At first glance, it’s quite inspiring. The Anti-Phishing Working Group crowns itself “The global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types.”
The list of sponsors includes ~~addicts~~ companies we admire for their work in other areas, like eBay, Visa, Mastercard and Microsoft, along with a laundry list of great, near-great and questionable security outfits.
APWG’s membership claim is equally impressive:
- 1900+ members
- 1300+ companies & agencies worldwide
- 8 of the top 10 US banks
- 4 of the top 5 US ISPs
- Hundreds of technology vendors
- National & provincial law enforcement worldwide
From what we’ve seen to date, the club busies itself counting phishing attacks, wagging its finger, counseling both Pre- and Post-Phishing Victims, pointing the afflicted to its Vendor-Member Curatives, cluck-clucking about the General State of Things, and patting itself on the back whenever a positive butterfly takes wing across the WorldWide Web.
Amidst the fluttering and clucking, we missed the admonishments instructing its phish-sensitive members, like eBay, banks, eBay, credit card companies and eBay, to send customers strictly plain text messages free of clickable links. Why?
Because they apparently weren’t circulated. Many members of the APWG are addicted to HTML-infested messaging. They love the pretty pictures, hidden counters, enhanced response rates, and masking of poor advertising copy. They just can’t get enough.
Encouraging these addicts are the Enabler-Member-Sponsors: “Don’t you worry. We’ll sort it out.”
Never mind that victims are being fleeced while the addicts and enablers sort it out. Price of Progress, and all that rot.
Meanwhile, savvy network managers worldwide are setting filters to disable the counters, webbugs and suspicious HTML infesting their email systems, often rendering the messages unreadable. This leaves legitimate e-marketers trolling in the ever-shrinking pool of unprotected prospects.
When the APWG tells its members not to send HTML email, we’ll believe it’s serious about solving E-Crime. Until then, the way we see it, the APWG is just enabling a bunch of addicts.
1 comment
November 2nd, 2005 at 4:07 pm
Ian G
I am told that the APWG does work hard to spread the information. But unfortunately, I have to agree that it remains infected with suppliers and purchasers and that salivating market place destroys any chance of good information being supplied.
For my money, you’ll find much better information [than that provided by APWG] over at the anti-fraud-coffee-room:
http://wiki.cacert.org/wiki/AntiFraudCoffeeRoom
There, we collect serious researchers together and battle out each other’s proposals. It’s an open forum, and commercial activity is treated rudely; which means that the participants are focused on protecting users, not phishing their wallets.
Ian G
Financial Cryptography
www.financialcryptography.com