The announcement last week of a new antiphishing consortium that includes financial services firms, Internet service providers, IT vendors and law enforcement agencies represents one of the most concerted efforts yet to curb the growing problem of e-mail data-theft scams.
The Digital PhishNet group includes companies such as Microsoft Corp., America Online Inc., VeriSign Inc. and EarthLink Inc., as well as government institutions such as the U.S. Federal Bureau of Investigation, the U.S. Federal Trade Commission, the U.S. Secret Service and the U.S. Postal Inspection Service.
Phishing attacks use e-mail messages that appear to come from reputable companies to try to convince recipients to go to spoofed Web sites and disclose their credit card numbers and other personal information. The onslaught of attacks has prompted companies such as Barclays Bank PLC and eBay Inc. to adopt new technology designed to detect phishing scams and help consumers verify the authenticity of Web sites.
Better Information Flow
Digital PhishNet’s goal is to enable a better flow of information about phishing attacks between companies and law enforcement agencies, said Dan Larkin, unit chief at the FBI’s Internet Crime Complaint Center. Because phishers can rapidly create and dismantle phony Web sites, “the key to stopping them is to identify and target them quickly,” Larkin said. “Our industry partners have a unique perspective regarding these schemes and how they look early on that we in law enforcement don’t always have.”
Companies have to “spoon-feed” government agencies a lot of the information that’s needed to go after phishers, said Avivah Litan, an analyst at Gartner Inc.
“Law enforcement is not really equipped to deal with these cybercriminals,” she said. “They don’t have the technical skills or the staff.”
Between July and October, the number of known phishing Web sites grew by an average of 25 percent per month, with 1,142 active sites reported in October, according to the Anti-Phishing Working Group (APWG).
Litan said that in the 12-month period that ended last April, fraudulent activities resulting from phishing attacks cost victims a total of US$1.2 billion, with U.S. companies bearing most of those costs.
Digital PhishNet isn’t the first industry group created to fight phishing. The APWG says its membership includes more than 650 companies plus law enforcement agencies from the U.S. and three other countries. In addition, the New York-based Financial Services Technology Consortium (FSTC) in September announced an antiphishing initiative involving nearly 30 financial institutions and IT vendors.
But a key difference is Digital PhishNet’s emphasis on enforcement activities, said Dave Alampi, vice president of marketing at Digital River Inc., an Eden Prairie, Minn.-based company that develops and runs e-commerce sites. “The reason this alliance was formed is not just to raise awareness of the problem but to take a proactive stance in tracking (phishers) and shutting them down,” he said.
Judy Lin, an executive vice president at Mountain View, Calif.-based VeriSign, said Digital PhishNet will also investigate ways of legally using technology to bring down sites used to launch phishing attacks.