There’s something phishy here

My first question to Dan Maier, spokesman for the Anti-Phishing Working Group, was: “How do I know that the e-mail you sent to me is really from the Anti-Phishing Working Group?”

My first question to Dan Maier, spokesman for the Anti-Phishing Working Group, was: “How do I know that the e-mail you sent to me is really from the Anti-Phishing Working Group?”

Maier laughed, but he also had a serious answer to what wasn’t really a serious question:

“As a matter of fact, one of the items we have on our agenda is to start digitally signing all e-mail messages coming from the group,” said Maier, who works for Tumbleweed Communications. “That’s one of the solutions that’s being proposed to banks and everybody else [targeted by phishing attacks]: to digitally sign e-mails so that recipients can trust that they are authentic.”

Such trust is becoming an ever-iffier proposition, as phishing – the spoofing of e-mail and name-brand Web sites to fool consumers into coughing up personal information – continues to grow more common. Founded in November 2003, the group logged 176 discrete phishing attacks last month, up 52% from last December. While Maier acknowledges the numbers might reflect a learning curve as victimized parties recognize they have a forum to log incident reports – www.anti-phishing.org – the evidence of a growing problem is clear.

Less clear is the difference between legitimate and phony e-mail, even through the eyes of the sophisticated Internet user.

“What I’m actually seeing in a lot of the phishing reports coming in to the Anti-Phishing Working Group is some people are sending in authentic e-mail messages from PayPal and from others and saying, ‘Hey, I think this is a spoofed message; I think this is a fraudulent message,’ when it’s actually a valid quarterly financial statement from PayPal, for example,” Maier says.

“It’s telling you that people don’t have a way to differentiate valid messages from non-valid messages.”

According to the group’s January report, the financial industry continues to be hardest hit by the phishing phenomenon, although eBay is the No. 1 target. Eight percent of January phishing attacks exploited a Microsoft browser vulnerability – since patched – that lets Web site addresses be disguised, the group says.

More than 100 companies and a few hundred individuals are involved in the group already, including most of the top banks, ISPs, online retailers and organizations such as the Anti-Spam Research Group and the Information Technology Association of America. Microsoft is on board, as are the Justice Department, FBI and Federal Trade Commission.

Phishing clearly has the attention of the e-commerce world. But one challenge these anti-phishing parties face – aside from thwarting attacks – is balancing the need to warn consumers against the risk of scaring these same consumers completely off the ‘Net.

“In particular, banks have spent a lot of money trying to move a lot of their operations online and make it easier for their customers to do business with them,” Maier says. “This can threaten a significant chunk of that.

“There is still some ongoing discussion about how to educate and inform customers about how to make them comfortable in doing business online. We’re still working on formulating the exact correct message that does balance on that fine line,” he says.

In addition to monitoring and measuring the problem, the group intends to focus on finding technical solutions. AOL is already piloting one called Sender Permitted From, which will allow for the checking of IP addresses of domains sending e-mail against a published list of IP addresses of all the servers authorized to send e-mail from AOL. “If they don’t match, the message was spoofed,” Maier says.

The group has its work cut out for it . . . and nothing less than the future of e-commerce may hang in the balance.

There’s nothing unclear about my e-mail address: buzz@nww.com.