March 27, 2006 1:38 PM PST

Neighborhood watch for phishing launches

Whenever phishing e-mail came in, security professional Alex Eckelberry would check it out and often find that the fraudulent Web sites advertised in the spam were still online, waiting for victims.

So, starting a few months ago, Eckelberry began taking some time out of his day to take action. He would analyze the phishing e-mail and contact the owner of the site hosting the scam, typically a hacked Web site on a server somewhere in the U.S.

"I was very surprised to find out that, pretty much in all cases, I was the only person reporting the site," said Eckelberry, who is president of Clearwater, Fla.-based anti-spyware toolmaker Sunbelt Software. "You would think a lot of stuff like this goes on, but it actually doesn't."

Eckelberry's frustration was shared by Paul Laudanski of CastleCops, an online security community. The two joined forces and this week, Sunbelt and CastleCops are officially launching a volunteer group, dubbed the Phishing Incident Reporting and Termination squad, or PIRT.

In the round-the-clock PIRT operation, the volunteer "handlers" around the world take in reports from consumers of suspected phishing Web sites and work to take the sites offline. On Friday, before its official launch, the group received 100 phishing reports, and 30 of those were shut down in a few hours, Laudanski said.

"We want to give the average consumer a way to jump in and help," Eckelberry said. "It is a personal passion because I know my mom is the kind of person who will click on this phishing link, no matter how many times I warn her."

Phishing outline
Phishing is a prevalent type of online scam in which attackers attempt to steal sensitive data such as user names, passwords and credit card details. The attacks typically combine spam e-mail and fraudulent Web pages that look like legitimate sites. That spells easy money for criminals, who sell the data they steal or use it to buy goods for resale, for example.

There are already a couple of places people can report suspected Web sites. There are add-on toolbars or built-in features in Web browsers that let people click and submit a URL. If these check out, they're added to a blacklist used by the company that provides the toolbar. That means the phishing information can be scattered among different software providers.

Alternatively, scam e-mails can be submitted to the Anti-Phishing Working Group, which stores the information in a database used by makers of security software and others, but takes no further action. The APWG, an effort backed by security companies, financial services providers and others, includes Symantec, McAfee and Microsoft as sponsors.

Despite industry efforts, phishing is still on the rise, and experts predict that scams will become increasingly sophisticated. A record 9,715 phishing Web sites were spotted in January, according to an Anti-Phishing Working Group paper. The PIRT group aims to get consumers more involved in the phishing fight and bring down malicious sites more quickly.

The PIRT handlers, who must all have an established security track record, will analyze phishing e-mails and contact the host of the Web site, usually an Internet service provider, as well as the company whose customers are being targeted, Eckelberry said.

Additionally, the volunteers will share phishing reports with security companies, the Anti-Phishing Working Group and other efforts that exist to fight the scams, he said.

"We do not want to discount any of those efforts," Eckelberry said. "This is an additional layer to pick up any reports that were not submitted. We are seeing a large number of cases where phishing attacks are not reported."

Fighting fraud
Phishing hasn't gone unnoticed by the security industry. Companies such as MarkMonitor and RSA Security's Cyota take down phishing Web sites, but only for those that hurt paying customers of their antifraud services.

Industry efforts have reduced the average time a phishing Web site is online--five days in January 2006, compared with 6.1 days in July 2004, according to Anti-Phishing Working Group data. Still, some phishing Web sites were online for at least a month in both periods, according to the group.

PIRT hopes to be able to take down phishing Web sites in a matter of hours after receiving the report, Eckelberry and Laudanski said.



Join the conversation!
The neighbors are deadbeats
Since the very beginning of the phishing phenomenon I've been reporting the fake pages to every real company I could find which was being spoofed. To their credit, eBay and PayPal and Earthlink all made provisions for receiving such information from strangers and processing it. Ominously, the parties least interested in or equipped to handle reports were banks and credit card companies. A couple of the banks had the nerve to reply to me that I should be reporting spoof attacks on them to the FTC directly--as though they had no responsibility or interest in lifting a finger to protect their customers or their reputation! I would suggest reporting all spoof attacks to the business involved and if they ignore you or take no action, send nasty email directly to their CEO. They need to know that spoofs using their name damage their customers and shareholders and they have a fiduciary obligation to take positive action to stop them.
Posted by Razzl (1318 comments )
Spamcop works for us
After we inadvertently hosted a phishing server (hacked machine spoofing 3 laptop addresses), I was quite impressed by the reports from SpamCop, which parsed the site URL out of the spam message and automatically contacted the site abuse contact.

(The site received about 2000 hits and harvested about 80 credit card numbers, a quarter of them bogus. We got about 40 SpamCop reports plus maybe a dozen personal ones.)
Posted by adaviel (2 comments )
Who is checking that the whistle blower is clean
A year ago on the Internet, I read an FBI report on how cyber scammers turned on each other to prove they were good guys as in fact they were merely two doors to the same house of abuse.

Let's say I was about to use an ATM machine and someone said the one over there has been compromised, showing me he reported it. I might at first say thanks and then ask him which ones are OK. Ahh, there's the trick online.

Crooks can spoof the site of a government agency and create a false sense of trust.

How do I know you are just a good citizen and not someone trying to trick me into trusting you? Yes, people should participate, but on a reportage level to official or industry reporting authorities, but there has to be cross checking since vigilantes are often crooks in disguise.

Or worse, there is a safe door and they advertise by false reportage that the safe door is unsafe keeping people vulnerable to their attacks.

Basically, the day of the Minuteman who heard a horn or a call and ran to the common defense is over. However, the history like in Switzerland where every house is armed is a better metaphor.

If people have a technology or a solution that relies upon their compliance and keeping their PINs and code secrets, then that would be perfect, wouldn't it? Anyway, that's what I think. Ciao now. Janet.
Posted by Iohagh (54 comments )
