March 27, 2006 1:38 PM PST
Neighborhood watch for phishing launches
So, starting a few months ago, Eckelberry began taking some time out of his day to take action. He would analyze the phishing e-mail and contact the owner of the site hosting the scam, typically a hacked Web site on a server somewhere in the U.S.
"I was very surprised to find out that, pretty much in all cases, I was the only person reporting the site," said Eckelberry, who is president of Clearwater, Fla.-based anti-spyware toolmaker Sunbelt Software. "You would think a lot of stuff like this goes on, but it actually doesn't."
Eckelberry's frustration was shared by Paul Laudanski of CastleCops, an online security community. The two joined forces and this week, Sunbelt and CastleCops are officially launching a volunteer group, dubbed the Phishing Incident Reporting and Termination squad, or PIRT.
In the round-the-clock PIRT operation, the volunteer "handlers" around the world take in reports from consumers of suspected phishing Web sites and work to take the sites offline. On Friday, before its official launch, the group received 100 phishing reports, and 30 of those were shut down in a few hours, Laudanski said.
"We want to give the average consumer a way to jump in and help," Eckelberry said. "It is a personal passion because I know my mom is the kind of person who will click on this phishing link, no matter how many times I warn her."
Phishing is a prevalent type of online scam in which attackers attempt to steal sensitive data such as user names, passwords and credit card details. The attacks typically combine spam e-mail and fraudulent Web pages that look like legitimate sites. That spells easy money for criminals, who sell the data they steal or use it to buy goods for resale, for example.
There are already a couple of places people can report suspected Web sites. There are add-on toolbars or built-in features in Web browsers that let people click and submit a URL. If these check out, they're added to a blacklist used by the company that provides the toolbar. That means the phishing information can be scattered among different software providers.
Alternatively, scam e-mails can be submitted to the Anti-Phishing Working Group, which stores the information in a database used by makers of security software and others, but takes no further action. The APWG, an effort backed by security companies, financial services providers and others, includes Symantec, McAfee and Microsoft as sponsors.
Despite industry efforts, phishing is still on the rise, and experts predict that scams will become increasingly sophisticated. A record 9,715 phishing Web sites were spotted in January, according to an Anti-Phishing Working Group paper (PDF here). The PIRT group aims to get consumers more involved in the phishing fight and bring down malicious sites more quickly.
The PIRT handlers, who must all have an established security track record, will analyze phishing e-mails and contact the host of the Web site, usually an Internet service provider, as well as the company whose customers are being targeted, Eckelberry said.
Additionally, the volunteers will share phishing reports with security companies, the Anti-Phishing Working Group and other efforts that exist to fight the scams, he said.
"We do not want to discount any of those efforts," Eckelberry said. "This is an additional layer to pick up any reports that were not submitted. We are seeing a large number of cases where phishing attacks are not reported."
Phishing hasn't gone unnoticed by the security industry. Companies such as MarkMonitor and RSA Security's Cyota take down phishing Web sites, but only for those that hurt paying customers of their antifraud services.
Industry efforts have reduced the average time a phishing Web site is online--five days in January 2006, compared with 6.1 days in July 2004, according to Anti-Phishing Working Group data. Still, some phishing Web sites were online for at least a month in both periods, according to the group.
PIRT hopes to be able to take down phishing Web sites in a matter of hours after receiving the report, Eckelberry and Laudanski said.
3 commentsJoin the conversation! Add your comment