Software And Common Sense Needed To Hook Phishers
Tougher laws, technology advancements, and awareness are needed to effectively reel in phishers.
As states and the federal government step up their efforts to prosecute cybercriminals who use bogus E-mails to trick unsuspecting computer users into sharing important personal information, IT managers are being encouraged to take matters into their own hands to keep phishers at bay.
A combination of tougher laws, technology advancements, and awareness is needed to effectively reel in phishers, says Dave Jevans, chairman of the Anti-Phishing Working Group, a coalition of financial institutions, online retailers, Internet service providers, and law enforcement formed to prevent identity theft and fraud caused by E-mail spoofing, phishing, and pharming. Pharming software has recently emerged as a cyberthreat that modifies settings on a person's computer so that the user is taken to a fraudulent site even if that user types in a correct Web address.
Sen. Patrick Leahy, D-Vt., in late February reintroduced anti-phishing legislation that would assign phishing and pharming new federal criminal penalties. The bill, which was referred to the Senate Judiciary Committee, would enter two new crimes into the U.S. Code. The first prohibits people from creating Web sites that represent themselves as legitimate businesses but instead attempt to defraud visitors and steal personal information. The second prohibits the use of E-mail that purports to be from a legitimate business but likewise attempts to defraud users. States such as Virginia and New Mexico have already passed laws that classify phishing as a felony.
"The reality of the situation is that these deterrents might make a few teenagers think twice, but the problem is still finding [phishers] and catching them," Jevans says.
Phishing scams are on the rise despite legal deterrents. There were 2,625 active phishing sites in February, growing at an average monthly rate of 26% since July, according to a recent report from the Anti-Phishing Working Group.
That's where new technology and common sense come in. Businesses, financial institutions in particular, can protect themselves from being used as bait for phishing schemes by buying up all domain names similar to their own, Jevans says. Use of similar domain names is a common way for phishers to trick people into giving them bank-account or credit-card information.
Companies likely to be used as phishing bait should also improve their E-mail authentication infrastructure, making it more difficult for criminals to send out E-mails that appear to be from legitimate businesses, Jevans says. Microsoft's Sender ID framework is one such protocol, designed to help address the problem of spoofing and phishing by verifying the domain name from which E-mail is sent. Sender ID validates the origin of E-mail by verifying the IP address of the sender against the purported owner of the sending domain.
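The check described above, in outline, as an added example that is not from the article or from Microsoft: it derives the purported sending domain from the message headers (a simplified header priority order) and tests the connecting IP address against a constructed `spf2.0/pra` record. The domains, addresses, record contents and function names are assumptions made for illustration, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table standing in for a DNS TXT lookup (all values are samples).
PUBLISHED = {"bank.example": "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.25 -all"}
# Simplified priority order for the purported responsible address (PRA).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def purported_responsible_domain(raw_message):
    """Return the domain of the first PRA header present, or None."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        addr = parseaddr(msg.get(name, ""))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None

def check_sender(raw_message, client_ip, records=PUBLISHED):
    """Test the connecting IP against the record of the purported sending domain."""
    domain = purported_responsible_domain(raw_message)
    if domain is None:
        return "permerror"  # no usable header to derive a domain from
    terms = records.get(domain, "").split()
    if not terms or not terms[0].startswith("spf2.0/") \
            or "pra" not in terms[0][len("spf2.0/"):].split(","):
        return "none"  # domain publishes no policy for the PRA scope
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include and others need live DNS and are skipped in this sketch
    return "neutral"

# Constructed sample messages.
DIRECT = 'From: "Bank Support" <support@bank.example>\nSubject: Notice\n\nHello\n'
RELAYED = "Sender: bulk@mailer.example\n" + DIRECT

if __name__ == "__main__":
    print(check_sender(DIRECT, "192.0.2.10"))    # listed address
    print(check_sender(DIRECT, "203.0.113.7"))   # unlisted address
    print(check_sender(RELAYED, "203.0.113.7"))  # PRA is the Sender header
```

The third sample shows a caveat for mail administrators: the domain that gets checked comes from the highest-priority header present, which is not always the From address a reader sees.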
The Anti-Phishing Working Group also is looking to aggregate the tens of thousands of malware-tracking reports it gets monthly. In addition to sharing among companies, Jevans calls for different countries to share this information. Ultimately, he'd like to see law enforcement be given the technology it needs to track and investigate malware reports.