A group of companies concerned about the spread of phishing, including Microsoft Corp., eBay Inc. and WholeSecurity Inc., have banded together to start a service that will serve as an early-warning network for new attacks.
The Phish Report Network is a cooperative effort among all of the involved parties, but the information clearinghouse will be run by WholeSecurity, a provider of client-side security solutions. The company has been involved in anti-phishing efforts for some time, and sells a product known as Web Called-ID that helps customers identify spoofed Web sites.
Members of the network who are being hit by phishing scams can submit information—including the phishing e-mail and fraudulent sites—into the the services secure database. All of the members will have access to the database, and the network also will push out immediate alerts about new attacks. Companies such as Microsoft and WholeSecurity can then add the new information into their products to help prevent customers from visiting fraudulent sites.
Many of the member companies, most notably eBay, PayPal and Visa, each have been victims of numerous phishing attacks that have used the companies logos and brand identities to lure consumers into divulging sensitive personal information. But in recent months scammers have expanded their reach beyond well-known national brands and have begun targeting smaller banks and online retailers. This led many of the networks members to conclude that there was a need for a broad approach to the problem.
"Most of us have been doing independent things to protect customers, but phishing isnt so intense against us anymore, but is moving across a broader spectrum," said Howard Schmidt, chief security officer at eBay, based in San Jose, Calif. "The question was, How do you best protect for everyone? Well provide the service to whoever wants to use it."
To prevent scammers from reporting legitimate sites to the Phish Report Network, the service will only take reports from a small subset of employees at each company, Schmidt said.
The new network is one of several cooperative anti-phishing efforts that have appeared as the industry tries to combat what has become a thorny and persistent problem. Several federal agencies, including the FBI, U.S. Secret Service, Federal Trade Commission and U.S. Postal Inspection Service, recently teamed up with companies in the private sector to form the Digital Phishnet, which aims to help find and prosecute people involved in phishing. And, the Anti-Phishing Working Group, which comprises security vendors, ISPs and financial institutions, has been serving for more than a year as a clearinghouse for data on new attacks and trends.