Sarah D. Scalet
Senior Editor

Killing Phish

Feb 14, 2005

If you're counting on education and awareness to protect your customers against phishing scams, you're wasting your time. Phishing artists have already moved on to increasingly sophisticated schemes for which customer education won't do squat. They're using worms, spyware and domain name hijacking to redirect users from legitimate sites to bogus ones without the user's knowledge.

It's a desperate situation that calls for desperate measures: a take-down strategy that reduces the window of exposure by getting a bogus site shut down as quickly as possible. Any company that's a target for phishing scams (basically, any company that gathers financial information online) should have one.

Reactionary? Sure. But these are the times in which we live.

And so, in a sort of Valentine to you, dear reader, this week instead of my normal grousing, I offer up a straightforward three-point plan on how to kill phish. The advice comes compliments of Dave Jevans, the ever-present chairman of the Anti-Phishing Working Group.

If you do nothing, Jevans warns, any given phishing site is likely to stay up for one to three weeks, harvesting customer details and causing your help desk and fraud department endless agony. But if you react quickly, you just might be able to get the site shut down in days or (if you're really lucky) even hours. Here's how.

Step 1. Know when a phishing attack has occurred. This is the easy part. As soon as a phishing e-mail goes out, you'll probably start getting deluged with bounce-back e-mails and calls from wary customers. Gather all the details about the attack that you can. Most important: What's the IP address of the offending website, and who's hosting it?

Step 2. Call the ISP. Contact the ISP by phone or e-mail, explain the situation and ask that the site be shut down. "If you have a good relationship with the ISP, you can get the site down in a matter of hours," Jevans says. Sometimes. Other times you won't be so lucky. Seventy percent of phishing sites are hosted outside of the United States, so you may need a translator. You also may need to do some delicate negotiations to convince the ISP to throw the switch on a paying customer. If the representative hems and haws and says that policing the Internet is not his job, Jevans says, "Rattle a few sabers and threaten to call law enforcement." If that doesn't work, go to step three.

Step 3. Call law enforcement. This isn't necessarily the most effective way to get the site shut down quickly. The FBI and Secret Service are more concerned with patterns and big busts than individual ones, and until a customer has fallen for a scam and suffered damages, there may have been no law broken. Nevertheless, agents may be able to intervene on your behalf and call the offending ISP. The threat of subpoena alone may be enough to do the trick. And who knows, your case may be part of the bigger picture needed to shut down a given fraudster. (This has happened. Last May, a 20-year-old Texan was sentenced to almost four years in prison for phishing.)
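For Step 1, an added example (not part of the original column) of pulling the details an ISP will want out of a customer-reported phishing message: each linked URL, its host, the IP address, and whether the visible link text names a different host. The sample message and its addresses are constructed, `LinkCollector`, `takedown_evidence` and the `resolver` parameter are hypothetical names, and only the HTML body is read.

```python
import ipaddress
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample report; 203.0.113.7, example.com and .test are reserved documentation values.
SAMPLE = """\
From: "Example Bank" <service@example.com>
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<p>Please confirm at <a href="http://203.0.113.7/login/">https://www.example.com/login</a>
or read <a href="http://example-secure.test/verify">our help page</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def takedown_evidence(raw, resolver=None):
    """One record per link: URL, host, IP, and whether the visible text names another host."""
    body = message_from_string(raw, policy=policy.default).get_body(("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    records = []
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if not host:
            continue
        try:
            ip = str(ipaddress.ip_address(host))  # link already uses an IP literal
        except ValueError:
            ip = resolver(host) if resolver else None  # caller-supplied name lookup
        shown = urlsplit(text).hostname if "://" in text else None
        records.append({"url": href, "host": host, "ip": ip,
                        "mismatch": shown is not None and shown != host})
    return records
```

Pass `resolver=socket.gethostbyname` for a live lookup, then run a WHOIS query on the returned address to identify the hosting provider to contact in Step 2.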

Does all this sound like too much for your company? Then pay someone else to do it for you. The marketplace is brimming right now with companies that will do the dirty work. Cyota, Internet Identity, MarkMonitor, NameProtect and Watchfire all offer take-down services, and they also help monitor for domain name registrations similar to your own URL, which could signal a pending attack. Expect to hear more about these services in the coming months. "Lots of times people do the first few [take-downs] themselves," Jevans says. "As attacks ramp up, they go, 'Hey, instead of having someone working on this full-time, I could outsource it.'"

Don't get me wrong. Even the best take-down strategy won't solve the problem. It may just mean that phishers launch more attacks, more quickly. Long-term, Jevans is pinning his hopes on a new portal his group is developing where companies will be able to report bogus phishing sites, triggering a response by ISPs, spam block lists and Web filtering products. For now, though, the best you can do is try to chase fraudsters to an easier target.

What's your take-down strategy? Tell me by e-mailing