Google, Yahoo Form Group to Tackle Phishing
Google, Yahoo, Microsoft and AOL have joined forces to thwart purveyors of phishing — those emails that attempt to trick users into giving up personal information.
The companies, along with financial services providers Bank of America and Fidelity Investments, have created DMARC.org, also known as Domain-based Message Authentication, Reporting & Conformance, a technical specification that will provide consistent authentication results across Gmail, Hotmail, Yahoo Mail and AOL.
The group’s website blames the rise of phishing on the growth of social media, among other factors.
“With the rise of the social Internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more,” reads an explanation on the group’s site. “Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well known brand into an email gives it instant legitimacy with many users.”
DMARC’s method of authentication makes SPF and DKIM — two preexisting authentication screening mechanisms — part of an industry standard. To make it through Gmail and the other email systems, senders have to authenticate their emails. The upshot is that email receivers will be certain that an email from IRS.gov, for example, is really from the Internal Revenue Service. Moreover, the IRS would be notified if someone else was using that domain for phishing emails.
Robert Siciliano, a McAfee consultant and identity theft expert, says most phishing emails are already being intercepted and winding up in users’ spam folders.
“What they’re trying to accomplish now is to eliminate them from your spam folder,” he says, noting that some users still click on such emails even when they’re labeled as spam. “The fact is, there’s a sucker born every minute. A non-sophisticated user will be a target until all phishing emails are eliminated.”
Siciliano says he’s optimistic that DMARC will be able to do that: “It’s coordinated efforts like this that could actually solve this problem.”
Nevertheless, Siciliano warns that even if DMARC is successful, clicking on a URL within an email is still a bad idea. For example, if you get an email from the Bank of America, go through the main site to find your link.
“The bad guys are like ants,” Siciliano says. “They’re very consistent and find their way through.”