Google, Facebook, Microsoft, Yahoo and 11 other big tech companies are jointly designing a system for combating phishing email scams that try to trick people into giving up passwords and other personal details.
The scams, for which hundreds of millions of emails are sent every year, make emails look as if they come from legitimate businesses, and direct users to fake sites — often on compromised computers — copied from the original bank or company. But when the victims enter details such as their user name, password or date of birth, they are captured by the “phishers”.
Fifteen major technology and financial companies have formed an organisation to design a system, called DMARC — short for Domain-based Message Authentication, Reporting and Conformance — to authenticate emails from legitimate senders and weed out fakes.
The Anti-Phishing Working Group (APWG) says that more than 300 brands are hijacked by phishers every month.
DMARC builds upon existing techniques used to combat spam, such as the Sender Policy Framework (SPF) system that has been evolving over the past 10 years. Those techniques are designed to verify that an email actually came from the sender in question. The problem is there are multiple approaches for doing that, and no standard way of dealing with emails believed to be fake or whose origin cannot be verified but which might be authentic.
The new system addresses the issue by asking email senders and the companies that provide email services to share information about the email messages they send and receive.
In addition to authenticating their legitimate emails using the existing systems, companies can receive alerts from email providers every time their domain name is used in a fake message. They can then ask the email providers to move such messages to the spam folder or block them outright.
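The receiving side of that arrangement, as an added illustration that is not code from the article or from the DMARC group: a mail provider looks up the sender domain's published DMARC record, checks whether the message's SPF or DKIM result aligns with the visible From: domain, and otherwise applies the domain owner's requested disposition (report only, spam folder, or outright block). The record tags follow the DMARC specification; the sample record, domains and authentication results are constructed for the example, and the organizational-domain lookup is simplified to a suffix check.

```python
"""Simplified DMARC policy evaluation (added example, not the article's code).
Record and message data below are constructed samples."""

# Constructed sample: the TXT record a domain owner publishes at _dmarc.<domain>.
# p= is the requested treatment of failing mail; rua= is where aggregate reports go.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=s"

# Disposition a receiver applies to mail that fails DMARC, keyed by the p= tag.
DISPOSITIONS = {"none": "deliver", "quarantine": "spam-folder", "reject": "block"}


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict, defaulting alignment to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITIONS:
        raise ValueError("not a usable DMARC record")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    also accepts a parent/subdomain relationship (suffix check stands in for
    the organizational-domain lookup of the real specification)."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if not auth_domain:
        return False
    if auth_domain == from_domain:
        return True
    return mode == "r" and (auth_domain.endswith("." + from_domain)
                            or from_domain.endswith("." + auth_domain))


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.
    DMARC passes if SPF or DKIM passed *and* that identifier aligns with the
    From: domain; failing mail gets the treatment the domain owner asked for."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, DISPOSITIONS[tags["p"]]
```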
‘Don’t need to worry’
According to Google, about 15% of non-spam messages in Gmail come from domains that are protected by DMARC. This means Gmail users “don’t need to worry about spoofed messages from these senders,” Adam Dawes, a product manager at Google, said in a blog post.
“With DMARC, large email senders can ensure that the email they send is being recognised by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses,” Dawes wrote.
Industry standard
Work on DMARC started about 18 months ago. From this week, other companies can sign up with the organisation, whether they send emails or provide email services. For email users, the group hopes DMARC will mean fewer fraudulent messages and scams reaching their inbox.
The APWG says in its report on the first half of 2011, published last November, there were more than 112 000 unique phishing attacks worldwide in the period — though that was lower than in 2009, when phishing peaked due to the use of botnets to send out emails and host fake sites. Part of the rise was driven by China-based phishers, whose targets lay both inside and outside the country. A total of 520 institutions were targeted in the six months, including banks, e-commerce sites, social networking sites such as Facebook and Twitter, lotteries, government tax bureaux and stockholding securities companies.
The group’s founders are email providers Microsoft, Yahoo, AOL and Google; financial service providers Bank of America, Fidelity Investments and PayPal; online service companies Facebook, LinkedIn and American Greetings, and the security companies Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.
Google uses it already, both in its email sender and email provider capacities. The weight of the companies that have already signed on to the project certainly helps, and its founders are hoping it will be more broadly adopted to become an industry standard.