To make it easier to identify and shut down new scam websites, Microsoft, eBay and Visa are launching an information-sharing program about online identity theft scams known as "phishing attacks".
The companies used the RSA Conference in San Francisco to unveil the Phish Report Network, an antiphishing service that aggregates reports of phishing attacks and issues alerts about new phishing websites to subscribers. The service is being sponsored by end-point security company WholeSecurity.
Phishing scams are online crimes that use spam to direct internet users to websites designed to look like legitimate e-commerce sites, but which are controlled by thieves. Users are asked to provide sensitive information, such as passwords, bank account information or credit card numbers, often under the guise of updating an account.
Reports of online identity theft scams have been growing steadily for more than a year. In December, more than 1,700 active phishing websites were reported, a 10% jump from the previous month, according to data released by the Anti-Phishing Working Group (APWG).
More than 9,000 unique e-mail messages linked to phishing scams were identified by APWG in December, an increase of 6% from the month before and a 38% increase over the number reported in July.
The scams are notoriously hard to shut down because those behind them often use compromised computers scattered around the globe to host phishing websites and to distribute the spam messages advertising the sites. The average duration of a phishing website was almost six days in December, with some sites operating for as long as 30 days before being shut down, APWG reported.
The Phish Report Network is a voluntary, subscription-based service that will help co-ordinate responses to phishing scams between the companies targeted by phishers, such as eBay, and organisations that can help shut down the scams, such as ISPs and antispam technology companies, says the group's website, www.phishreport.net.
Visa, eBay and PayPal - eBay's online payment division - will report new phishing scams to the Phish Report Network. Those reports will be stored in a central database of phishing attacks maintained by WholeSecurity, where the information will be sorted into aggregated “safe lists” and “block lists” of known phishing sites. ISPs and other companies will then use those lists to update filters, black lists and other systems used to block traffic to and from the phishing sites, says WholeSecurity.
The network is just the latest industry effort to thwart the identity theft scams, which some fear are undermining public confidence in online commerce.
In June 2004, a consortium of companies from across different industries called the Trusted Electronic Communications Forum (TECF) said it was going to tackle the problem of online identity fraud.
That group has representatives from leading retail, telecommunications, financial services and technology companies, including Charles Schwab & Co, Fidelity Investments, IBM and Siebel Systems. The TECF will look at both long-term and short-term approaches to combating phishing, including new technology and technology standards, best practices and taking legal action against suspected identity thieves.
The Phish Report Network is up and running now and companies can sign up by visiting its website.