Tech Heavyweights Agree to Share 'Phishing' Data

Experts Question Whether Subscription Service Will Be Effective in Combating Online Scams

By Brian Krebs
washingtonpost.com Staff Writer
Monday, February 14, 2005; 5:38 PM

Microsoft Corp., eBay Inc. and Visa USA said Monday they will begin working with a private company in Texas to identify and track "phishing" attacks, online scams that lure people into giving up personal and financial information at counterfeit bank and retail Web sites.

The three companies, along with eBay's online payment subsidiary PayPal, said they will capture data on phishing e-mails and Web sites and submit it to a network operated by Austin, Tex.-based WholeSecurity. Any organization currently targeted by phishing schemes can register to feed fraud data into the system, but only paying customers will be allowed to draw alerts from it.

The e-commerce heavyweights that have agreed to provide data to WholeSecurity are among the top targets of phishing schemes, which increased more than 8,000 percent in the past year, according to the Anti-Phishing Working Group, a coalition of banks and technology companies. The group identified 9,019 phishing scams in December 2004, up from 107 in December 2003.

J.T. Keating, WholeSecurity's vice president of marketing, said the company plans to market a phishing alert service to Internet service providers and security companies, particularly those that produce anti-phishing "toolbars" -- software that works with a Web browser to prevent users from visiting known phishing sites. The company helped to build the "account guard" portion of eBay's toolbar, which bars users from visiting fake eBay and PayPal sites.

Microsoft will be the network's first big customer. Microsoft spokeswoman Sam McManus said the company hopes to use the information to weed out phishing attacks targeting users of its Hotmail and MSN e-mail services. Microsoft may eventually integrate the technology into its Internet Explorer Web browser if enough companies sign up to provide fraud data to the network, McManus said.

But some information security experts said the service represents little more than a bid to cash in on the types of informal information sharing relationships that already exist between ISPs, banks and e-commerce companies.

Ken Mirell, a systems manager at Reliable Hosting, a Web hosting and e-mail provider based in San Francisco, said he suspects Microsoft and eBay likely would benefit more from the service than his company.

"I don't see anyone other than [the largest] ISPs paying for it," Mirell said of the service, which WholeSecurity said will cost $15,000 a year. "It seems like everyone is trying to sell us something these days to react to these scams, but they don't stop them from being launched in the first place."

Dave Jevans, chair of the Anti-Phishing Working Group, called the service a "good, early step," but said WholeSecurity needs to think through how it will integrate the data into the technologies and markets it is targeting.

"I think there is still a long way to go on this, because if it just stands on its own it's not going to be super-helpful," he said.

Jerry Grasso, spokesman for the Atlanta-based ISP Earthlink, welcomed the new service, but declined to say whether his company would consider using it.

"Certainly, our view is anything that helps thwart these phishing scams is a good thing," he said.

Howard Schmidt, chief security officer at eBay and a former top-ranking cyber-security official in the Bush administration, said the new service is useful because much of the information sharing and fraud alert efforts between ISPs, banks and e-commerce companies is redundant and inefficient.

"Lots of companies have been taking their own individual steps to deal with this problem, but this program allows companies to identify the sites and e-mails once and block them everywhere," Schmidt said.

© 2005 TechNews.com