Simply Security - News, Views, and Opinions from Trend Micro

Industry titans team up to fight phishing scams

Posted on March 5th, 2012 in Internet Safety by Simply Security

Google has joined 14 other companies in a campaign against phishing.


Google, Facebook, Bank of America and Microsoft are just a few of the companies that have enlisted in a new project designed to protect consumers and businesses from phishing and other email-based scams.

These companies join 11 others from the Internet and financial industries to rally behind the newly introduced Domain-based Message Authentication, Reporting and Conformance (DMARC) framework, a set of industry standards intended to prevent cybercriminals from spamming consumers with emails that look like they come from legitimate corporate domains.

Phishing has been a pervasive problem throughout the past decade or so. According to a 2011 study from Cisco, mass phishing has declined in recent years, but targeted attacks, which are often more detrimental, have increased in frequency.

In a mass phishing attack, millions of emails are sent to unsuspecting people. The large majority of these emails are picked up by spam blockers and are never seen by the recipient. However, those few that do get through can be damaging, often costing the victims hundreds or thousands of dollars.

In contrast, a targeted attack, as the name indicates, is much more deliberate in its victims, often directed at a specific user group, such as customers of the same bank or recipients on an email list. Before such an attack is launched, the aggressor will typically research information on its victims, pulling data from social networks and public forums to build a dossier of sorts, Cisco noted.

In a typical targeted or spearphishing attack, only 1,000 emails are sent out and only two people are affected, on average. However, the damage is severe, costing each victim as much as $80,000.

These are the types of attacks that the DMARC framework aims to address. Specifically, the standard will help email providers and other companies block domain-based phishing, in which a message comes from seemingly legitimate companies and websites.

“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole,” Brett McDowell, DMARC.org chair and senior manager of customer security initiatives at PayPal, said, according to technology news provider eWeek.

Interestingly, DMARC is not designed to identify whether or not a message is actually spam. Instead, it builds upon two other specifications that have already been developed, DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF).

As more companies get on board, the specification will create a loop of sorts, with organizations at both ends, the sender and the email service provider. Essentially, if Google receives an email that appears to be from PayPal, both ends would verify that the message is authenticated by DKIM and SPF, or it will not be delivered.
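To make the receiving-side check concrete, here is an added example (not code from this post, Trend Micro, or DMARC.org) of the decision a mail receiver makes under DMARC: it looks up the From domain's published policy, checks whether the SPF or DKIM result is both passing and aligned with that domain, and applies the policy's disposition when neither is. Record syntax and the strict/relaxed alignment rules follow RFC 7489; the DNS lookup is replaced by a constructed in-memory table of sample records for domains under `.test`, and the organizational-domain logic is a simplification that a real implementation would replace with the Public Suffix List.

```python
"""Simplified DMARC disposition logic (added illustration, not a reference implementation)."""
from dataclasses import dataclass

# Constructed sample DMARC TXT records, keyed by the From-header domain.
# A real receiver would fetch these via a DNS TXT query for _dmarc.<domain>.
FAKE_DNS = {
    "example-bank.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example-bank.test",
    "example-shop.test": "v=DMARC1; p=quarantine; pct=100",
    "example-blog.test": "v=DMARC1; p=none; rua=mailto:reports@example-blog.test",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults.

    Returns None when the record does not start with v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    tags.setdefault("p", "none")   # policy is mandatory; default defensively
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Simplification for the example: production code consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Alignment test: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver already knows after running SPF and DKIM on a message."""
    from_domain: str   # domain in the visible From: header (what the user sees)
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain the SPF check was made against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= tag of the verified DKIM signature, or ""


def dmarc_disposition(results, dns=FAKE_DNS):
    """Return (dmarc_result, action) for one message.

    dmarc_result is "pass", "fail" or "none" (no policy published);
    action is "deliver", "quarantine" or "reject"."""
    txt = dns.get(results.from_domain.lower())
    if txt is None:
        return ("none", "deliver")  # no DMARC policy: DMARC does not apply
    policy = parse_dmarc_record(txt)
    if policy is None:
        return ("none", "deliver")  # malformed record is treated as absent
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")  # one aligned, passing mechanism is enough
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", action.get(policy["p"], "deliver"))


if __name__ == "__main__":
    # Constructed case: a message that shows example-bank.test in From: but was
    # sent from an unrelated domain with no DKIM signature from the bank.
    spoof = AuthResults("example-bank.test", "pass", "unrelated-sender.test", "none", "")
    print(dmarc_disposition(spoof))  # ('fail', 'reject')
```

The interesting part is alignment: SPF alone can pass for a message whose envelope sender belongs to a completely different domain than the one shown to the user, and DMARC only credits a mechanism whose authenticated domain matches the From domain. The strict-mode bank record also shows why senders using subdomains for bulk mail need to choose their alignment mode deliberately, since `mail.example-bank.test` does not align strictly with `example-bank.test`.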

Other DMARC participants include AOL, Comcast, Yahoo, Fidelity Investments, American Greetings, LinkedIn, Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.

However, it is unclear what the overarching effect of DMARC will entail. For one, it will necessitate the participation of smaller email providers to be truly effective. Additionally, given the rate at which cyberthreats are evolving, it may only be a matter of time before cybercriminals find ways around the framework.

Nevertheless, Google product manager Adam Dawes was especially enthusiastic in a recent blog post about his company’s participation.

“When the right contributors come together to solve real problems, real things happen,” wrote Google product manager Adam Dawes on the company’s official blog. “That’s why we’re particularly optimistic about today’s announcement of DMARC.org, a passionate collection of companies focused on significantly cutting down on email phishing and other malicious mail.”

Security News from SimplySecurity.com by Trend Micro


