It’s a very rare occurrence. But even the worst of tech enemies can agree that phishing is bad.
On Monday, Google, Facebook, Microsoft, Yahoo!, and eleven other outfits announced they had formed a new alliance to combat phishing — a way of fooling email and web users into providing sensitive information, including credit card numbers. The alliance is known as Domain-based Message Authentication, Reporting and Conformance, DMARC for short, and the aim of this sprawling alliance is to lay down new email standards that help stop the nefarious practice.
“One of the worst experiences for a user is being phished,” Adam Dawes, a Google product manager and DMARC representative, tells Wired. “The best way to protect them is to make sure the email never reaches the spam folder at all.”
Phishing is a relatively simple trick. Often, the spammer spoofs the data in the email message so it really looks like it came from a legitimate sender. There’s usually a way to figure out where the message really came from, but it can be hard for the average Joe to spot.
Today, as Dawes points out, phishing messages are often caught by an email client’s spam filters. But even as they check out their spam folders, many users can’t help but open a message that says it’s from PayPal. Before they know it, someone has phished their credit card number. With DMARC, the idea is to get the email companies working behind the scenes to prevent phishing emails from ever hitting your inbox or spam folder.
Image caption: Top box: what you see, normally. Bottom: what you should double check.
About eighteen months ago, PayPal began working directly with Google and Yahoo to set standards for Gmail and Yahoo! Mail that would prevent fake PayPal messages from hitting a user’s inbox. According to Brett McDowell, one of PayPal’s security managers and now chairman of DMARC, the three companies were blocking over 200,000 fake PayPal messages each day.
Eventually, PayPal, Google, and Yahoo! started asking other outfits to get involved. Behind the scenes, new names began using what would become the DMARC protocols, and as more and more companies used the protocols, engineers noticed new flaws — and fixed them. Mike Adkins, a Facebook messaging engineer, says that Monday’s news isn’t a “Coming soon” announcement. “You’ve been protected by DMARC for a while,” he says.
The DMARC protocols are based on existing technologies, including the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Both are common mail security protocols. SPF verifies that the IP address of the email’s sender is one the sending domain has authorized, while DKIM vets the email’s content by checking it against a signature attached by the sender.
DMARC is hardly the only cross-industry effort to battle phishing. A global non-profit called The Anti-Phishing Working Group encourages businesses to share the latest information about phishing tactics and techniques. Paul Ferguson, a senior threat researcher at anti-virus developer Trend Micro, tells Wired he supports any collaboration that fights malicious software and phishing — up to a point. “The only caution that I would have is that there are too many of these kinds of efforts, they start working against each other,” he says. Even inside a single company, he continues, you might have the marketing department backing one anti-phishing group, while the research department backs another.
PayPal’s McDowell reiterates that the goal of DMARC — at least for the moment — is to defend legitimate domains, not to address what’s sometimes called “typo-phishing,” where scammers use something that looks like a common domain but is actually a slightly different spelling.
“Domain-based phishing cannot happen when both parties deploy DMARC,” he says.
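As an added example, not code from the article or from any of the DMARC participants, here is a small Python model of the check the article describes: a message passes when SPF or DKIM passes for a domain that aligns with the visible From: domain, and otherwise the sending domain’s published policy applies. It also shows McDowell’s point that a lookalike domain which authenticates itself passes cleanly. All domains and records are constructed, and the organizational-domain logic is simplified (the last two labels rather than the Public Suffix List).

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record like 'v=DMARC1; p=reject; adkim=s' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Simplification: take the last two labels; a real receiver uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, record_txt, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' or the sender's requested disposition ('none', 'quarantine', 'reject')."""
    rec = parse_dmarc_record(record_txt)
    # SPF covers the envelope (MAIL FROM) domain, DKIM the d= domain of the signature;
    # either passing *and* aligning with the visible From: domain satisfies DMARC.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain in From: falls under the 'sp' policy when the record publishes one.
    if from_domain.lower() != org_domain(from_domain) and "sp" in rec:
        return rec["sp"]
    return rec["p"]

# Constructed records (hypothetical domains, not real DNS data).
RECORDS = {
    "bank.example": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s",
    "bank-secure.example": "v=DMARC1; p=none",  # lookalike domain with its own valid setup
}

if __name__ == "__main__":
    # Spoofed From: header; SPF passes only for the spammer's own envelope domain -> reject
    print(evaluate_dmarc("bank.example", RECORDS["bank.example"], "pass", "spam.example", "fail", "bank.example"))
    # Genuine mail signed by a sending subdomain; relaxed DKIM alignment -> pass
    print(evaluate_dmarc("bank.example", RECORDS["bank.example"], "fail", "esp.example", "pass", "mail.bank.example"))
    # "Typo-phishing": the lookalike domain authenticates itself, so DMARC cannot flag it -> pass
    print(evaluate_dmarc("bank-secure.example", RECORDS["bank-secure.example"], "pass", "bank-secure.example", "none", ""))
```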