eBay, Visa, Microsoft join security network to fight phishing

With more than 1,700 “phishing” web sites hijacking 55 brands in December alone, eBay Inc., PayPal, Visa and Microsoft Corp. have agreed to participate in an anti-phishing network designed to help web site operators and e-mail gateways block phishing attacks, the companies said this week.

The Phish Report Network is based on a database operated by Austin, TX-based WholeSecurity Inc. As web site operators and e-commerce service providers like eBay, PayPal and Visa become aware of phishing attacks, they’ll report fraudulent web sites and e-mail campaigns to the Phish Report Network database. Other companies that subscribe to the network can then take steps to block future phishing attacks by the same fraudulent sites.

Phishing attacks use stolen images of brands and what appear to be legitimate web site and e-mail addresses to fool consumers into providing personal information, including credit card numbers, legitimate web site log-in names and passwords. Recent phishing attacks attempting to steal account information from eBay users, for example, have used addresses “security@eBay.com” and "ebayconfirm@eBay.com"; subject headings “eBay account verification!” and “eBay Verify Accounts;” and messages signed by “Safeharbor Department at eBay Inc.”

IRCE 2008 Conference Multi-Media CD-ROM

Phishing e-mails try to persuade recipients to divulge account information by stating that their accounts will no longer be usable after a certain date unless the information is updated. eBay, however, says that it will never request its users to update account information through an e-mail message.

The number of such attacks, which frequently start in e-mail in-boxes, grew by an monthly average of 24% from August to December of last year, resulting in 1,707 attacks in December, according to the Anti-Phishing Working Group.

Using information gathered in the Phish Report Network, web sites and ISPs like Microsoft can take steps to thwart future attacks, such as configuring their e-mail gateways to block phishing e-mails.

“Phishing is the fastest-growing segment of spam being sent worldwide today, victimizing both legitimate online companies whose brands are being hijacked and consumers who are unwittingly providing their personal information to criminals,” said Ryan Hamlin, general manager of the Safety Technology and Strategy Group at Microsoft. “The data that the Phish Report Network will provide can help Microsoft immediately better defend our millions of users worldwide against these phishing attacks.”

Howard Schmidt, chief security strategist for eBay and its payments unit, PayPal, said the Phish Report Network is one of several steps eBay is taking to increase e-commerce security. “As we co-develop technologies, educate online users and work with law enforcement, we can help significantly reduce the effect of cyber criminals,” he said.