Search giant Google has signed up to a new scheme designed to block phishing and spoofing emails at the service provider level, preventing them from reaching consumers’ inboxes.
Google joins Yahoo, Tucows and Cloudmark in supporting the service, called Domain Assurance, which was created by email certification and reputation management services company Return Path.
“Return Path’s commitment to helping organisations authenticate their outgoing mail more easily is a positive step toward further reducing phishing and other fraudulent email,” said Google product manager Adam Dawes.
The service, known as Domain Assurance, helps protect companies by blocking fraudulent emails before they reach the consumer’s inbox. Email senders’ domains must be verified using email authentication methods like SPF and DKIM, and they can then add their domains and sub-domains to the Domain Assurance Registry list. This allows ISPs to automatically reject all mail claiming to come from these registered domains that fails authentication.
Users can also review authentication results using the Domain Assurance Dashboard, allowing them to detect any malicious activity and take steps to mitigate any damage.
However, according to Chester Wisniewski, senior security advisor at Sophos, Return Path’s Domain Assurance program won’t solve the spam problem, as it still leaves a lot of holes for criminals to continue to prey on innocent email users.
“Many phishing attacks originate from compromised or fake Yahoo/Gmail/Hotmail/Comcast accounts. So even if they are verified to be coming from Gmail, etc. they can still be delivered,” Wisniewski told eWEEK Europe.
He also pointed out that, without the participation of a large percentage of global brands, it only provides better defences to its members. “While Yahoo and Google may be able to reduce the impact on their users, it doesn’t eliminate the threat, nor help stop attacks targeting eBay, PayPal, Facebook, Bank of America or other highly targeted brands,” he said.
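The registry rule and the two gaps Wisniewski describes can be seen in a short sketch. This is an added example, not code from Return Path or any ISP: the registry is modelled as a plain set of domains, authentication results are read from an Authentication-Results header, a "pass" is only counted when it is for the same domain shown in the From line, and all domains and messages are constructed.

```python
import re

# Assumption: the registry is modelled as a set of exact domain names; the real
# Domain Assurance Registry format is not described in the article.
REGISTRY = {"bank.example", "mail.bank.example"}

# Constructed samples: name -> (From domain, Authentication-Results header value)
SAMPLES = {
    "legit": ("bank.example",
              "mx.isp.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example"),
    "spoofed": ("bank.example",
                "mx.isp.example; spf=fail smtp.mailfrom=bank.example; dkim=none"),
    "misaligned": ("bank.example",
                   "mx.isp.example; spf=pass smtp.mailfrom=bulk.example; dkim=pass header.d=bulk.example"),
    "webmail_account": ("webmail.example",
                        "mx.isp.example; spf=pass smtp.mailfrom=webmail.example; dkim=pass header.d=webmail.example"),
    "non_member_brand": ("shop.example",
                         "mx.isp.example; spf=fail smtp.mailfrom=shop.example; dkim=none"),
}

def parse_auth_results(header):
    """Return {method: (result, authenticated_domain)} from an Authentication-Results value."""
    results = {}
    for part in header.split(";")[1:]:           # first field is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", part)
        if not m:
            continue
        prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(\S+)", part)
        domain = prop.group(1).rsplit("@", 1)[-1].lower() if prop else None
        results[m.group(1).lower()] = (m.group(2).lower(), domain)
    return results

def authenticated_as(from_domain, header):
    """True if SPF or DKIM passed for the same domain that appears in From."""
    return any(result == "pass" and domain == from_domain
               for result, domain in parse_auth_results(header).values())

def verdict(from_domain, header, registry=REGISTRY):
    """Reject only mail that claims a registered domain and fails authentication."""
    from_domain = from_domain.lower()
    if from_domain in registry and not authenticated_as(from_domain, header):
        return "reject"
    return "deliver"    # handed on to the ISP's normal spam filtering

def run_samples():
    return {name: verdict(dom, hdr) for name, (dom, hdr) in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:18} {result}")
```

Only the spoofed and misaligned messages are rejected. The message from an authenticated webmail account and the failing message that imitates a brand outside the registry both fall through to ordinary filtering.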
McAfee’s EMEA president Gert-Jan Schenk added that, in general, ISPs and the industry at large have been very successful at stopping spam from “known” spamming servers. “The real challenge is stopping spam from ‘unknown’ spamming servers,” he said.
According to RSA, more than 260 million malicious emails are sent to consumers every day, pretending to be from a trusted company in an attempt to lure them into downloading malware or submitting private account information to fraudulent websites.
As well as making the email channel less secure and damaging consumer trust, phishing can also have cost impacts, particularly for financial services companies who often bear the cost when fraud is carried out against their customers. Analyst group Gartner estimates that the direct cost of repairing the damage from phishing and spoofing amounts to $3.6 billion (£2.2bn) annually.
Last year, a report by “life assistance” company CPP found that more than 420,000 scam emails are sent every hour in the UK. Meanwhile in May, a single cyber-gang known as Avalanche was identified by the Anti-Phishing Working Group as being responsible for 66 percent of the phishing attacks in the second half of 2009.
Last month, UK citizens in a hurry to get their tax returns in before the final deadline were warned to look out for email phishing scams, as organised cyber criminals tend to seize on opportunities where large numbers of people are in unfamiliar online situations and under pressure. There was a rash of such scams in 2010, when the HMRC’s computer system was revealed to have miscalculated 1.5 million people’s tax.
Social networks are also a prime target, with targeted email “spear phishing” seeming to be the “weapon of choice” for establishing a foothold on social networking sites and services, according to security firm Mandiant. Twitter, for example, suffered two major phishing attacks in a month in February last year.