Microsoft, eBay, Visa form Phish Report Network

The information sharing network is being unveiled at this week's RSA Conference

To make it easier to identify and react to new scam Web sites, Microsoft Corp., eBay Inc. and Visa International Inc. are launching a program to share information about online identity theft scams known as "phishing attacks."

The companies plan to use the RSA Conference in San Francisco this week to unveil the Phish Report Network, an antiphishing service that aggregates reports of phishing attacks and issues alerts about new phishing Web sites to subscribers. The service is being sponsored by endpoint security company WholeSecurity Inc., according to a statement from WholeSecurity.

Phishing scams use spam to direct Internet users to Web sites that are designed to look like legitimate e-commerce sites but are actually controlled by thieves. Users are asked to provide sensitive information such as passwords, bank account information or credit card numbers, often under the guise of updating an account.

Reports of online identity theft scams have grown steadily for more than a year. In December, more than 1,700 active phishing Web sites were reported, a 10% jump from the previous month, according to data released by the Anti-Phishing Working Group (APWG).

More than 9,000 unique e-mail messages linked to phishing scams were identified by the APWG in December, an increase of 6% from the month before and a 38% increase over the number reported in July, according to an APWG report.

The scams are notoriously hard to shut down because those behind them often use compromised computers scattered around the globe to host phishing Web sites and to distribute the spam advertising the sites. The average lifespan of a phishing Web site was almost six days in December, with some sites operating for as long as 30 days before being shut down, the APWG reported.

The Phish Report Network is a voluntary, subscription-based service that will help coordinate response to phishing scams between companies targeted by phishers, such as eBay, and organizations that can help shut down the scams, such as Internet service providers and antispam technology companies, according to the group's Web site.

Visa, eBay and Paypal Inc., eBay's online payment division, will report new phishing scams to the Phish Report Network. Those reports will be stored in a central database maintained by WholeSecurity, where the information will be sorted into aggregated "safe lists" and "block lists" of known phishing sites. Internet service providers and other companies will then use those lists to update filters, blacklists and other systems to block traffic to and from the phishing sites, WholeSecurity said.

The network is just the latest industry effort to thwart identity theft scams, which some fear could undermine public confidence in online commerce.

In June 2004, a consortium of companies from across different industries called the Trusted Electronic Communications Forum (TECF) said it was going to tackle the problem of online identity fraud.

That group has representatives from leading retail, telecommunications, financial services and technology companies, including Charles Schwab & Co., Fidelity Investments Inc., IBM and Siebel Systems Inc. The TECF was formed to take on long-term and short-term approaches to combat the phishing problem, including developing new technology, adopting technology standards and best practices, and taking legal action against suspected identity thieves, according to a statement.

The Phish Report Network is available immediately, and companies can sign up by visiting the group's Web site.

Copyright © 2005 IDG Communications, Inc.

Shop Tech Products at Amazon