
Phishing steals spotlight at MIT Spam Conference

By Cara Garretson, Network World, 04/03/2006

While the volume of unwanted e-mail ebbs and flows, the nature of unwanted e-mail is steadily becoming more dangerous, say spam experts.

Advances in anti-spam technology and increased use of these products are delivering somewhat cleaner in-boxes and less-annoyed e-mail users, experts say. But no technology has been developed that can effectively protect e-mail users from phishing attacks that steal personal and financial information, and until this form of fraud can be detected and blocked, unwanted e-mail remains a threat.

"The spam problem will get worse, and the reason is phishing," said Bill Yerazunis, senior research scientist with Mitsubishi Electric Research Laboratories, and chairman of the MIT Spam Conference, which held its fourth meeting in Cambridge, Mass., last week. Yerazunis estimates 20% to 30% of all spam messages are phishing attacks. "For people who aren't 'Net savvy, they could lose their retirement money," he said.

The response rate for phishing e-mails is higher than for spam, said Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more unsolicited e-mail, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage of recipients click on them, he said.

Not only is phishing dangerous for potential victims, it is destroying banks' and other companies' ability to communicate with their customers in the most effective way, Judge continued. "Some of the most powerful entities on earth can't talk to their customers over e-mail" because phishing has corroded their customers' trust, he said.

As one of the dozen companies, universities and laboratories presenting papers at the MIT Spam Conference last week, CipherTrust focused its talk on the rising threat of phishing. The company last week also announced PhishRegistry.org, a service designed to warn legitimate Web sites when they are being spoofed by phishers.

Anti-spam products that filter content aren't able to catch phish because the actual theft doesn't happen in e-mail, but at the forged Web site that a phishing message sends recipients to, said Jonathan Zdziarski, research scientist at CipherTrust. The company has developed technology that creates a digital fingerprint of a Web site suspected to be bogus, and of the site it is spoofing, and compares the two.

Once a bogus site is identified, CipherTrust feeds that information into its Radar anti-phishing service and posts a notice at PhishRegistry.org, which Zdziarski defines as a "neighborhood watch for your Web site."

Another company, MarkMonitor, attempts to identify potential phishing sites by these sites' domain names. The company, which is a domain registrar, provides a service that looks for newly registered or altered sites with domain names that are close to legitimate domain names, such as bankofamerica1.com, says Chuck Drake, senior vice president of fraud solutions.

Advance notice of a potential phishing scam lets MarkMonitor's customers work to shut down the fraudulent site through claims such as brand infringement, Drake said. If a phishing attack does happen, MarkMonitor's service also shuts down the fake site by contacting the site's ISP and presenting evidence of fraud.
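The kind of domain-name screening described above can be sketched as follows. This is an added example, not MarkMonitor's code or method: the function names, the distance threshold and the sample feed of new registrations are assumptions made for illustration, and the label extraction assumes a single-label TLD such as .com.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def label(domain: str) -> str:
    """Registrable label, e.g. 'www.bankofamerica1.com' -> 'bankofamerica1'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalise(lbl: str) -> str:
    """Drop digits and hyphens, which lookalike names often add."""
    return re.sub(r"[-\d]", "", lbl)

def find_lookalikes(protected, new_domains, max_dist=2):
    """Return (new_domain, protected_domain, reason) for each suspicious name."""
    hits = []
    for dom in new_domains:
        dom = dom.lower().rstrip(".")
        lbl = label(dom)
        for owner in protected:
            if dom == owner:
                continue  # the legitimate site itself
            brand = label(owner)
            limit = min(max_dist, len(brand) // 4)  # tighter for short brands
            # Distance is taken on the raw and the normalised label; keep the smaller.
            d = min(edit_distance(lbl, brand), edit_distance(normalise(lbl), brand))
            if d <= limit:
                hits.append((dom, owner, f"edit distance {d}"))
            elif brand in normalise(lbl):
                hits.append((dom, owner, "contains brand name"))
    return hits

# Constructed sample data: one protected name and a made-up registration feed.
PROTECTED = ["bankofamerica.com"]
NEW_FEED = ["bankofamerica1.com", "bank0famerica.com",
            "bankofamerica-secure.net", "gardenforum.org", "bankofamerica.com"]

if __name__ == "__main__":
    for hit in find_lookalikes(PROTECTED, NEW_FEED):
        print(*hit, sep="  |  ")
```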
