Online Merchants Can Block Phishing Attacks for Good. Really.

Last month, Web-security firm MessageLabs said that for the first time ever it had recorded more e-mails bearing phishing attacks than those containing viruses or other malware.

January’s MessageLabs Intelligence Report also found that phishing attacks were becoming more sophisticated, a trend it attributed to the growing number of online merchants and sites that require more than a login and password to access an account.

“We are seeing phishing attacks increase in sophistication and ability to evade many preventative technologies,” said Mark Sunner, MessageLabs’s chief security analyst. “Cybercriminals continue to seek new and more subversive means to launch their attacks.”

Sunner said one out of every 93.2 e-mails, or about 1 percent of all e-mail traffic traced in January, bore evidence of some form of phishing attack.

Gone Phishing

Already, 2007 is shaping up to be a year in which the e-commerce sector in particular takes aim at phishing and subsequent identity theft.

eBay and PayPal, two favorite targets of phishing attacks, have pledged stepped-up security efforts, with PayPal offering pass code generators that it says will foil attempts by third parties to access user accounts.

Meanwhile, various law enforcement agencies have stepped up their pursuit of criminals who use e-mail to perpetrate attacks, using the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003 to bring federal prosecutions in some cases.

Billions Lost in ’06

Though consumer education has helped explain the risks involved when Web surfers provide account information, phishers have become increasingly adept at creating fake e-mails and spoofed Web sites that are so convincing they can fool even the most experienced Internet surfer.

Indeed, the stakes are high for consumers and criminals alike. A report by Gartner found that the average identity theft victim suffered losses of US$1,000 and that high-income individuals, a favorite target of phishers, lost more than $4,300 in each attack.

All told, Gartner pegged phishing-related financial losses at more than $2.8 billion for 2006.

While many banks and online services are starting to put measures in place to prevent such losses, cybercriminals will continue to seek new avenues for their attacks, Gartner Vice President Avivah Litan predicted.

“Cybercriminals are starting to shift away from attacking online banks directly, and they are leveraging less conventional brands and/or using hard to detect social engineering methods to reap financial gains,” Litan told the E-Commerce Times.

“Countermeasures such as phishing detection and take-down services deployed by banks, Internet service providers and other service providers are obviously not sufficiently widespread or effective,” she added.

No Phishing Allowed

Meanwhile, the security industry continues to seek ways to get a step ahead of identity thieves. Reflexion Networks, a Boston-based e-mail security firm serving businesses and ISPs, uses an address-based e-mail security approach that could have wider applications in the battle against phishing.

The sheer number of “[phishing] incidents tends to erode public confidence in e-mail, which has serious consequences,” Reflexion CEO David Hughes told the E-Commerce Times. “People are more and more automatically deleting messaging from leading brands. People’s first inclination is just to hit the delete button.”

Reflexion’s approach uses what Hughes says is analogous to e-mail PINs (personal identification numbers), in which a user creates an e-mail address that includes a component known only to the recipient and the party to which it has been disclosed.

For instance, the user can create an alphanumeric address that is given only to eBay, PayPal or a bank. Any e-mail that purports to be from that merchant but arrives at a different address can then be flagged immediately; because the alias is an arbitrary string, the space of valid “to” and “from” pairs is far too large to guess.

Under this scheme, a phisher would be unlikely to know the correct address. The protection rests entirely on keeping the alias secret: a “from” address on its own is trivially forged, so an alias that is exposed, for instance in a breach at the merchant that holds it, has to be retired and replaced.

For Reflexion users, all qualified e-mails are placed in a common inbox. Users are also given a software-based dashboard that provides a view of e-mails that have been blocked.

Regaining ‘E-mail Confidence’

Beyond the Reflexion user base — it targets large, mid-sized and small businesses — the same technology could be used by merchants directly in order to give their consumers a higher level of confidence in their e-mail correspondence.

Any vendor “could give its customers the opportunity to define an e-mail PIN and the merchant could include that PIN in the ‘from’ address every time they communicate,” Hughes said.

For the scheme to work effectively, users must be willing to define and manage additional e-mail addresses; however, Hughes believes consumers would adapt.
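To make the pairing check concrete, here is an added example (not Reflexion’s code; the class and function names are this editor’s, and every address and message is constructed) that implements both variants described above: the recipient-side alias, where the secret lives in the “to” address, and the merchant-side PIN Hughes describes, where the secret rides in the “from” address. It also shows the cases a practitioner cares about: a look-alike domain, a suffix trick, mail sent to the public address, a guessed alias, and retiring a leaked alias.

```python
"""Added example: per-sender e-mail aliases ("e-mail PINs").
A message is trusted only when the address it was sent TO is the secret alias
that was disclosed to the party it claims to be FROM. Illustrative code, not
Reflexion's product; all addresses and messages below are constructed."""
from __future__ import annotations

import secrets
from email import message_from_string
from email.utils import parseaddr


def _addr(header_value: str | None) -> str:
    """Strip the display name and normalise case: 'PayPal <X@Y>' -> 'x@y'."""
    return parseaddr(header_value or "")[1].lower()


class AliasRegistry:
    def __init__(self, public_mailbox: str):
        self.public = public_mailbox.lower()   # the address everyone knows
        self._aliases: dict[str, str] = {}     # alias -> sender domain it was given to
        self._revoked: set[str] = set()

    def register(self, alias: str, sender_domain: str) -> None:
        self._aliases[alias.lower()] = sender_domain.lower()

    def issue(self, sender_domain: str) -> str:
        """Mint an unguessable alias for one sender: 64 random bits in the
        local part, so valid (to, from) pairs cannot be enumerated."""
        local, _, domain = self.public.partition("@")
        alias = f"{local}.{secrets.token_hex(8)}@{domain}"
        self.register(alias, sender_domain)
        return alias

    def revoke(self, alias: str) -> None:
        """Retire an alias once it has leaked, e.g. in a merchant breach."""
        self._revoked.add(alias.lower())

    def classify(self, raw_message: str) -> tuple[str, str]:
        """Return ('trusted' | 'blocked', reason) for one RFC 822 message."""
        msg = message_from_string(raw_message)
        to_addr, from_addr = _addr(msg.get("To")), _addr(msg.get("From"))
        from_domain = from_addr.rpartition("@")[2]
        if to_addr in self._revoked:
            return "blocked", "alias revoked"
        expected = self._aliases.get(to_addr)
        if expected is None:
            # Sent to the public address or to a guessed alias: no party was
            # ever given this address, so no brand can be speaking through it.
            return "blocked", "no alias issued for recipient address"
        # Accept the sender's own domain and its subdomains (e.paypal.com) but
        # not look-alikes (paypa1.com) or suffix tricks (paypal.com.evil.example).
        if from_domain != expected and not from_domain.endswith("." + expected):
            # Correct alias, wrong sender: the alias leaked or From is forged.
            return "blocked", f"alias belongs to {expected}, From claims {from_domain}"
        return "trusted", f"to/from pair matches alias issued to {expected}"


def sender_carries_pin(raw_message: str, merchant_domain: str, pin: str) -> bool:
    """Merchant-side variant: the customer's PIN rides in the From address
    ('notices+<pin>@merchant.example') rather than in the To address."""
    from_addr = _addr(message_from_string(raw_message).get("From"))
    local, _, domain = from_addr.rpartition("@")
    return domain == merchant_domain.lower() and local.partition("+")[2] == pin.lower()


# Constructed sample traffic (not real messages). ALIAS stands in for the
# random value issue() would mint; it was "given" only to paypal.com.
ALIAS = "alice.7f3a9c21d4e6b805@example.net"
SAMPLES = {
    "legitimate": f"From: PayPal <service@paypal.com>\nTo: {ALIAS}\nSubject: Receipt\n\nThanks.\n",
    "subdomain_sender": f"From: noreply@e.paypal.com\nTo: {ALIAS}\nSubject: Receipt\n\nThanks.\n",
    "lookalike_domain": f"From: PayPal <security@paypa1.com>\nTo: {ALIAS}\nSubject: Verify now\n\nClick here.\n",
    "suffix_trick": f"From: PayPal <alerts@paypal.com.evil.example>\nTo: {ALIAS}\nSubject: Verify\n\nClick.\n",
    "public_address": "From: PayPal <service@paypal.com>\nTo: alice@example.net\nSubject: Verify\n\nClick.\n",
    "guessed_alias": "From: PayPal <service@paypal.com>\nTo: alice.0000000000000000@example.net\nSubject: Verify\n\nClick.\n",
}


def demo() -> dict[str, str]:
    """Classify every sample; returns {label: verdict}."""
    reg = AliasRegistry("alice@example.net")
    reg.register(ALIAS, "paypal.com")
    return {label: reg.classify(raw)[0] for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:18s} {verdict}")
```

Note what the check does and does not buy: the first four samples all carry a plausible PayPal display name, and only the pair of addresses separates them. Once an alias is known to a third party the filter can no longer tell the merchant from the impostor, which is why `revoke` exists and why the alias, not the From header, is the secret to guard.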

“There was a time when ATM cards were new and there were a lot of questions about whether the public would use them,” he said. “Now, everybody is accustomed to the concept. Our subscribers say [Reflexion is] very intuitive for them and gives them more confidence the messages they are receiving are really from the merchants and partners they trust.”

That is an important issue, as Gartner’s Litan explained that more users are deleting e-mail messages without reading them in order to protect themselves. “The traditional approaches aren’t working,” she said.
