
Page 2 of 2
.com, Leslie Walker
Internet Snagged In the Hooks Of 'Phishers'



"Every time a new phishing attack is launched in EarthLink's name, we get about 40,000 phone calls from our users," said Scott Mecredy, a senior manager at EarthLink Corp.

In April, EarthLink released a special "ScamBlocker" software program that anyone can use to prevent their Web browser from accessing known phisher Web sites. More than 400,000 people are using it so far, Mecredy said.

This week, Internet address-book keeper VeriSign Inc. reported that phishing attacks are increasingly sophisticated.

VeriSign analyzed 490 bogus e-mails and found most did not contain the misspellings often seen in first-generation phishing. Also, 93 percent contained spoofed -- or faked -- return addresses to make them look as though they came from a trusted company. VeriSign found that 37 percent lured people to sites hosted outside the United States, making prosecution difficult.

Today, even cyber-savvy folks can get stung because the bogus e-mails and Web sites look so official, down to perfect replicas of, say, eBay's logo and the real Bank of America Web site.

"We are seeing a pattern of much higher-quality phishing sites," said Jim Maloney, chief security officer for Corillian Corp., which runs legitimate Web sites for a dozen financial institutions.

Corillian recently developed software that has detected phishing attacks as early as eight days before they occurred, Maloney said, by analyzing activity at corporate Web sites. Detection is possible because phishers spend a lot of time analyzing any site they aim to replicate, he added. Many also link to those real sites from within their bogus e-mails to get high-quality images of corporate logos.

Increasingly, scammers know how to make it look like you are visiting a well-known Web site, often using code that floats a second window on top of the first. They typically host their fake Web sites at other sites which they hack into illegally. The bogus site might appear to say "" in the address bar of your Web browser, even though you are actually visiting another hidden address.

Equally scary, scammers use scripting to make it look like you're in a secure connection by adding an "s" to the address line, as in https:/ And Jones said phishers can also replicate the small padlock at the bottom of your browser window, which is meant to indicate when you are communicating in a secure session.

The top target of phishers in April and May was Citibank, according to the Anti-Phishing Working Group, an industry association. No wonder the financial giant debuted those jarring TV commercials about identity theft last fall, showing burly men yakking in high-pitched voices and petite women growling like truck drivers.

Ebay is another frequent target, which is why in February it started offering users free anti-phishing software. The software installs a toolbar in your Web browser that flashes green when you are communicating with the real eBay.

Of course, it would be impractical to install a different toolbar to authenticate each of your favorite Web sites. What we need are universal tools to verify the authenticity of all e-mail we receive and all Web sites we visit.

While various private and public Internet groups have developed competing authentication standards for e-mail, slowing down implementation, there appears to have been recent progress in getting them to work together. One system known as "sender ID" is favored by Microsoft Corp. and involves identifying the IP address from which e-mail is sent. Separately, Yahoo has proposed a way to verify e-mail known as "domain keys" that involves cryptography.

But there is still no Web-wide tool to help us know we are visiting a legitimate Web site. Gartner analyst Avivah Litan thinks it's partly because no one has figured out how to make money with such an authentication service. And without one, Litan worries that e-commerce could be headed for trouble.

Already, she said, anxiety over Internet security appears to be taking a toll on online commerce, which is growing but not as fast as it likely would if online scams weren't so prevalent.

"I think we will see the slowdown accelerate," she predicted. "And if the problems aren't fixed, people will use the Internet for surfing, but they won't transact online."

Leslie Walker's e-mail address is


© 2004 The Washington Post Company
