Tech giants join forces for anti-phishing scheme

Google, Facebook, Microsoft, Yahoo and 11 other big tech companies are jointly designing a system for combating phishing email scams that try to trick people into giving up passwords and other personal details.

The scams, for which hundreds of millions of emails are sent every year, make emails look as if they come from legitimate businesses, and direct users to fake sites — often on compromised computers — copied from the original bank or company. But when the victims enter details such as their user name, password or date of birth, those details are captured by the “phishers”.

Fifteen major technology and financial companies have formed an organisation to design a system, called DMARC — short for Domain-based Message Authentication, Reporting and Conformance — to authenticate emails from legitimate senders and weed out fakes.

The Anti-Phishing Working Group (APWG) says that more than 300 brands are hijacked by phishers every month.

DMARC builds upon existing techniques used to combat spam, such as the Sender Policy Framework (SPF) system that has been evolving over the past 10 years. Those techniques are designed to verify that an email actually came from the sender in question. The problem is there are multiple approaches for doing that, and no standard way of dealing with emails believed to be fake or whose origin cannot be verified but which might be authentic.

The new system addresses the issue by asking email senders and the companies that provide email services to share information about the email messages they send and receive.

In addition to authenticating their legitimate emails using the existing systems, companies can receive alerts from email providers every time their domain name is used in a fake message. They can then ask the email providers to move such messages to the spam folder or block them outright.
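The receiver-side decision described above can be sketched in a few lines; this is an added example, not code from the article or from the DMARC group. It uses the tag names of the published DMARC record format (`p`, `adkim`, `aspf`, `rua`), ignores the `pct` and `sp` tags, and treats the last two labels as the organisational domain. The domains and records are constructed.

```python
# Added example: simplified DMARC policy evaluation on constructed data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid DMARC1 policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Simplifying assumption: organisational domain = last two labels.
    # Real receivers consult the Public Suffix List (co.uk, co.za, ...).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares organisational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return 'pass', or the published policy: 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc(record)
    if policy is None:
        return "none"  # no usable policy published for the From: domain
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else policy["p"]

# Constructed records, as they would be published at _dmarc.bank.example
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@bank.example"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"

if __name__ == "__main__":
    # Spoofed From: bank.example, SPF passed only for the sender's own domain
    print(evaluate(REJECT, "bank.example", spf_pass_domain="phisher.example"))
    # Genuine mail signed by a subdomain of the bank
    print(evaluate(REJECT, "bank.example", dkim_pass_domains=["mail.bank.example"]))
```

A spoofed message fails because SPF or DKIM may pass for the phisher's own domain but never aligns with the domain shown in the From: header; the `rua` address is where providers send the aggregate reports the article calls alerts.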

‘Don’t need to worry’
According to Google, about 15% of non-spam messages in Gmail come from domains that are protected by DMARC. This means Gmail users “don’t need to worry about spoofed messages from these senders,” Adam Dawes, a product manager at Google, said in a blog post.

“With DMARC, large email senders can ensure that the email they send is being recognised by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses,” Dawes wrote.

Industry standard
Work on DMARC started about 18 months ago. From this week, other companies can sign up with the organisation, whether they send emails or provide email services. For email users, the group hopes DMARC will mean fewer fraudulent messages and scams reaching their inbox.

The APWG says in its report on the first half of 2011, published last November, that there were more than 112 000 unique phishing attacks worldwide in the period — though that was lower than in 2009, when phishing peaked due to the use of botnets to send out emails and host fake sites. Part of the rise was by China-based phishers, whose targets lay both inside and outside the country. A total of 520 institutions were targeted in the six months, including banks, e-commerce sites, social networking sites such as Facebook and Twitter, lotteries, government tax bureaux and stockholding securities companies.

The group’s founders are email providers Microsoft, Yahoo, AOL and Google; financial service providers Bank of America, Fidelity Investments and PayPal; online service companies Facebook, LinkedIn and American Greetings, and the security companies Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.

Google uses it already, both in its email sender and email provider capacities. The weight of the companies that have already signed on to the project certainly helps, and its founders are hoping it will be more broadly adopted to become an industry standard.


Charles Arthur