Open Season on Phishing

Among the most damaging forms of spam is the “phishing attack” – e-mails or even instant messages that masquerade as official notices or inquiries, designed to fool Internet users into going to a bogus website and entering personal information, such as account numbers, PINs, social-security numbers, or credit-card numbers.

These ingenious come-ons fool so many people that the resulting thefts added up to as much as $1.2 billion in 2003, according to an estimate by Gartner Research. This puts phishing at or near the top of Internet security problems.

Consumer-level security tools, such as Norton Internet Security, from Cupertino, CA-based Symantec, already filter out many phishing e-mails before they arrive. But a few inevitably get through, and it’s what happens after users have clicked on deceptive links and have begun to enter personal information into fraudulent websites that now concerns many security researchers.

Part of the problem is that many people don’t have security software on their computers, and the few existing programs that stop people from sending such information to “phishers” work only with specific browsers, such as Microsoft Internet Explorer. Now researchers at BBN Technologies, a contract R&D company in Cambridge, MA, are using funding from the Department of Homeland Security to develop a phishing defense that isn’t keyed to specific browsers. While the project is at an early stage, BBN will hand over its results later this year to collaborator Symantec, whose Norton suite of products leads the consumer computer security industry.

“Most existing technologies are tightly bound to one browser, such as Internet Explorer,” says Michael Atighetchi, a senior scientist at BBN. “Our goal is to make it support as many browsers as possible.”

The system works by intercepting personal information typed into a Web page before it actually leaves a user’s computer; it alerts the user if the information is sensitive or if the page has been identified as part of a phishing site.

Atighetchi’s colleague Jennifer Chong, who co-developed the technology, says the system identifies phishing sites partly by tracking their traffic characteristics and their age (most phishing sites are only a day or so old).

Until now, Chong says, consumers haven’t had access to the latest anti-phishing software, which mainly helps financial institutions crack down on phishers using their business names. “Most of the services out there are geared to protect big names, not necessarily the consumer,” she says. “They are focused on taking the domain down, investigating and finding the bad guy.”

New protections are critical at a time when phishing e-mails make up a greater portion of all electronic mail. According to tests by Symantec, 0.84 percent of all e-mail messages sent between July 1 and December 31, 2005 were phishing attempts, which works out to 7.92 million attempts per day. And that was up from 0.77 percent for the first six months of 2005.

Symantec would not comment on the specifics of the new software, but said the browser-neutral nature of the technology should hasten adoption. “A lot of these defenses are more than 98 percent effective, but the problem is, they are not rolled out to 98 percent of the population,” says Brian Witten, director of government research for Symantec. “If they were, the populace wouldn’t have the billion-dollar scale of the problem today.”

Symantec has a multi-pronged security system in place already, he says. The system includes an extensive effort at scanning e-mails for phishing characteristics. “We very quickly find out about bad sites that are phishing sites, and disseminate new protective capabilities, based on this intelligence, through the Phish Report Network we operate and our mail security products, such as Symantec Brightmail,” he says. That allows browsers or ISPs to block the Web addresses of the phony institutions.

Since late 2004, the Department of Homeland Security has committed approximately $13.8 million to Internet security research, including about $750,000 for the BBN project. Witten says the anti-phishing system represents one early payoff from this funding.

“Going against threats like that is a strong motivation for a public-private partnership,” Witten says. “The core motivation for engaging with BBN for long-term, multi-year research collaboration is that the threat is evolving so quickly. It is a billion-dollar, transnational criminal threat.” The collaboration with BBN will likely last for several years, he says.