New Working Group Targets Scammers
The e-mail begins, “Dear Customer,” and purports to be from a major bank. The message explains how important it is to protect personal information online, particularly when unsavory characters install backdoors and keyloggers through viruses. But help is available, the message concludes, in the form of an attachment called “antikeylog2004.exe,” which is actually a Trojan horse program.
The message is one of many “phishing” scams (where e-mails purport to originate from legitimate sites) being collected by a new organization called the Anti-Phishing Working Group. The group was founded with seed money and technical expertise from information-security-software producer Tumbleweed Communications, but it is expected to grow into an independent organization.
Membership is open to qualified financial institutions, online retailers, law enforcement agencies, and IT vendors. Tumbleweed’s senior product marketing manager Dan Maier notes that while the group keeps its members’ identities confidential, three of the top Internet service providers and six of the top 10 commercial banks, as well as some major online retailers, are already members.
“Everyone agrees that one standard industry solution that’s based on open standards makes sense, but somebody needs to help pull everyone together,” Routh says. That’s the Anti-Phishing Working Group’s goal.
Maier explains that a common standard is important in part because e-mail spoofing (which allows scammers to make their message appear to originate from a bank or online retailer) is one of the problems that contribute to phishing. There are several competing proposed solutions to this problem, but “none of these solutions will work unless senders and receivers of messages broadly adopt them. To be effective, we need to agree on a common standard approach,” he says.
The working group’s first step toward finding a way to prevent such scams has been to collect information about them. It encourages those who have received fishy e-mails to forward them to the group via its Web site.
According to Jim Routh, Tumbleweed’s vice president of business development, suspect e-mails are examined by forensics experts who analyze attachments and look for clues to where the message originated. If the scam leads to a Web site, the examiners do a series of screen captures (to retain evidence if the site disappears).
But what to do with the information gathered is not yet clear, says Routh. Just alerting the legitimate companies is one step, but that’s been tough, in part because it’s been hard to find the right contact. “We’d put six, eight, ten calls into a bank to find out who’s in charge of responding to fraudulent acts, and we could rarely get a hold of the right folks,” he says.
The result of this effort has been to create “a roster of folks at the major financial institutions and e-commerce companies who were in charge of fraud prevention so that we could at least get in touch with them,” Routh explains. These people are told about the working group so that they may become members. “We have also been investigating a notification/alert system that would allow us to let these people know when phishing attacks occur, but that’s a future project,” Maier says.
So far, law enforcement is not part of this initiative. Though Routh says he’s had some discussions with some agencies, he thinks it’s better for the companies at risk to decide how to involve the authorities. “We don’t want to set a precedent for the group and find out that it doesn’t work for the banking community,” he says.
A paper available from the group discusses phishing in more detail and provides some preventive solutions, which include having e-banking sites use strong authentication methods such as smart cards or tokens.