Waging War Against Email Phishing with DMARC
An abundance of channels exist today to communicate through online messaging, yet email remains the most mature method to do so and is an integral part of people’s daily activity. However, despite the maturity of email, it is still seen as the best weapon that spammers and hackers have in their arsenal to gain access to a user’s valuable information.
In fact, cybercrime is estimated to cost the global economy nearly $113 billion a year. Research firm The Ponemon Institute estimates that, in 2012, hackers cost American companies $277 for each customer account put at risk. Today, we send and receive 183 billion emails per day (statistics from 2013) and with figures this high, you’d think that corporations have done everything they can to prevent cybercrime, but unfortunately, that’s not the case.
While most people are aware of the primary weapons that are used by today’s modern hackers such as “phishing” or “spoofing” email attacks, most people don’t know that the technology to prevent them already exists. Sadly, this technology has not become ubiquitous, leaving corporations in particular vulnerable to unnecessary security and financial risks.
The Evolution of Email Phishing:
The first email was sent in 1971 over a network known as ARPANET (Advanced Research Projects Agency Network). A little over 10 years later in 1982, the first standardized email protocol known as SMTP (Simple Mail Transfer Protocol) was finally implemented. However, it took another decade for email to mature beyond these tools.
Although phishing attacks first began to appear in the 1990s, they have been the most common form of email attacks for the past five years. New sophisticated phishing attacks are now a daily occurrence, with banks or larger well-known brands usually being the target. These organizations, such as Skype, Netflix, Apple and Target, usually have a large amount of clients, so spammers can go after millions of users knowing that a strong percentage of recipients will be customers and be exposed to malicious phishing attacks.
The purpose of phishing email attacks is to fool recipients into believing that the message is legitimate, so that users will click on the phishing email and be prompted to download malware in an effort to hack their computer and steal personal information. Phishing scams look identical to normal emails, and they are sent by familiar email addresses one would typically receive messages from. Phishing attacks are often so well crafted that not even savvy computer engineers can manually detect the difference between a trusted sender (the supposed sender) or a phishing scammer.
The usual infection caused by these attacks is malware being installed on targeted computers, enabling hackers to hijack sensitive user data, bank information, credit card details or login credentials. Phishing emails commonly contain Web links that look accurate on first inspection, but ultimately fool users into clicking on links that redirect them to a proxy website containing malware, viruses or scripts. In some cases, these proxy websites look identical to the website they are replicating, so these attacks usually catch unsuspecting users. Today, we see that these attacks are increasingly common and extremely difficult to identify.
Another common technique that spammers use during phishing attacks is known as
“spoofing.” Email spoofing is used to fake the “from address” with any other type of address, as the SMTP standardization process allows for the “from address” to come from any source. By spoofing the “fromaddress,” it is nearly impossible for recipients to determine if senders are legitimate or malicious through manual detection.
“DMARC” (Domain-based Message Authentication, Reporting and Conformance) is an open-source technology founded in 2007 by a group of household names (Paypal, Yahoo, Google) who have consistently fallen victim to phishing and spoofing attacks. DMARC was developed to eradicate phishing and spoofing issues by ensuring that users never have to ask themselves: “Do I trust this sender?”or “Has this message been tampered with?”
Instead, DMARC helps to authenticate senders and enable receivers to reject unsolicited messages so that users never have to second-guess what is showing up in their inboxes. DMARC is a combination of DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework), making both message signatures and email origins trustworthy. In addition, built-in reporting capabilities enable systems to interact with DMARC and build policies based on learned behaviors. In order for DMARC to be 100-percent effective, it needs to be adopted by every email provider, making it mandatory for both senders and recipient email systems to verify for DMARC.
The fact of the matter is that phishing attacks would not occur if most organizations (companies, government and other domain owners) would start using DMARC, specifically for validating emails. An example of this would be deliberately misspelling the ‘from address’which can easily be mistaken, by using zero “0” instead of the letter “o.” This technique is known as “spoofing.” These spoofing methods will explode in popularity once DMARC is used more widely, preventing spammers from phishing and using fake, yet seemingly official email addresses from brands. Through educating users, we can spot a spoofing attack with the naked eye, however phishing attacks require DMARC, as even skilled computer technicians find it difficult to identify sophisticated phishing attacks.
For those wishing to implement DMARC for a brand or corporation, the first step is to visit http://dmarc.org/resources.html,which provides users with a complete list of training tips, articles, support tools, products and services, as well as message gateways, filters, or hosted mailbox services that all support and provide information about DMARC.
The Future of Email Security:
Fighting malicious spammers is a cat and mouse game that requires security vendors to constantly innovate and build smarter detection techniques, set new standards for the security industry and continually improve their solutions. New phishing threats have become part of the daily news cycle. Astonishingly, phishing emails currently infect more than 40 million users every year, yet we already have the technology to eradicate the threat with DMARC.
Twitter Postmaster Josh Aberant recently stated that after implementing DMARC for Twitter in February 2013, Twitter branded phishing emails dropped from 110 million per day down to just a few thousand. We can be sure that those few thousand emails that have slipped through the net have come from corporations with an email system that doesn’t implement DMARC.
For DMARC to work effectively, corporations, enterprises and Cloud Hosting providers must adopt DMARC across the board – only then will we see a complete end to phishing attempts. If these organizations do not recognize DMARC, then malicious phishing emails will get through to them.Corporations and hosting providers are lagging behind as they generally use their own email system, which does not integrate DMARC. Just ask Target, which last year was exposed by a phishing email that infiltrated 40 million customer accounts.The security industry is traditionally slow to adopt new protocols, but there is no reason that all security vendors, brands, corporations and businesses cannot apply DMARC in their email systems to recognize the brands that have already applied DMARC.
It is inevitable that spammers will continue to evolve and find new ways to infect our computers, phones, tablets and next, our “Internet of Things” applications. While household names like Gmail, Yahoo, and PayPal have implemented DMARC, this in turn has pushed spammers to begin targeting corporations that do not use DMARC. In fact, we discovered that of the Fortune 1000 companies, only 5.1 percent had implemented DMARC. However, the good news is that phishing and spoofing emails are something we can easily prevent and the only thing stopping us from doing so is everyone’s willingness to adopt DMARC as the ultimate solution.