job is to try to take down phishing sites that target customers of its own customers--companies such as E*Trade Financial, Washington Mutual and ING Direct. The service costs those companies several thousand dollars a month, said Amir Orad, vice president of marketing at the RSA Security subsidiary.

It's a tough job because the sites can be located anywhere in the world. This means language and legal barriers as well as multiple time zones to deal with, Orad said.

Still, the Cyota executive believes the volunteers can be a part of the phishing solution. "I think it will be relevant to some people and fill some gaps in this space," he said. "It will have some impact, but I don't think they can get to the same level and skills of a commercial entity."

However, the volunteer effort could help organizations that can't afford antifraud services such as those offered by Cyota, Orad said. Smaller banks, which are now being targeted more by fraudsters, are likely users.

Eckelberry and Laudanski acknowledge that removing phishing sites isn't easy. They expect to be able to shut down between 40 percent and 50 percent of those reported to the team of handlers. PIRT is looking especially for handlers who have experience in dealing with Asian Internet service providers, they said.

Johannes Ullrich, chief research officer at the SANS Institute, believes the community initiative makes sense. Ullrich has experience with similar efforts, particularly the SANS Internet Storm Center, where about 40 volunteers monitor Internet threats.

"It makes sense for volunteers to do it, because there is basically no money to be made with this," he said.

The PIRT group faces an uphill battle, Cassidy said, noting that the Anti-Phishing Working Group receives tens of thousands phishing reports a week. "Phishing can be a black hole. The biggest threat these guys will have is burnout."

[Razzl]

The neighbors are deadbeats

Since the very beginning of the phishing phenomenon I've been reporting the fake pages to every real company I could find which was being spoofed. To their credit, eBay and Paypal and Earthlink all made provisions for receiving such information from strangers and processing it. Ominously, the parties least interested in or equipped to handle reports were banks and credit card companies. A couple of the banks had the nerve to reply to me that I should be reporting spoof attacks on them to the FTC directly--as though they had no responsibility or interest in lifting a finger to protect their customers or their reputation! I would suggest reporting all spoof attacks to the business involved and if they ignore you or take no action, send nasty email directly to their ceo. They need to know that spoofs using their name damage their customers and shareholders and they have a fiduciary obligation to take positive action to stop them.

[adaviel]

Spamcop works for us

After we inadvertently hosted a phishing server (hacked machine spoofing 3 laptop addresses)
I was quite impressed by the reports from
SpamCop, which parsed the site URL out of the
spam message and automatically contacted
the site abuse contact

(the site received about 2000 hits and harvested
about 80 credit card numbers, a quarter of them bogus. We got about 40 SpamCop reports plus
mabye a dozen personal ones)

[Iohagh]

Who is checking that the whistle blower is clean

A year ago on the Internet, I read an FBI report on how cyber scammers turned on each other to prove they were good guys as in fact they were merely two doors to the same house of abuse.

Lets say I was about to use an ATM machine and someone said the one over there has been compromised showing me he reported it. I might at first say thanks and then ask him which ones are OK. Ahh there's the trick online.

Crooks can spoof the site of a government agency and create a false sense of trust.

How do I know you are just a good citizen and not someone trying to trick me into trusting you. Yes people should participate but on a reportage level to official or industry reporting authorities but there has to be cross checking since vigilantes are often crooks in disguise.

Or worse, there is a safe door and they advertise by false reportage that the safe door is unsafe keeping people vulnerable to their attacks.

Basically, the day of the Minuteman who heard a horn or a call and ran to the common defense is over. However, the history like in Switzerland where every house is armed is a better metaphor.

If people have a technology or a solution that relies upon their compliance and keeping their PINs and code secrets then that would be perfect wouldn't it. Anyway thats what I think. Ciao now. Janet.

[alek_nedic]

go neighborhood!

http://www.analogstereo.com/vacuum/miele_parquetry.htm