Tech giants join forces for anti-phishing scheme

Google, Facebook, Microsoft, Yahoo and 11 other big tech companies are jointly designing a system for combating phishing email scams that try to trick people into giving up passwords and other personal details.

The scams, for which hundreds of millions of emails are sent every year, make emails look as if they come from legitimate businesses, and direct users to fake sites — often on compromised computers — copied from the original bank or company. But when the victims enter details such as their user name, password or date of birth, those details are captured by the “phishers”.

Fifteen major technology and financial companies have formed an organisation to design a system, called DMARC — short for Domain-based Message Authentication, Reporting and Conformance — to authenticate emails from legitimate senders and weed out fakes.

The Anti-Phishing Working Group (APWG) says that more than 300 brands are hijacked by phishers every month.

DMARC builds upon existing techniques used to combat spam, such as the Sender Policy Framework (SPF) system that has been evolving over the past 10 years. Those techniques are designed to verify that an email actually came from the sender in question. The problem is there are multiple approaches for doing that, and no standard way of dealing with emails believed to be fake or whose origin cannot be verified but which might be authentic.

The new system addresses the issue by asking email senders and the companies that provide email services to share information about the email messages they send and receive.

In addition to authenticating their legitimate emails using the existing systems, companies can receive alerts from email providers every time their domain name is used in a fake message. They can then ask the email providers to move such messages to the spam folder or block them outright.
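
How a receiving email provider could act on a sender's published DMARC policy, shown as an added example that is not part of the original article and not any provider's actual code. It covers SPF and DKIM (the other widely used authentication technique, not named in the article); the domains, records and check results are constructed, and the two-label organisational-domain rule is a simplification of the Public Suffix List lookup that real receivers use.

```python
# Added illustration; all domains, records and check results are constructed.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the organisational
    # domain. Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisation."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks."""
    policy = parse_dmarc(record)
    if policy is None:
        return {"dmarc": "none", "action": "deliver", "report_to": None}
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        action, result = "deliver", "pass"
    else:
        # Neither check vouches for the visible From domain: apply the sender's policy.
        action = {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}[policy["p"]]
        result = "fail"
    return {"dmarc": result, "action": action, "report_to": policy.get("rua")}

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example; adkim=s"

if __name__ == "__main__":
    # Genuine mail: DKIM signature from the exact From domain.
    print(evaluate(RECORD, "bank.example", ("pass", "bounce.bank.example"), ("pass", "bank.example")))
    # Spoof: SPF passes, but only for the sender's own unrelated envelope domain.
    print(evaluate(RECORD, "bank.example", ("pass", "unrelated.example"), ("none", "")))
```

The second case is the one DMARC adds over SPF alone: a passing check counts only when the authenticated domain matches the domain shown in the From line.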

‘Don’t need to worry’
According to Google, about 15% of non-spam messages in Gmail come from domains that are protected by DMARC. This means Gmail users “don’t need to worry about spoofed messages from these senders,” Adam Dawes, a product manager at Google, said in a blog post.

“With DMARC, large email senders can ensure that the email they send is being recognised by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses,” Dawes wrote.

Industry standard
Work on DMARC started about 18 months ago. From this week, other companies can sign up with the organisation, whether they send emails or provide email services. For email users, the group hopes DMARC will mean fewer fraudulent messages and scams reaching their inbox.

The APWG says in its report on the first half of 2011, published last November, that there were more than 112 000 unique phishing attacks worldwide in the period — though that was lower than in 2009, when phishing peaked due to the use of botnets to send out emails and host fake sites. Part of the rise came from China-based phishers, whose targets lay both inside and outside the country. A total of 520 institutions were targeted in the six months, including banks, e-commerce sites, social networking sites such as Facebook and Twitter, lotteries, government tax bureaux and stockholding securities companies.

The group’s founders are email providers Microsoft, Yahoo, AOL and Google; financial service providers Bank of America, Fidelity Investments and PayPal; online service companies Facebook, LinkedIn and American Greetings, and the security companies Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.

Google uses it already, both in its email sender and email provider capacities. The weight of the companies that have already signed on to the project certainly helps, and its founders are hoping it will be more broadly adopted to become an industry standard.


Charles Arthur