New sites let users find and report phishing

Security vendors are launching two Web sites aimed at helping people report and avoid phishing attacks. The Phishing Incident Reporting and Termination Squad (PIRT) is as a volunteer effort designed to take down phishing sites, while CipherTrust's PhishRegistry.org site, due to be launched on Tuesday, will be a service designed to warn legitimate Web sites when they are being spoofed by phishers.

The PIRT site is looking for volunteers so it can report on new phishing scams and get in touch with authorities to have the Web sites in question taken down as quickly as possible.

"It's the first public takedown community we know of, and we hope to start nailing these sites," the site's founders said in a statement. PIRT is being managed by antispyware vendor Sunbelt Software and Computer Cops, owners of the CastleCops online security network.

The second effort, backed by security vendor CipherTrust, is a free online notification service where companies can register their Web sites and then be notified whenever CipherTrust's sensors detect that legitimate Web pages are being spoofed by phishers.

Phishregistry.org will use the same "Phisherprinting" algorithms used by the company's CipherTrust Radar service to determine whether a site is being spoofed, said Paul Judge, the company's chief technology officer. "This is an effort to allow a broader set of organizations to benefit from this monitoring."

These two new Web sites represent a growing movement to fight back against the phishers, who send unsolicited e-mail directing users to phony Web sites, all in the hopes of tricking them into revealing sensitive information.

Last week, Microsoft pledged to bring about 100 legal actions against phishers in Europe, the Middle East and Africa (EMEA) over the next few months. Organizations such as the Anti-Phishing Working Group (http://www.antiphishing.org/) and Digital PhishNet (http://www.digitalphishnet.org/) already have been formed to combat this growing problem.

According to a poll of 600 business users conducted by security firm Sophos PLC last month, 22 percent of users receive at least five phishing e-mail messages every day.

That's clearly too much, according to Andrew Jaquith, senior analyst with Yankee Group Research. "Users are mad, and damn it, they're not going to take it anymore," he said.