Catching 'phishers' a WholeSecurity sport

Tool that identifies sites pretending to be connected to banks, eBay and more could help leave "phishing" scammers dead in the water.

Alorie Gilbert
Alorie Gilbert Staff Writer, CNET News.com

Alorie Gilbert
writes about software, spy chips and the high-tech workplace.

2 min read
WholeSecurity, an Internet security firm in Austin, Texas, has released a program to help companies combat a growing form of online fraud known as "phishing," the company said Monday.

Phishing starts with a forged e-mail apparently from a legitimate company, such as eBay or Citibank, telling the recipient that his or her account information has expired--or something of the sort. The recipient is instructed to click on a link that leads to a fake Web site. The site asks for confidential data such as credit card numbers.

WholeSecurity is among a number of companies developing technology to alert consumers to phishing fraud. Its program, called Web Caller-ID, is already in use at eBay. The online auctioneer has incorporated the technology into its Internet toolbar with a feature called Account Guard. It detects fraud sites purporting to be connected to eBay and its PayPal subsidiary with 98 percent accuracy, according to WholeSecurity. The tool notifies users if they enter such a site.

Hundreds of thousands of eBay members have downloaded the free program since the company launched it in February, an eBay representative said.

Now WholeSecurity is trying to license the software to other companies doing business online, allowing them to incorporate it into their toolbars or distribute to their customers as a Web browser plug-in. Banks and other financial institutions are one of WholeSecurity's target markets for the product, said Scott Olson, WholeSecurity's senior vice president of marketing.

The program analyzes Web addresses for clues that might lead to fraudulent sites. For instance, if the URL is long and convoluted, or if it consists of a long string of numbers separated by periods--an IP address--there's a good chance it's a false site, Olson said. The program also checks whether the domain name was registered recently or its operator is using a free Web hosting service--all tell-tale signs of phishing activity, Olson said.

Other companies that offer antiphishing products include EarthLink, Webroot Software and PostX. Microsoft and Yahoo are also working on such programs.

Millions of people have fallen prey to phishing fraud, and the number of spoof e-mails and Web sites in circulation has grown exponentially over the last 12 months, according to numerous experts.