As businesses continue to struggle with criminals trying to hijack their online content in order to dupe people with so-called phishing schemes, one company has created a directory designed to help firms defend their interests.
In response to a security landscape where thousands of new phishing attacks are reported each month, many of which target large financial services institutions or popular online businesses such as eBay, messaging security software maker CipherTrust has launched a new resource known as PhishRegistry.org, meant to help companies identify and protect their legitimate online operations.
PhishRegistry.org promises to monitor the content of legitimate Web sites and alert companies when attempts are made to duplicate their pages.
Companies can also register their official Web page URLs and share information about attacks in the name of helping consumers identify attempted fraud and shutting down phishing sites more quickly.
CipherTrust said companies that register for the site can even use the system to send e-mail alerts to customers when an attack has been identified.
Phishing attacks involve the use of e-mail campaigns that attempt to lure people to fraudulent Web sites, most often designed to appear to be the actual sites of well-known companies. Once a user is directed to a phishing-oriented Web page, the site typically asks for the user's log-in and password data, which can then be used to commit crimes such as identity theft.
“Online fraud is a race between the bad guys, who rush to post false sites to snare unsuspecting users, and the good guys—legitimate businesses protecting their brand and their customers,” Dr. Paul Judge, chief technology officer at CipherTrust, based in Alpharetta, Ga., said in a statement.
“Think of PhishRegistry.org as a neighborhood watch that dramatically speeds the pace at which organizations are notified of phishing attempts—a significant advantage in the race to ensure trust in the Internet and in online communications,” Judge said.
As most successful phishing attacks are based on some form of copying or re-engineering a legitimate site to fool people, CipherTrust is using a behavior-detection technology it calls “Phisherprinting” to analyze sites that appear to be fakes of URLs saved in the registry.
A similar anti-phishing effort was recently launched by security researchers at CastleCops and Sunbelt Software, dubbed the PIRT (Phishing Incident Reporting and Termination) Squad. The PIRT online community also asks for businesses and other people to register with it in order to help share information on new phishing attacks.
According to the latest figures reported by industry consortium Anti-Phishing Working Group, the number of reported phishing attacks increased dramatically in January 2006, compared to the same time last year. APWG said it received reports of nearly 18,000 unique phishing schemes for the month, compared to roughly 13,000 in January 2005.
The total also stands as the highest number of attacks recorded by APWG over the last twelve months.
The group said it received reports of over 9,700 unique phishing Web sites in January, which targeted a total of roughly 100 different corporate brands. The United States remains the top source of phishing attacks with sites that were visible online for an average of five days, according to APWG.
In addition to a growing sophistication in the appearance of phishing e-mail campaigns and fraudulent Web sites, many of which carry the name of the targeted company in their URLs, APWG has reported that criminals are beginning to find more creative ways to lure users.
One trend has been the rise in attacks using the names of businesses such as regional banks whose customers may be less wary of being attacked than those of massive organizations such as eBay.