In-Depth

Web Caller-ID Arrests Spoof Sites

New technology in a user-friendly toolbar intercepts users from visiting such sites

• By Mathew Schwartz
• 08/18/2004

So-called phishing attacks involve HTML e-mails or Web sites masquerading as well-known sites in order to steal personal information from consumers. The result is often identity theft.

One way to block phishing attacks: pre-scan each Web page a consumer visits for fraud. The latest tool to use this approach is the eBay Web browser toolbar, which is free. While the toolbar offers eBay-oriented auction alerts, search, and tracking, it also guards against fraudulent Web sites, a feature eBay dubs Account Guard. “Given the increasing intensity of phishing attacks, it becomes imperative to detect and block previously unknown sites via browser-based solutions like toolbars,” notes Howard Schmidt, chief information security officer of San Jose, Calif.-based eBay Inc., and the former White House cybersecurity czar.

According to Gartner Group, over 1.4 million people have been victims of identity theft, with banks paying $1.2 billion over the past year to cover the losses. In the past year, 57 million people think they’ve received a phishing e-mail, and 19 percent report clicking on at least one of those e-mail’s links.

The anti-phishing technology used by eBay is Web Caller-ID, from Austin, Texas-based Wholesecurity Inc. The toolbar has two anti-phishing components: “the ability to detect the fake Web site at some point, and then to prevent users from going there,” says Scott Olson, senior vice president of marketing at WholeSecurity. The company also produces technology—in use by eBay—to scan users’ e-mail for phishing attacks.

eBay first began testing the Wholesecurity technology, using a blacklist, in September 2003. In February 2004, it began testing the toolbar’s dynamic spoof-site detection technology, which updates the list of spoof sites—used by every toolbar—with every new site it finds. Then in March, eBay began beta testing a toolbar with the technology, finally making an updated eBay toolbar available for general release in June 2004.

Here’s how Web Caller-ID works. First, it intercepts a Web page, which it tests for spoof-site risk factors, including the URL, the depth of the Web site, and whether the domain name was recently registered. Then the page gets scored, and if it fails, a report gets sent to toolbar customers—such as eBay—immediately.

“In production environments over the past year, Web Caller-ID has consistently identified over 98 percent of spoof Web sites,” says Olson. On the false-positive front, “it’s a fraction of a percent, and most of the false positives are related to marketing partnerships,” he says. For example, a Web site hosted by a marketing firm but with another company’s branding might trip alarms. Since customers get immediate reports about any blocked sites, however, should a false positive occur, he says customers can immediately clear them up.

For end users attempting to access a known spoof-site, or a site the toolbar determines to be a spoof, the eBay toolbar immediately turns red, with the words “Potential Spoof Site.” The toolbar also opens a dialog box above the browser. “One of the design philosophies we had … was for this to be in addition to the browser, as opposed to something that was in the same window, because all the spoof sites we’ve seen have the same logos and windows, and anything can be spoofed,” says JT Keating, vice president of product marketing at WholeSecurity. Having a dialog box pop up over the Web page shows users it’s not part of the spoof site, and also makes them choose one of three options before they can resume: close the browser, report the site, or visit the site anyway. “The user cannot interact with any part of the browser until they make these decisions,” he says.

While users can report the potential spoof site, customers (such as eBay) automatically get such information from WholeSecurity anyway. Far from being a placebo, however, the “report a site feature” accomplishes two things. First, users expect a way to report a spoof site; just the presence of the feature—whether or not it does anything—makes them comfortable. (Think of the “close door” button in an elevator.) Second, the feature ensures user feedback—“I found a spoof site”—uses an appropriate channel. In other words, eBay doesn’t get deluged by e-mails and phone calls.

The Web Caller-ID name bears a remarkable resemblance to a current trusted-sender and anti-spam initiative: Caller-ID for E-mail. The Caller-ID profusion shouldn’t cause confusion, says Keating; they’re actually closely related. “The primary people who have been out talking about the concept of Caller ID for some time … their big vision was to authenticate the sender and the site.” In other words, authenticating not only e-mail senders but also Web sites can cut down on both spam and phishing attacks. “We’re working on the authenticate-the-site equation,” notes Keating.

Related Articles:

Digital Certificates Secure Web Services, Mobile Communications
http://www.esj.com/security/article.asp?EditorialsID=1079

IT Turns to SMTP-Level E-mail Blocking
http://esj.com/security/article.asp?EditorialsID=1041

Heading Off Phishing Attacks
http://www.esj.com/security/article.asp?EditorialsID=1035