System Uses CallerID Method to Beat Phishers

The new technology from WholeSecurity works to identify the true owner of a Web address, automatically sniffing out sites that could house phishing attacks.

WholeSecurity has teamed up with auction provider eBay to announce a new technology that automatically sniffs out sites that could house so-called "phishing" attacks.

Austin, Texas-based WholeSecurity Inc. on Monday launched Web CallerID, a detection, protection and management package that has been integrated into eBay Inc.s online toolbar. While WholeSecurity is currently marketing Web CallerID at large corporations seeking to protect their brand from phishing scams, executives hinted that a turnkey package aimed at smaller businesses may come later.

The tool debuts against a backdrop of increased phishing attacks, which attempt to dupe customers into divulging personal information such as credit card numbers, bank-account information, passwords, Social Security numbers or other confidential data.

Phishing often works through a combination of social engineering and deceptive Web design. In one common attack, for example, a JavaScript window pops up over the Internet Explorer address bar, obscuring the actual Web address by an almost-undetectable window that replaces the actual URL with a faked JPEG image of the sites actual address. The site appears innocent, luring users to enter personal information. Other dodges use site addresses that look authentic but arent.

The Web CallerID tool works to identify the true owner of a Web address, in much the same way Caller ID identifies the person on the other end of the line. The software cross-checks its own database of corporate customers against tricks that phishers typically use, such as numerical IP addresses instead of domain names and hosting on free Web sites.

In some sense, the software acts like a heuristic filter for phishers, much like a heuristic spam filter detects previously undiscovered spam, said J.T. Keating, vice president of corporate marketing at WholeSecurity.

When the site detects a bad address, the software phones the WholeSecurity home server, adds the site to a blacklist of bad sites and notifies the user with a pop-up screen. A browser-based management interface then reports the phishing site to the customers internal security team, which can send off notices to the phishers ISP to shut the site down.

Even though the software automatically reports the phishing site to the user, that customer also has the option of re-reporting the bad site, just to feel like he or she hooked the phisher, Keating added.

According to Dan Hubbard, director of technology and security research at San Diego-based Websense Inc., the blacklists utility is of limited use, however, because phishing sites remain online for an average of 2.25 days.

/zimages/3/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

The Anti-Phishing Working Group in June reported a 19 percent increase in unique phishing attacks for a total of 1,422. And the rise in phishers is attracting other anti-phishing solutions anxious to stem the tide.

"Theres a lot of copycatting going on," Hubbard said of the phishing attacks. He participated in the Anti-Phishing Working Group report.

"A lot of people see this as very easy to do and lucrative. These same people actually code one Web site one week and then run a different Web site a week later on the exact same machine."

"The really interesting item is that in all conversations [with customers], were having a huge percentage of people were talking to claim that theyve only been hit by one or two spoof attacks," WholeSecuritys Keating said.

"The real reasons people talk about our solutions is about consumer confidence–we hear customer-care people talking about how people dont trust electronic communications. Even worse, theyre picking up the phone and calling, which adds to help-desk costs."

/zimages/3/28571.gifClick here for six tips from a mutual fund company that fought back against phishing.

But the Anti-Phishing Working Group also has seen a rise in a less-sophisticated form of online fraud, the simple creation of online "stores" that promise to deliver pharmaceutical supplies, sporting equipment or other merchandise but are merely fronts to scam personal information, Hubbard said.

"One of the things I found shocking was that, OK, some of this comes from Azerbaijan or Sudan—thats Azerbaijan, there arent any real laws there," said Peter Cassidy, the secretary-general of the group. "But a quarter comes from the U.S., 50 percent from the Western world—the other 8 percent is in Taiwan! That tells me that … its not all lost. Something can be done."

But as law enforcement evolves, so could phishers, Hubbard warned.

Current phishes are designed to entice consumers to divulge financial information that can later be used against them. Analysts said that the next attempt, however, will likely be corporate, espionage-style attacks aimed at a particular company with the goal of persuading employees to divulge passwords or creating a back door into the network.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.


Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/3/19420.gif