MasterCard Goes Fishing For Phishers

It will partner with NameProtect to receive real-time reports of phishing attacks and other scams, then pass the information to law-enforcement agencies.

Thomas Claburn, Editor at Large, Enterprise Mobility

June 22, 2004

4 Min Read

MasterCard International Inc. and digital-fraud-detection firm NameProtect Inc. have joined to fight illegal online activities, principally "phishing" schemes and the online trading of stolen credit-card numbers.

The partnership marks a more-active approach to addressing online fraud. MasterCard will use NameProtect's technology to detect online scams as they unfold and, in conjunction with law-enforcement organizations, shut them down before significant losses can occur.

"The new threat that we are particularly addressing here is the cyberattack, involving phishing, identity theft, and so on," Sergio Pinon, senior VP of MasterCard Global Security & Risk Services, said on a media conference call Tuesday. "We want to insure that the trust remains between our consumers and the financial-payment system."

At the moment, there's ample reason to be wary. Gartner estimates that 57 million Americans have received phishing E-mails in the past year. During two weeks in December 2003, 60 million phishing messages were sent, according to the Anti-Phishing Working Group, an organization to which both MasterCard and NameProtect belong. Identity theft has been the No. 1 consumer complaint for the past four years, according to the Federal Trade Commission.

Pinon noted that it takes eight days from the establishment of a Web address to the time that a phishing attack can be launched using that address. "In order for this to be effective, we have to be able to monitor online phishing attacks, trading of account numbers, identity theft, and so on, on a 24/7 basis," Pinon said.

NameProtect is now monitoring domain names, Web pages, images, auctions, chat forums, spam, and other online formats to identify online fraud. It sends real-time reports to MasterCard, accessible through a Web portal. Within four hours, MasterCard is able inform its 25,000 member financial institutions worldwide of online attacks, using its MasterCard Alerts service.

MasterCard also will be going after Web sites that offer how-to information to those interested in committing fraud, with the help of the United States Secret Service, the Federal Bureau of Investigation, the U.S. Postal Service, and Interpol.

To date, MasterCard can provide no specific instances of sites shut down during the trial portion of this program, which ran from April through June. "We have passed the information on to the affected parties," said Pinon, "and I am sure, having that information in hand, that they have taken the steps."

With regard to domains that masquerade as sanctioned MasterCard sites, Mark McLane, CEO of NameProtect, said that his company has already helped MasterCard shut down a number of such sites, but declined to provide further details.

It's the details that may prove problematic. Gartner VP and research director Avivah Litan says it's not easy to shut down a Web site, especially if it's some country where the U.S. and European Union don't have a lot of pull. "Once you catch them, you can't necessarily stop them," she says. "It's like trying to catch a cockroach."

Still, she says, "It's a practical solution. It's not a slam dunk."

Pavni Diwanji, CEO and founder of anti-spam vendor MailFrontier Inc., echoes the concerns expressed by Litan. While she says she's glad a company as big as MasterCard is trying to deal with this, she cautions that these phishing messages and scam sites don't have to be around for very long to do damage. Often, she says, scammers themselves will take phishing sites down after only a few hours. That's because phishing campaigns can bring in credit-card information in a matter of minutes. Beyond alerting banks, she says, "We have to protect the victims in a timely manner, too."

Andy Klein, anti-fraud product manager at MailFrontier, offers an example of how sophisticated phishers have become: They do market research to determine who's vulnerable to their scams. To identify who might be likely to open mail purporting to be from a certain bank, phishers recently sent a trial E-mail with a Web bug--a link to a graphic file stored on a remote server, used to measure whether or not the message was opened. Receptive recipients were subsequently targeted with a phishing E-mail.

MailFrontier's Phishing Index for May 2004 shows one out of 10 people were duped into following the link provided in phishing E-mail--this despite the fact that the message had been quarantined and labeled suspicious. A May 2004 Gartner report found that 3% of a projected 57 million who believed they had received a phishing E-mail clicked on the links to spoofed Web sites and submitted personal and financial data. Certainly, there's a need for user education.

"This is absolutely a step in the right direction," Diwanji says of the MasterCard initiative. "Is it enough? No."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights