Neighborhood watch for phishing launches

A search is on for volunteers to handle reports of suspected online scams and to help take down fraudulent Web sites.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Whenever phishing e-mail came in, security professional Alex Eckelberry would check it out and often find that the fraudulent Web sites advertised in the spam were still online, waiting for victims.

So, starting a few months ago, Eckelberry began taking some time out of his day to take action. He would analyze the phishing e-mail and contact the owner of the site hosting the scam, typically a hacked Web site on a server somewhere in the U.S.

"I was very surprised to find out that, pretty much in all cases, I was the only person reporting the site," said Eckelberry, who is president of Clearwater, Fla.-based anti-spyware toolmaker Sunbelt Software. "You would think a lot of stuff like this goes on, but it actually doesn't."

Eckelberry's frustration was shared by Paul Laudanski of CastleCops, an online security community. The two joined forces and this week, Sunbelt and CastleCops are officially launching a volunteer group, dubbed the Phishing Incident Reporting and Termination squad, or PIRT.

In the round-the-clock PIRT operation, the volunteer "handlers" around the world take in reports from consumers of suspected phishing Web sites and work to take the sites offline. On Friday, before its official launch, the group received 100 phishing reports, and 30 of those were shut down in a few hours, Laudanski said.

"We want to give the average consumer a way to jump in and help," Eckelberry said. "It is a personal passion because I know my mom is the kind of person who will click on this phishing link, no matter how many times I warn her."

Phishing outline
Phishing is a prevalent type of online scam in which attackers attempt to steal sensitive data such as user names, passwords and credit card details. The attacks typically combine spam e-mail and fraudulent Web pages that look like legitimate sites. That spells easy money for criminals, who sell the data they steal or use it to buy goods for resale, for example.

There are already a couple of places people can report suspected Web sites. There are add-on toolbars or built-in features in Web browsers that let people click and submit a URL. If these check out, they're added to a blacklist used by the company that provides the toolbar. That means the phishing information can be scattered among different software providers.

Alternatively, scam e-mails can be submitted to the Anti-Phishing Working Group, which stores the information in a database used by makers of security software and others, but takes no further action. The APWG, an effort backed by security companies, financial services providers and others, includes Symantec, McAfee and Microsoft as sponsors.

Despite industry efforts, phishing is still on the rise, and experts predict that scams will become increasingly sophisticated. A record 9,715 phishing Web sites were spotted in January, according to an Anti-Phishing Working Group paper. The PIRT group aims to get consumers more involved in the phishing fight and bring down malicious sites more quickly.

The PIRT handlers, who must all have an established security track record, will analyze phishing e-mails and contact the host of the Web site, usually an Internet service provider, as well as the company whose customers are being targeted, Eckelberry said.

Additionally, the volunteers will share phishing reports with security companies, the Anti-Phishing Working Group and other efforts that exist to fight the scams, he said.

"We do not want to discount any of those efforts," Eckelberry said. "This is an additional layer to pick up any reports that were not submitted. We are seeing a large number of cases where phishing attacks are not reported."

Fighting fraud
Phishing hasn't gone unnoticed by the security industry. Companies such as MarkMonitor and RSA Security's Cyota take down phishing Web sites, but only for those that hurt paying customers of their antifraud services.

Industry efforts have reduced the average time a phishing Web site is online--five days in January 2006, compared with 6.1 days in July 2004, according to Anti-Phishing Working Group data. Still, some phishing Web sites were online for at least a month in both periods, according to the group.

PIRT hopes to be able to take down phishing Web sites in a matter of hours after receiving the report, Eckelberry and Laudanski said.

But not everyone believes the group will be successful. Marc Wagner, a technology specialist at Indiana University, Bloomington and a ZDNet contributor, was skeptical that a volunteer effort could fix the problem, which he described as one of the greatest threats to personal security on the Internet.

"While the intent is noble, it is naive to believe that 100 volunteers could deal with the sheer volume of phishing scams," he said. Wagner said several scam e-mails land in his in-box every day, and another two dozen or so are blocked by the university's spam filters.

The PIRT team is taking on the most difficult part of the phishing fight in trying to persuade the Web host to take suspicious sites offline, said Peter Cassidy, the secretary general of the Anti-Phishing Working Group. "Getting the message for action to the party that had its technology co-opted (to host the phishing Web site) has always been the challenge," he said.

Cyota employs about 40 people whose full-time job is to try to take down phishing sites that target customers of its own customers--companies such as E*Trade Financial, Washington Mutual and ING Direct. The service costs those companies several thousand dollars a month, said Amir Orad, vice president of marketing at the RSA Security subsidiary.

It's a tough job because the sites can be located anywhere in the world. This means language and legal barriers as well as multiple time zones to deal with, Orad said.

Still, the Cyota executive believes the volunteers can be a part of the phishing solution. "I think it will be relevant to some people and fill some gaps in this space," he said. "It will have some impact, but I don't think they can get to the same level and skills of a commercial entity."

However, the volunteer effort could help organizations that can't afford antifraud services such as those offered by Cyota, Orad said. Smaller banks, which are now being targeted more by fraudsters, are likely users.

Eckelberry and Laudanski acknowledge that removing phishing sites isn't easy. They expect to be able to shut down between 40 percent and 50 percent of those reported to the team of handlers. PIRT is looking especially for handlers who have experience in dealing with Asian Internet service providers, they said.

Johannes Ullrich, chief research officer at the SANS Institute, believes the community initiative makes sense. Ullrich has experience with similar efforts, particularly the SANS Internet Storm Center, where about 40 volunteers monitor Internet threats.

"It makes sense for volunteers to do it, because there is basically no money to be made with this," he said.

The PIRT group faces an uphill battle, Cassidy said, noting that the Anti-Phishing Working Group receives tens of thousands of phishing reports a week. "Phishing can be a black hole. The biggest threat these guys will have is burnout."