
Huge spike in e-mail phishing attacks reported

By Mark Brunelli, News Writer
21 Apr 2004 | SearchExchange.com


Two new research reports find that e-mail spoofing attacks are on a steep rise. And one of those reports says that businesses in the financial services sector appear to be most vulnerable to having their corporate identities hijacked.

Phishing, or spoofing attacks, involve the mass distribution of e-mail messages with phony return addresses, links or branding, which make them appear to come from banks, insurance agencies or any other legitimate business.

In reality, those fraudulent e-mails actually come from spammers, senders of unwanted commercial e-mail, who hope to trick end users into giving up credit card numbers and other personal information. The practice can result in stolen money and identity theft.

The new report, "Phishing Attack Trends Report for February 2004," was released by Tumbleweed Communications Corp., an instant messaging software vendor, and the Anti-Phishing Working Group (APWG), a band of software providers and other companies that was formed to research and share information about spoofing attacks. The findings were based on reports of spoofing attacks made to the APWG Web site.

Two reports, similar findings

The APWG said it received 282 new reports of unique phishing attacks in February, representing a 60% increase over the previous month, and a 163% increase over December.

Similar findings were reported this week by New York-based MessageLabs Inc.

The security software vendor said that over the past six months, the number of phishing e-mails rose from 279 to 215,643. That number had spiked to 337,050 in January before dropping to the most recent figure, which was from March.

The APWG report broke the numbers down further. It found that February averaged 9.7 phishing attacks per day, that eBay was the most frequently spoofed company and that the financial services sector was targeted more often than any other industry.

The identity of Regulations.gov, a government agency, was also spoofed during February in an attack designed to steal consumers' personal information.

Spoofing anyone, anytime

Experts and IT professionals interviewed say there is little that companies can do to avoid having their e-mail addresses spoofed.

"If you give me your e-mail address, then I could send you an e-mail from God in heaven," said Daniel V. Klein, an independent consultant, proprietor of a small Internet service provider (ISP) and a longtime antispam crusader.

The trick for spammers is getting phishing targets to take the bait. "Attempting impersonation is easy," Klein said. "Succeeding at it is hard."

Analyst Michael D. Osterman described one relatively simple phishing approach. "I could use (Microsoft) Outlook to set up any domain, and I would then supposedly be sending from that domain," said Osterman, of Black Diamond, Wash.-based Osterman Research.

But while protecting your users' e-mail addresses from being hijacked is virtually impossible, there are a couple of ways to avoid receiving spoofed e-mails. Experts say that it's simply a matter of employing technology that detects and then weeds out spoofed e-mails along with the rest of the unwanted spam.

Apply SPF protection liberally

Osterman, along with Nick Shelness, a research analyst with Ferris Research and a former chief technology officer for Lotus Development Corp., explained that the best way to filter out spoofed e-mail is to deploy Sender Policy Framework (SPF) authentication on your mail servers.

SPF is an antispam approach in which the Internet domain of an e-mail sender can be authenticated. SPF and other authentication schemes, such as Yahoo's Domain Keys and Microsoft's Caller ID, work by making it easier for a mail server to determine when a message came from a domain other than the one claimed.

SPF seals a hole in Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, which doesn't include an authentication mechanism.

"Basically, what happens is that when I receive e-mail, let's say from Microsoft.com, my mail server automatically looks [at a database to find out] if this sender has an authorized IP address for that domain," Osterman said.

"Support one authentication scheme or all of them," Osterman added. "I think they'll be an important weapon in the war on spam."


