Sender Authentication Seen As Key To End Phishing

May's account of phishing -- the group puts out monthly reports -- showed only a six percent increase in the number of unique attacks. The results would have been worse, said the Anti-Phishing Working Group (APWG) if not for the Memorial Day holiday weekend, which saw a significant dip of reported scams.

The average number of phishing attacks per day was also up slightly over April, the APWG reported.

But with an overwhelming majority of phishing attacks relying on spoofed sender addresses, there's little chance of beating these scams until authentication is widely adopted, said Dave Jevans, chairman of the APWG.

"The Achilles heel of phishing is the reliance on forged 'From' addresses to hide the sender's identity," said Jevans in a statement. "Once ISPs start to verify the source of messages, a lot of the bad things in e-mail, including phishing, will be greatly reduced. Not many scammers will use their personal e-mail accounts to launch a crime wave."

Sponsored post

Multiple sender authentication specifications have been proposed, including Sender ID, a blend of Microsoft's former Caller ID for E-mail and the more popular Sender Policy Framework (SPF) which was submitted to the ITEF last week, and Yahoo's competing DomainKeys.

Of the five percent of "From" addresses which were not forged, APWG dubbed the majority as "social engineering" addresses which are not phony, but simply variations of the actual e-mail domains used by the firms phished.

For instance, one social engineering "From" address used to fool Visa customers into divulging credit card information is [email protected], which is not a valid address for Visa. Other misleading addresses APWG has spotted include [email protected] and [email protected].

Citibank remained the number one target of phishers in May, a dubious honor the financial firm has held for the last two months. Other companies with a phishing bull's-eye on their backs include eBay, U.S. Bank, and PayPal. These top four targets accounted for 82 percent of all phishing and e-mail fraud scams for the month.

For more on phishing, see CRN.

This story courtesy of TechWeb.