
Group pools data to trap phishers

The Anti-Phishing Working Group is building a central clearinghouse of info on online fraud scams to improve defenses and nab crooks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
SAN JOSE, Calif.--The Anti-Phishing Working Group is coordinating efforts to build a central repository for phishing data, to better protect Internet users and help catch cybercriminals.

The group has expanded its simple list of phishing scams into a database that can be used for analyses and to share information with members, said Patrick Cain, a research fellow at the group. Additionally, a standard XML (Extensible Markup Language) form has been created to facilitate the submission of data on attacks to the organization, he said.

"We're hoping to become a clearinghouse" for phishing data, Cain said in an interview Wednesday at Inbox, a conference on e-mail being held here.

The data could be used in products to protect Internet users and for analyses of attacks, which in turn could help law enforcement track down phishers, Cain said. The group's list already includes data on about 75,000 phishing e-mails, he said.

The Anti-Phishing Working Group was established last year to combat fraud and identity theft resulting from phishing and related attacks. The group's members include banks, Internet service providers, law enforcement agencies and technology vendors.

The online industry has been struggling to fight phishing, a prevalent type of online fraud that attempts to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites. Related attacks include pharming and e-mail spoofing.

As phishing scams become more complex and harder to track, a single repository with information collected from different sources will help safeguard Internet users, said Joel Smith, chief technology officer at Appriver, a Gulf Breeze, Fla.-based spam-filtering company.

The new database will be accessible only to Anti-Phishing Working Group members. Also, those who submit data can opt not to disclose certain information, Cain said. In some cases, companies that fall victim to phishing attempts don't want that to become public, because it could blemish their reputation, he said.

Security companies and Internet businesses typically collect their own phishing data. There are also group efforts, including the Phish Report Network, announced in February and backed by Microsoft, eBay, PayPal and Visa.

However, the Anti-Phishing Working Group believes its broad membership means that its efforts are valuable because they're not linked to a specific security company, Cain said.

Appriver's Smith agreed. "The repository needs to be vendor neutral, and I think companies should embrace it and share their data," he said.

EarthLink is interested in using the Anti-Phishing Working Group's data for its EarthLink Toolbar, said Kate Trower, a product manager at the Internet service provider. The EarthLink Toolbar is a Web browser plug-in that promises to combat phishing by blocking Web sites known to be malicious and scanning other sites for signs of fraud schemes.

Currently, EarthLink uses data from multiple providers to compile its list of malicious sites, Trower said. "I would rather have a centralized repository, but we're not there yet, so I will take as much data as I can get," she said. EarthLink is also looking into joining the Phish Report Network, she said.

Several other products also use blacklists to protect against phishing attempts. These include the latest Netscape and Deepnet Explorer browsers, and browser plug-ins provided by eBay and Netcraft.

Microsoft, one of the key backers of the Phish Report Network, does not see the Anti-Phishing Working Group as competition. "There are multiple needs of providing real-time data," said Craig Spiezle, a director in Microsoft's technology care and safety group. "We have offered to provide data to the Anti-Phishing Working Group."