Web Caller-ID spots 'phishy' websites

A new software tool from WholeSecurity Inc. can spot fraudulent Web sites used in online cons known as "phishing" scams,...

A new software tool from WholeSecurity can spot fraudulent websites used in online cons known as "phishing" scams.

The Web Caller-ID can detect web pages dressed up to look like legitimate e-commerce sites. The technology is aimed at banks, credit card companies and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud and increase confidence in online commerce.

Phishing scams are online crimes that use unsolicited commercial, or "spam", e-mail to direct internet users to websites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account or credit card number, often under the guise of updating account information.

A version of Web Caller-ID is already being used by eBay in a feature called Account Guard, part of an eBay web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behaviour, such as web URLs that disguise the true internet address of the site the user is visiting.

Companies can license a web browser plug-in WholeSecurity, which can then be distributed to customers directly or as part of a web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company.

A web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof websites or fine-tune the Web Caller-ID technology to adapt to their company's website.

Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group. There were 1,422 new, unique attacks reported to the APWG in June, a 19% increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52% a month on average, the group said.

A survey of 5,000 adult internet users by research firm Gartner released in April found that the number of phishing attacks spiked in the last year and that around 3% of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam.

The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner said.

Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams said Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at eBay.

"These are some of the things we need to do moving forward - getting technology built into the web browsers themselves to do these things," he said.

However, better user education and stronger security from online retailers, banks and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt said.

"You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he said.

Paul Roberts writes for IDG News Service

Read more on IT strategy