Microsoft Enhances Its Anti-Phishing Tools

The Internet Explorer 7 browser, available now only in beta tests, features the new filtering technology; Microsoft plans to add the technology to a tool bar for older versions of IE.

Microsoft—seeking to help prevent ID theft—is among the growing list of software companies that are developing new tools that caution consumers when "phishing" attacks are under way on the Internet.

Microsoft Corp.'s Internet Explorer 7 browser, which is available now only in beta tests, features the new filtering technology.

The company is planning to add the technology into a tool bar for older versions of Internet Explorer.

Microsoft, however, apparently did not develop the new feature itself.

"WholeSecurity provides the functionality for the phishing component that is part of IE 7," said Ann Taylor, a spokesperson for WholeSecurity Inc., the developer, based in Austin, Texas.

The filter identifies and blocks fraudulent Web sites that try to deceive users in an effort to obtain their bank account details and other personal information.

Last week, an anti-phishing service was announced by the anti-virus software company Sophos plc., based in Abingdon, U.K.

The company announced a fee-based service to notify computer users about phishing attacks.

"Phishing attacks cost companies like financial services and online retailers money and time," said Gregg Mastoras, senior security analyst at Sophos.

"This service will automatically notify users, enabling them to warn their customers and immediately appeal to law enforcement agencies and ISPs to shut down a phishing site."

A July 2005 study by the Ponemon Institute, a data privacy and business ethics research firm, shows 59 percent of consumers reported reducing online transactions as a result of phishing scams.

A June 2005 survey by Gartner Inc. of 5,000 U.S. consumers reported that the number of phishing attack e-mail recipients grew by 28 percent.

"Phishing attacks are not subsiding, despite some industry theories that phishing is a fad that peaked in 2004. An estimated 2.42 million U.S. adults report losing money in phishing attacks," the Gartner study said.

"According to these victims, total financial losses this past year amounted to nearly $929 million. Perhaps the biggest impact for businesses is a newfound and serious consumer distrust of e-mail."

The APWG (Anti-Phishing Working Group), an industry alliance that concentrates on eliminating online fraud and identity theft, reported more than 2,800 active phishing sites in April of this year—double the number reported just last October.


The Microsoft anti-phishing tool will be available to computer users running the Windows XP operating system with last year's Service Pack 2 security upgrade.

The tool was built to stop scammers who try to con unsuspecting computer users into revealing passwords—generally by posing as a legitimate banking or retail site.

Users of IE 7 and other Microsoft products who encounter a strange site will soon have the option to forward that address to Microsoft to check against a database of known phishing sites.

A red warning page appears on screen when a known fraudulent site is detected.

The filter also displays a pop-up warning when it sees signs of possible phishing behavior on a site, such as the lack of SSL encryption to protect passwords.

The effort is one of many launched by Microsoft to combat spam, including enhancements to e-mail sender authentication for Microsoft Network's Hotmail accounts, and so-called "postmaster" services for ISPs to track spam sent via their servers.

These efforts seem to be providing tactical intelligence for the filter updates.

"With over 200 million active e-mail accounts worldwide, MSN Hotmail is in a unique position to collect and analyze e-mail activity data," said Kevin Doerr, product unit manager at MSN Hotmail at Microsoft.

"Working together, MSN Hotmail and service providers can make their customers happier and more satisfied with the services we all provide."

The Sophos service—while not integrated into a browser—provides e-mail samples and additional information to help companies respond quickly to phishing attacks and reports on overall phishing activities.

The service also identifies fraudulent Web sites to users of the PhishAlert service, the company said. Other services and technologies are coming to market.

Next week, McAfee is expected to announce the availability of managed e-mail security services for small business and enterprise customers, powered by the Postini Perimeter Manager product line.

The solution will apparently offer e-mail protection against spam, phishing, inappropriate content and viruses for these users, the company told Ziff Davis Internet.

Other, established efforts are continuing in the anti-phishing area, targeting the corporate market.

"WholeSecurity has a phishing solution—Confidence Online Phish Finder—that we sell to companies; we also operate the Phish Report Network, of which eBay, Visa, PayPal and Microsoft all were founding members," said Taylor.
