Google, Facebook, and PayPal team up to fight phishing

Tech heavyweights are coming together to stand behind DMARC, a new system announced today that could block phishing emails before they ever reach your inbox.

“We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing,” said Google’s Gmail product manager Adam Dawes in a blog post.

DMARC, which stands for Domain-Based Message Authentication, Reporting, and Conformance, is a way for domain owners to prove an email is truly being sent from them and is not a phishing attack. These attacks are often emails that attempt to dupe a user into giving up personal information such as logins or financial information. One of the main ways criminals attempt to trick users is by forging a “sender” line so the email looks like it’s from a reputable source. People are far more willing to give their bank account number and login credentials to PayPal than to the Prince of Nigeria.

“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole,” said DMARC chair Brett McDowell, who is also PayPal’s senior manager of customer security initiatives.

Being able to fake the sender line is very dangerous, especially for older people who have not learned to be suspicious of unknown email. DMARC, however, provides domain holders like PayPal an opportunity to prove their identity and block any other emails claiming to be them. It does this by building on a two-step authentication system.

First, the domain owner can use SPF (Sender Policy Framework), to identify which of its employees are allowed to send emails on the company’s behalf. These emails are authenticated by looking at the IP address of the computer to make sure they are the verified sender.

Second, domain owners can use DKIM (Domain Keys Identified Mail), which looks at the digital signature of the sender. A digital signature exists in the background of an email, and lists out a number of different parameters that should be met within the body and to/from fields of the email. For instance, one parameter could be “d,” for domain, where the domain owner can put, “d=paypal.com.” DKIM then checks if the email being sent is actually from “paypal.com” and can block a message if the parameters aren’t met.

By using and fine-tuning these authentication systems, DMARC aims to make more companies take responsibility for their outgoing mail. Eventually, companies will get to a point where enough trust is put in the system to block any email that fails authentication.

Facebook, Google, and PayPal aren’t the only ones who have seen this kind of phishing scheme. Apple also recently experienced a string of phishing emails claiming to come from “appleid@id.apple.com.” The email’s body, which took on the same shadowing and coloring as a normal Apple email, asked members to “update their account information,” including bank account and social security number. Another scam came from “member@linkedin.com,” claiming you had received an In-Mail, but really redirected you to a Viagra sale site.

According to Dawes, nearly 15 percent of all non-spam Gmail messages are already being authenticated and are protected by DMARC.

He explained, “The phishing potential plummets when the system just works, and that’s what DMARC provides.”

hat tip NetworkWorld, Phishing image via Shutterstock