Open Season on Phishing

Research sponsored by the Dept. of Homeland Security could help firms like Symantec protect consumers from online fraud.

Among the most damaging forms of spam is the "phishing attack" -- e-mails or even instant messages that masquerade as official notices or inquiries, designed to fool Internet users into going to a bogus website and entering personal information, such as account numbers, PINs, social-security numbers, or credit-card numbers.

These ingenious come-ons fool so many people that the resulting thefts added up to as much as $1.2 billion in 2003, according to an estimate by Gartner Research. This puts phishing at or near the top of Internet security problems.

Consumer-level security tools, such as Norton Internet Security, from Cupertino, CA-based Symantec, already filter out many phishing e-mails before they arrive. But a few inevitably get through, and it's what happens after users have clicked on deceptive links and have begun to enter personal information into fraudulent websites that now concerns many security researchers.

Part of the problem is that many people don't have security software on their computers, and the few existing programs that stop people from sending such information to "phishers" work only with specific browsers, such as Microsoft Internet Explorer. Now researchers at BBN Technologies, a contract R&D company in Cambridge, MA, are using funding from the Department of Homeland Security to develop a phishing defense that isn't keyed to specific browsers. While the project is at an early stage, BBN will hand over its results later this year to collaborator Symantec, whose Norton suite of products leads the consumer computer security industry.

"Most existing technologies are tightly bound to one browser, such as Internet Explorer," says Michael Atighetchi, a senior scientist at BBN. "Our goal is to make it support as many browsers as possible."

The system works by intercepting personal information typed into a Web page before it actually leaves a user's computer; it alerts the user if the information is sensitive or if the page has been identified as part of a phishing site.

Atighetchi's colleague Jennifer Chong, who co-developed the technology, says the system identifies phishing sites partly by tracking their traffic characteristics and their age (most phishing sites are only a day or so old).

Until now, Chong says, consumers haven't had access to the latest anti-phishing software, which mainly helps financial institutions crack down on phishers using their business names. "Most of the services out there are geared to protect big names, not necessarily the consumer," she says. "They are focused on taking the domain down, investigating and finding the bad guy."

New protections are critical at a time when phishing e-mails make up a greater portion of all electronic mail. According to tests by Symantec, 0.84 percent of all e-mail messages sent between July 1 and December 31, 2005 were phishing attempts, which works out to 7.92 million attempts per day. And that was up from 0.77 percent for the first six months of 2005.