Don't take the bait!

Phishing is the attempt to trick people into revealing valuable personal information online, such as credit card numbers, passwords, and other account information. Operating since the mid-1990s, phishers send out hundreds of thousands, if not millions, of fraudulent e‑mail messages in the hopes of ensnaring a few unsuspecting victims.

The scam begins when you receive an e‑mail message that appears to come from a trusted, legitimate company—typically eBay, PayPal, Amazon.com, or a well-known bank. The message often describes an urgent issue affecting your account. When you click the provided link, you're taken to what appears to be an official company site—which is actually a phony or "spoofed" site belonging to the con artists—and presented with a form to enter your personal data.

Even if you don't divulge your personal information, the mere act of visiting the spoofed site can be dangerous. The site might try to install malicious software (or malware) onto your computer, including keyloggers and Trojan horses that allow the bad guys to get what they want in other ways.

Many times I am told by victims of phishing that they were surprised by just how "real" phishing looks. Just last week I overheard a finance manager justify clicking on a phishing link by saying "But they sent me a bill—what was I supposed to do?" Let's examine a phishing e‑mail message I received just the other day so that you can see just how real this stuff can look. I chose this particular message because the service in question, eBay, has taken extra steps to protect us from such shenanigans, as you'll see later in this column.

This e‑mail message I received looks like the real thing—but it's a fake

In this example, the sender e‑mail address appears legitimate and the entire message looks like it could be the real thing. I haven't sold anything on eBay for a while, but how I can be sure that someone hasn't broken into my account or that there hasn't been some sort of mistake?

Let's look closely at something suspicious: the link provided in the message. When I move the mouse pointer over the Respond Now button, a URL (website address) appears in the status bar at the bottom of the message (in some e‑mail programs, the URL is revealed by a pop-up box). Now, it just so happens that the IP address shown in the URL, 83.234.183.44, belongs to a server in Samara, Russia, even though the message purports to be from eBay in the United States. That's a strong clue that this isn't really from eBay. In addition, most legitimate websites don't use IP addresses in the first part of the URL—another warning sign.

If you deal regularly with an online merchant or bank, I encourage you to learn about its e‑mail policies so that you can better identify phishing messages. For example, eBay never asks for personal information via e‑mail (see the spoof e‑mail tutorial on eBay's website). For more tips on spotting phishing e‑mail, visit Recognizing phishing scams and fraudulent e‑mail on the Microsoft website.

I want to show you what happens in Internet Explorer 7 if you click a link in a phishing message, so I'm going to click the Respond Now button in the fake eBay message. (Warning: Please don't be tempted to copy this experiment with phishing e‑mail you receive. The computer I am using has state-of-the-art antivirus and anti-malware protection, and it's a "disposable" system—I won't lose anything if something goes wrong and I have to reformat it.)

When I click the button, Internet Explorer immediately warns me that I'm visiting a reported phishing website, and the Address bar turns red. That's Phishing Filter in action. New in Internet Explorer 7, Phishing Filter automatically blocks access to known bad sites, and alerts you when you visit suspicious sites. More on how it works in a moment.

If you see this page, please, heed the warning!

Bearing in mind that I'm using a very well-protected computer, that this is all in the interest of science, and that it really doesn't matter if the computer turns into a quivering pile of ash, I'm going to click "Continue to this website (not recommended)." Internet Explorer opens the phishing site, which turns out to be a remarkably good copy of eBay's sign-in page. Every single hyperlink on the page points to a legitimate eBay page. There is even a TRUSTe site privacy statement logo. The one and only purpose of this fake page is to record every eBay user ID and password entered.

Take away the red Address bar and what do we have? A nearly perfect copy of an eBay page

I've come this far—I may as well see this through to the end. I enter a fake user ID and password (anything will be accepted) and click the Sign In Securely button. Deviously, I'm whisked away to the real eBay site.

How clever—now that the bad guys have my user name and password, they happily shunt me off to the real eBay site. End of phish.

There are often clues at phishing sites that can warn visitors that something might be wrong, but they are sometimes subtle and require some experience to spot. Phishing Filter in Internet Explorer 7 can help protect us by using strong visual cues to warn us about dangerous sites.

Phishing Filter, when enabled, helps detect phishing sites through a combination of real-time analysis and comparisons with lists of known safe and unsafe sites. Here's how it works.

• Safe sites list. As you surf to a website, the first thing Phishing Filter does is check a "safe sites" list that's stored locally on your computer. The list is made up of the highest-traffic websites in major markets around the world, as identified by sources such as Nielsen NetRatings and internal Microsoft data. If the URL is on that list, Phishing Filter does nothing more, and Internet Explorer opens the site. The safe sites list is kept up to date through Windows Update.

• Phishing sites list. If a website isn't in the safe sites list or in a local cache of previously checked sites, it's checked against the Microsoft URL Reputation Service, the backbone of Phishing Filter. This service includes a list of known phishing sites, updated at least hourly with reports from non-Microsoft data providers and from ordinary users. If the URL is on the list, Internet Explorer blocks access to the site, displays a warning webpage, and turns the Address bar red.

• Real-time analysis. If a website isn't identified as a safe site or a phishing site, and it isn't in your "Trusted sites" security zone or in a local intranet zone, Phishing Filter analyzes the site using heuristics, checking to see whether the site has characteristics common to phishing websites. If the site is suspicious, Internet Explorer displays a warning and turns the Address bar yellow. However, it doesn't block access to the site.

Danger! Proceed with caution! Possible bad guys ahead!

Phishing Filter is built into Internet Explorer 7, but automatic checking (comparing websites you visit to the list of known phishing sites) isn't turned on by default. Unless you enable automatic checking the first time that you run Internet Explorer 7, Phishing Filter is silent until you visit a site that isn't on the safe sites list. Even then, you must give your specific permission before Internet Explorer will transmit URL data. (For more information about Phishing Filter and privacy, see the "Phishing Filter" section of the privacy statement for Internet Explorer 7 on the Microsoft website.)

It's a good idea to let Phishing Filter check websites automatically

You can turn Phishing Filter on or off at any time. On the Tools menu, click Phishing Filter, and then click Turn On (or Off) Automatic Website Checking. Click the option you want, and then click OK.

If you prefer to turn off automatic checking, you can still check websites on a case-by-case basis. Click the Phishing Filter icon on the status bar, and then click Check This Website.

A good part of the success of Phishing Filter comes from the participation of millions of Internet Explorer 7 users, who can report suspected phishing sites directly to Microsoft. Each reported site is checked by a human being and, if found to be a phishing site, is added to the URL Reputation Service within hours.

To report a suspected phishing site to Microsoft, click the Tools menu, click Phishing Filter, and then click Report This Website. A new browser window will open; follow the instructions on the page to submit the URL. You can use this same method to report websites that you think have been incorrectly blocked or flagged as suspicious.

Report suspecting phishing sites—it feels good to score a win against the crooks

To give you an idea of just how great the impact of user reports can be, let's have a look at some statistics. Starting in June 2006, before Internet Explorer 7 was released to the public, about 6,000 confirmed phishing sites were being added to the URL Reputation Service per month. Internet Explorer 7 was released to the public in October 2006, and by January 2007 had been installed more than 100 million times. By March 2007, the number of confirmed phishing sites being added to the URL Reputation Service had increased to 10,000 phishing sites per week.

High-profile financial sites such as eBay, Paypal, and the larger banks remain the most popular phishing targets, although phishers are also attacking non-financial websites, including social networking sites and web-based e‑mail providers. It isn't possible to find and block all of the phishing sites out there, but individual sites can now prove their bona fides through an industry-wide initiative called Extended Validation SSL (Secure Socket Layer) certificates, or EV certificates.

EV certificates are issued to a website only after the site owner passes rigorous checks of its legal identity and business licensing. Therefore, when you visit a site with an EV certificate, you can be sure that it's a legitimate website with a real business behind it. Internet Explorer 7 lets you know you're at a website with an EV certificate by turning the Address bar green. In addition, the right side of the Address bar alternates between displaying the name of the legal entity controlling the website and the name of the certifying authority.

Just like traffic lights, green means we're good to go

Several major sites have started using EV certificates on their sign-in pages, including eBay, PayPal, SecureTrust, and GoDaddy. For more information, see the Extended Validation SSL Certificates page on the Microsoft website.

I believe that phishing will eventually die away as the effectiveness of Phishing Filter continues to improve, as the number of people reporting phishing sites continues to increase, and as more and more sites obtain Extended Validation certificates to prove their identities to visitors. The bad guys won't go away, and will undoubtedly try new tricks, but it's no longer so easy for them to take advantage of unwary users.

About the author

Sandi Hardmeier is a Microsoft MVP specializing in Internet Explorer, Outlook Express, and Windows Mail. She is the IT coordinator for a mid-sized law firm, as well as the creator of www.ie-vista.com, the first dedicated Internet Explorer 7 support site to go live on the Internet.

Have a comment for this columnist? Enter your feedback using the tool below. (You'll see the comment box after you click one of the buttons.) Note that although the columnist will read your feedback, personal replies are not possible due to the volume of feedback received.