Anti-phishing group backs email authentication

Still rising

A group attempting to stop the new scourge of phishing fraud on the Web says email authentication technology could do the job, a concept backed by Microsoft.

The Anti-Phishing Working Group (APWG), which includes Internet service providers (ISPs), banks and on-line retailers, said that 95 per cent of phishing attacks in May came from spoofed email addresses. Were technology that forces email senders to reveal their true identity to become common, it would be much harder for those behind the attacks to hide in the cyber shadows.

Phishing attacks are usually email based and they tend to consist of messages that lure users to fake corporate websites. Once on the real-looking but phoney site, users are prompted to enter sensitive information such as bank account details, PIN numbers or credit card information, leading to identity theft and financial loss.

In May, APWG members recorded a six per cent rise in new phishing attacks, amounting to 1,197 new incidents, with 848 cases targeting the financial services sector.

"As hackers, identity thieves, and virus writers continue to join forces, these attacks are increasing and becoming much more sophisticated - to the point of being literally indistinguishable from legitimate email, even for technically savvy recipients," said Dave Jevans, chairman of the Anti-Phishing Working Group and senior vice president at Tumbleweed Communications, which helps to carry out the survey. "This continues to pose a significant threat to the financial services and retail sectors."

The organisation noted that email authentication technology, if widely deployed, could go a long way in stopping phishing attacks. It's an idea that Microsoft backs and on Monday the software giant's top man, Bill Gates, issued an update on its plans in this area.

Gates said Microsoft would look to proliferate new technical standards for email authentication and added that the firm would work closely with service providers and law enforcement officials to help end spam, which is considered the infuriating but less dangerous predecessor of phishing emails.

"Since I sent a message to customers on this subject a year ago, we've made significant advances against spam," Gates said. "It's still a major problem - an invasion of privacy, a costly drain on time and resources and, as a carrier of worms and viruses, a significant threat to computer security. The good news is that billions of junk emails are being blocked every day, and spamming has become a more difficult and less rewarding business."

"Clearly, we must find additional ways to counter spam," he added, pointing to the recent creation of the Anti-Spam Technical Alliance as a step in the right direction. "Wide agreement on the need to check messages for signs of forgery is a key step toward eliminating a favourite spammers' trick - one used to defeat spam filters and entice unwary recipients into opening attachments that may contain harmful worms and viruses. Domain spoofing is involved in half of all of today's spam."

Specific technologies in the works include Microsoft's Sender ID standard, which verifies an e-mailer's Internet Protocol (IP) address, something that is more difficult to fake, he said.

© ENN
