Microsoft enlists security partner in IE update

New version of Internet Explorer, released for testing this week, taps WholeSecurity for antiphishing feature.

Alorie Gilbert Staff Writer, CNET News.com
Alorie Gilbert
writes about software, spy chips and the high-tech workplace.
Alorie Gilbert
4 min read
Microsoft has enlisted some outside help for one of the most anticipated new features of its updated Web browser: the ability to alert people that they may be about to enter a fraudulent Web site.

The company has tapped WholeSecurity, a maker of computer security programs in Austin, Texas, to help Internet Explorer 7, the next version of its browser, identify Web sites designed to trick people into disclosing personal data to identity thieves, the companies said. These "phishing" sites mimic legitimate sites, such as eBay and Citibank, and have contributed to a national identity-theft epidemic.

Microsoft released a beta version of the new browser, also known as IE7, this week to a select group of testers. The company plans to release a second beta version for the general public to test before shipping the final version.

WholeSecurity, which is privately held, is helping Microsoft assemble and maintain a list of verified phishing sites, also known as a blacklist. When people try to visit a Web site on the list, IE7 automatically warns them via a dialog box that the site is fraudulent and suggests they "not continue to this Web site." At that point, people can close the Web page, or continue on if they choose.

WholeSecurity, via a project called the Phish Report Network, has thousands of Web sites in its blacklist and adds more all the time from the hundreds of new sites that contributors flag daily, said John Ball, senior product manager at WholeSecurity. Microsoft helped the company launch the Phish Report Network in February, along with Visa, eBay and eBay's PayPal unit, which all help to build and maintain the list.

Microsoft isn't the first company to build antiphishing features into a Web browser, nor is it the first to tap an outside security company for help with the task. America Online's Netscape unit introduced a new version of the Netscape browser in May with a similar feature. The company has compiled its own blacklist with the input of parent AOL, nonprofit privacy group Truste, VeriSign and security software company Paretologic.

A U.K.-based browser company called Deepnet Technologies claims to have been the first to incorporate antiphishing mechanisms into a browser when it released Deepnet Explorer in December.

But with close to 90 percent market share in the United States, Microsoft is certainly the biggest browser company to attack phishing. Yet, the company doesn't expect its latest efforts to bring an end to these scams.

"Does having a police force wipe out crime?" said Gary Schare, Microsoft's director of IE product management. "The purpose is to contain it. It's a tall order to say this will wipe out phishing."

Other browser companies applauded Microsoft's antiphishing moves and agreed that it's a hard problem to tackle. The Mozilla Foundation has decided not to incorporate antiphishing technology into its increasingly popular Firefox browser, opting instead to focus on the e-mail side of the problem. An upcoming version of Mozilla's Thunderbird e-mail program is designed to alert users to messages containing links to phishing sites, said Chris Hofmann, director of engineering at the Mozilla Foundation. E-mail is the way most phishers lure people to their sites.

Microsoft is doing something similar with its Hotmail service. If a suspicious e-mail arrives, the test version of Hotmail does not display the e-mail but rather warns users that the e-mail appears to be potentially fraudulent and asks if they want to block or allow e-mails from the sender of the message.

The Thunderbird program will rely on a tool that automatically analyzes the attributes of links, rather than on a blacklist, Hofmann added. "The large volume of content, and the dynamic nature of the Web, make managing a list of potential phishing sites an incredibly hard job," he said.

That challenge is one reason Microsoft has signed up with WholeSecurity to manage the blacklist for IE7, Schare said. It will also encourage browser customers to report suspicious sites directly to Microsoft via a button in the new browser. The company has the ability to update the list every 20 minutes, he added. That's critical, because phishing attacks often come and go within a matter of hours.

Microsoft is assembling a "whitelist" of legitimate sites, too, that the browser won't bother sniffing out on a regular basis, which should save on network cycles.

But phishers are already learning how to work around some of the simpler methods being used to thwart them, said Deepnet Chief Executive Yurong Lin. For instance, more phishers are registering domain names for their sites rather than using numeric Web addresses, he said. Lin believes it's a response to the fact that Deepnet's browser has been warning people that sites lacking domain names are suspicious.

"The phishers will find some other way," Lin said. "It's like antispam. There are antispam programs, and spam still exists. We have anti-spyware, and spyware still exists."

CNET News.com's Ina Fried contributed to this report.