Leading Companies Banding Together to Fight Phishing

Today begins a coordinated effort by fifteen of the leading email service and technology providers including AOL, Bank of America, Facebook, Google, LinkedIn, Fidelity Investments, Microsoft, PayPal and Yahoo to reduce phishing emails and spam.

According to a press release by DMARC.org (DMARC stands for Domain-based Message Authentication, Reporting & Conformance), this group of companies and others has spent the past 18 months developing an email authentication framework that builds on the existing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards.

The press release states that:

"The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted email ecosystem. Today, email receivers lack a reliable way to know the extent to which an email sender uses standards like SPF and DKIM for authenticating their messages. As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer."

"By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure. For example, a sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks. The specification also creates a mechanism for email providers to send detailed reports back to email senders to help catch any gaps in the authentication system. This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts."

According to a story in the Wall Street Journal, PayPal has been using email authentication technologies since 2007, and is now blocking some 200 000 phishing-type emails a day.

By using the DMARC standard, a company could send an email to a customer with a link embedded in it, and the customer could actually trust that clicking on the link won't send them to a malware site. Currently, companies (especially banks such as Bank of America) tell customers that they don't send emails with such embedded links, and never to click on them.

The press release goes on to say that DMARC.org intends to submit its authentication framework to the Internet Engineering Task Force (IETF) for standardization after further field testing.

DMARC.org obviously hopes that other email senders will sign up to the standard, which will make it increasingly hard for phishers and spammers to operate. However, it will take a while before a critical mass is reached, and it may take some time for email recipients to begin trusting links in company emails even if the DMARC standard takes off. I, for one, will still be highly suspicious of any email I get from a company telling me to click on a link, DMARC standard or not.

The WSJ story also points out that even if every email sender were to follow the standard, it won't totally eliminate email fraud. However, "it will mean that scammers [will] need to find new addresses with which to launch their attacks. Instead of crafting an email that looks like it comes from paypal.com, for instance, it would need to come from 'paypalpayments.com' or some other fake site."

Forcing spammers and phishers in that direction will also make it easier for search engines to detect them. However, I suspect what will also happen is that spammers and phishers will start using the good old-fashioned telephone more to try to find victims.
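The receiver-side check the press release describes (authenticate with SPF or DKIM, then apply the policy the sender published), together with the WSJ's point that a message claiming to be from the real domain fails while a lookalike domain with no policy is left to the receiver's own heuristics, as an added Python example that is not from the article or from DMARC.org. It assumes a constructed dictionary in place of DNS, `.example` placeholder domains, and a simplified organizational-domain rule (last two labels, where real receivers consult the Public Suffix List).

```python
# Added example: a receiver-side DMARC check (not from the article or DMARC.org).
# DNS_TXT is a constructed stand-in for _dmarc TXT lookups; domains are .example placeholders.
DNS_TXT = {
    "_dmarc.paypal.example": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@paypal.example",
    # paypalpayments.example (the lookalike) publishes no DMARC record at all.
}

def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def lookup_policy(from_domain):
    """Policy for the From-header domain, falling back to its organizational domain."""
    for candidate in (from_domain, org_domain(from_domain)):
        tags = parse_dmarc_record(DNS_TXT.get("_dmarc." + candidate, ""))
        if tags:
            return tags
    return None

def evaluate(from_domain, spf_pass_domain, dkim_pass_domains):
    """Return (dmarc_pass, disposition) for one message.
    spf_pass_domain:   domain SPF authenticated (MAIL FROM), or None if SPF did not pass
    dkim_pass_domains: d= domains of DKIM signatures that verified
    disposition:       'none' | 'quarantine' | 'reject', or 'no-policy' when the sender
                       published nothing and the receiver is back to its own heuristics
    """
    policy = lookup_policy(from_domain)
    if policy is None:
        return False, "no-policy"
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r")) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return True, "none"          # authenticated and aligned: deliver normally
    return False, policy.get("p", "none")  # sender's requested action for unauthenticated mail
```

The `rua=` tag is where the report-back mechanism the press release mentions hooks in: receivers send aggregate results for all three cases above to that address, which is how a sender learns about gaps in its own SPF/DKIM deployment.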

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones