Enterprises are banding together in an alliance dubbed Digital PhishNet to share information with one another and with the FBI about phishing schemes and breaches - the second they happen. The alliance's formal announcement came last month.
Stirling McBride, a fraud investigator at Microsoft, advanced the effort early on. Microsoft's security team has long been trolling the Internet for anything phishy and forwarding that information to the FBI's Internet Crime Complaint Center (IC3), as have other heavy hitters, including America Online, EarthLink, and Lycos.
PhishNet's primary anti-phishing tool will be a shared database into which members enter information such as IP address, scam site registrant, and site host. The National Cyber Forensics and Training Alliance will analyze the data and create criminal profiles, which they will forward to law enforcers.
"Coordinated information about phishing schemes will help us focus on the most serious offenders," says Dan Larkin, unit chief at the IC3. "Digital PhishNet facilitates critical data collection between a large number of the targets of these crimes and establishes a pipeline directly to law enforcement, in real time, before the phisher has had time to disappear."
Timing is crucial. "We have to move as quickly as the phishers do - and they move very quickly creating phony sites, collecting credit card and other personal information, and then dismantling the site within just a couple of days," Larkin says.
Founding members of Digital PhishNet include AOL, Digital River, EarthLink, Lycos, Microsoft, Network Solutions, VeriSign, the FBI, the U.S. Federal Trade Commission, the U.S. Secret Service, and the U.S. Postal Inspection Service. Enterprises are invited to join by registering at www.digitalphishnet.org.
Although Digital PhishNet won't put an end to phishing, hopefully it will do more than the skeptics expect. Phishing is an international problem, and law enforcers will have to contend with layers of bureaucracy and all the various laws governing online fraud.
Much will depend on whether companies opt to share information about scams openly, something many have been reluctant to do. Shortly after Digital PhishNet was announced, InfoWorld asked EarthLink what countries host the majority of phishing Web sites. EarthLink's PR company provided the response: "The company does not proactively discuss where the largest number of phisher sites are hosted."
Nonetheless, Digital PhishNet is out to prove that security by obscurity is rarely effective.
When going up against hackers and organized crime intent on fraud through phishing, strategy is everything. Here are popular schemes listed (loosely) in order of severity.
Social engineering threat:
Manipulates basic emotions: trust, fear, greed, kindness. Almost every phishing attack has a social-engineering component. Recent ploys urge people to fill out a form to receive a job, prizes, or gift certificates. Just before Christmas, phishers sent e-mails warning that recent online orders might be delayed unless recipients clicked on the URL and provided log-in names as well as passwords. Countermeasure: Ongoing user education.
Cross-site scripting threat:
Allows phishers to launch attacks directly from compromised Web sites or to spoof legitimate sites. Greyhats Security Group recently demonstrated a flaw in IE's DHTML Edit ActiveX control that allows phishers to spoof secure e-commerce sites. When users click on a URL within an e-mail, the correct URL of the malicious Web site briefly appears in their browser's address bar and is then replaced by whichever URL the phisher designates. Phishers can also make the SSL padlock icon appear at the bottom of the browser. Countermeasure: Proper filtering and validation of received Web site input and proper encoding or filtering of the output returned to the user (see CERT's "Understanding Malicious Content Mitigation for Web Developers").
Blended attacks threat:
Relies on cross-site scripting, but rather than spoofing a legitimate site, scammers send victims to an authentic site by way of an e-mailed URL that contains malicious code. When the target arrives on the site, code embedded in the URL produces a legitimate-looking pop-up log-in box that redirects the victim to a page on the phisher's Web site or simply collects log-in information. Countermeasure: Same as that for cross-site scripting.
Rewrite and redirect threat:
Exploits Windows Scripting and does not require users to click on a link embedded in an e-mail. Instead, a small bit of programming code runs as soon as the e-mail is opened. The code attempts to rewrite the hosts file of infected machines. If the attack is successful, when users attempt to access online banking sites, they are instead automatically redirected to a fraudulent Web site, which then attempts to capture the victim's banking log-on name, password, and other personal information. Countermeasure: Disable Windows Scripting Host.
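One way to detect the hosts-file tampering described in the rewrite-and-redirect threat, as an added example that is not part of the original article: the script below parses a hosts file and flags any entry that pins a public-looking hostname to a non-loopback address, since that is exactly how a planted redirect bypasses DNS. The sample file content, the bank domain and the IP address are constructed placeholders.

```python
"""Flag hosts-file entries that redirect public hostnames away from DNS.

Added example (not from the article). The sample hosts content below is
constructed; the bank domain and IP are placeholders, not real indicators.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: the loopback lines are normal, the last two are the
# kind of entry a rewrite-and-redirect script would plant.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.invalid
192.0.2.10      online.example-bank.invalid   # planted by attacker
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one IP may be followed by several aliases
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return entries mapping a dotted (public-looking) hostname to a
    non-loopback address, or with an unparsable address field.

    A clean hosts file almost only maps localhost-style names to loopback;
    any other pinned hostname silently overrides DNS and deserves a look.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed line: also investigate
            continue
        if addr.is_loopback:
            continue  # 127.0.0.1 / ::1 entries are expected
        if "." in name:  # skip single-label names such as broadcasthost
            flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}: DNS bypassed, investigate")
```

On a live Windows machine the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`.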