New tool identifies 'phishy' Web sites

A new software tool from WholeSecurity Inc. can spot fraudulent Web sites used in online cons known as "phishing" scams, according to a statement from the company.

The new product, called Web Caller-ID, can detect Web pages dressed up to look like legitimate e-commerce sites. WholeSecurity is marketing the technology to banks, credit card companies and online retailers as a way to prevent unwitting customers from accessing false sites, to reduce fraud and increase confidence in online commerce, the company said.

Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account or credit card number, often under the guise of updating account information.

A version of Web Caller-ID is already being used by eBay Inc. in a feature called Account Guard, part of an eBay Web browser toolbar that users of the online auction site can download for free. The feature detects suspicious behavior, such as Web URLs (uniform resource locators) that disguise the true Internet address of the site the user is visiting.

Companies can license a Web browser plug-in WholeSecurity, which can then be distributed to customers directly or as part of a Web browser toolbar. Alternatively, companies can sign up for an e-mail processing service from WholeSecurity that harvests information on phishing scams from spam e-mail or customer complaint e-mail sent to the company, WholeSecurity said.

A Web browser-based management console lets administrators view suspected phisher sites, file complaints against spoof Web sites or fine-tune the Web Caller-ID technology to adapt to their company's Web site.

Reports of phishing attacks have skyrocketed in recent months, according to the Anti-Phishing Working Group (APWG), a joint industry-law enforcement group. There were 1,422 new, unique attacks reported to the APWG in June, a 19 percent increase over the previous month. Since the beginning of 2004, reports of the attacks have grown by 52 percent a month on average, the group said.

A survey of 5,000 adult Internet users by research firm Gartner Inc. released in April found that the number of phishing attacks spiked in the last year and that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. The results suggest that as many as 30 million adults have experienced a phishing attack and that 1.78 million adults could have fallen victim to the scams, Gartner said.

Web Caller-ID is not a cure-all for the phishing problem, but is a good first step to provide comprehensive protection from the scams said Howard Schmidt, former White House cybersecurity advisor and the current chief information security officer at eBay.

"These are some of the things we need to do moving forward -- getting technology built into the Web browsers themselves to do these things," he said.

However, better user education and stronger security from online retailers, banks and financial institutions is also needed to protect technically unsophisticated consumers from complex online cons like phishing attacks, Schmidt said.

"You can't put somebody in a car and tell them to drive, but not tell them what the brake and gas pedal are for," he said.