Anti-phishing group backs email authentication
A group attempting to stop the new scourge of phishing fraud on the Web says email authentication technology could do the job, a concept backed by Microsoft.
The Anti-Phishing Working Group (APWG), which includes Internet service providers (ISPs), banks and on-line retailers, said that 95 per cent of phishing attacks in May came from spoofed email addresses. Were technology that forces email senders to reveal their true identity to become common, it would be much harder for those behind the attacks to hide in the cyber shadows.
Phishing attacks are usually email based and they tend to consist of messages that lure users to fake corporate websites. Once on the real-looking but phoney site, users are prompted to enter sensitive information such as bank account details, PIN numbers or credit card information, leading to identity theft and financial loss.
In May, APWG members recorded a six per cent rise in new phishing attacks, amounting to 1,197 new incidents, with 848 cases targeting the financial services sector.
"As hackers, identity thieves, and virus writers continue to join forces, these attacks are increasing and becoming much more sophisticated - to the point of being literally indistinguishable from legitimate email, even for technically savvy recipients," said Dave Jevans, chairman of the Anti-Phishing Working Group and senior vice president at Tumbleweed Communications, which helps to carry out the survey. "This continues to pose a significant threat to the financial services and retail sectors."
The organisation noted that email authentication technology, if widely deployed, could go a long way in stopping phishing attacks. It's an idea that Microsoft backs and on Monday the software giant's top man, Bill Gates, issued an update on its plans in this area.
Gates said Microsoft would look to proliferate new technical standards for email authentication and added that the firm would work closely with service providers and law enforcement officials to help end spam, which is considered the infuriating but less dangerous predecessor of phishing emails.
"Since I sent a message to customers on this subject a year ago, we've made significant advances against spam," Gates said. "It's still a major problem - an invasion of privacy, a costly drain on time and resources and, as a carrier of worms and viruses, a significant threat to computer security. The good news is that billions of junk emails are being blocked every day, and spamming has become a more difficult and less rewarding business."
"Clearly, we must find additional ways to counter spam," he added, pointing to the recent creation of the Anti-Spam Technical Alliance as a step in the right direction. "Wide agreement on the need to check messages for signs of forgery is a key step toward eliminating a favourite spammers' trick - one used to defeat spam filters and entice unwary recipients into opening attachments that may contain harmful worms and viruses. Domain spoofing is involved in half of all of today's spam."
Specific technologies in the works include Microsoft's Sender ID standard, which verifies an e-mailer's Internet Protocol (IP) address, which is more difficult to fake, he said.