A simple look at the latest Anti-Phishing Working Group (APWG) report, covering the first half of 2014, reveals that there were at least 123,741 unique phishing attacks worldwide, the most since 2009.
The attacks used 87,901 unique domain names, up from the 82,163 domains used in the second half of 2013. The report also contains the key phrase “phishers are criminal, but they do make rational decisions about how to go about their work”.
You may see phishing as the annoying messages that appear in your inbox, or hopefully your junk folder, and that you ignore or delete. For businesses in financial services, however, they are a huge problem, and two security professionals have said enough is enough.
Ed Tucker and Ian Hunneybell, both security professionals in the UK Government, have seen phishing messages become more than a nuisance: they are a threat to the communication channel most commonly used with customers, one that has been abused so much that UK consumers no longer know what is legitimate and what is not.
In search of a solution, Tucker and Hunneybell have published a whitepaper, named “A recipe of real-world controls”, detailing a number of methods to defeat and supersede the phishers. Tucker said that the concept arose after their business struggled to communicate with customers and to deal with the tide of phishing messages, and that they created something they hope the industry will adopt.
“It is not just another thought piece, but there is no available advice on how to deal with the problem,” he said. “It is more of a nuts-and-bolts approach, with six components brought together, so that for someone who needs controls, if you do one or more, it helps people protect all customers.”
He said that his business is always running awareness campaigns for users, but the problem for users is how they tell the difference, and for a business, how it abates the problem; it is not about malicious adverts, it is “more and more successful and a huge industry and financially rewarding”. Tucker said: “So we put these options together in this way to create something that is a force for all.”
The whitepaper says that “fraudulent Email can be considered the corporate equivalent of identity theft; someone is using your name or brand, most likely as a means to defraud your customers, and committing this theft in your name.
“The cost of such fraud, even if your organisation does not appear directly targeted, is in fact huge, as it saps trust in your organisation and decreases brand equity. It can ultimately close the door on the legitimate use of email for any form of customer communication or notification, as customers and ISPs may simply learn to distrust anything bearing your ‘brand’, meaning the efficacy of email communication drops off, ultimately becoming unreliable”.
The approach encompasses six components:
1 – Technical Email control mechanisms under the glorious acronyms of SPF, DKIM, ADSP and DMARC. These controls can be implemented by technical staff to help mail servers across the internet distinguish genuine Email from your organisation from fraudulent messages simply claiming to be from you. This assembly of acronyms aims to ‘Can the spam’;
2 – Domain acquisition and parking. This approach aims to gain control of domain names similar to your organisation’s name or brand and lock-out the ‘bad guys’ before they try and use them, e.g. if you operate creditcardbrand.co.uk, ensure you also control and so can ‘lock-down’ against fraudulent use, credticardbrand.co.uk;
3 – Monitoring real-world traffic. It’s hard to take action if you don’t know what is going on and so there are proposals to establish feedback and monitoring solutions which can give you visibility of how bad an issue you face and where to focus your organisation’s efforts to combat abuse;
4 – Take-down services, targeted at using intelligence from your monitoring service and other sources, to find and disrupt infrastructure being used to carry out fraud campaigns against your customers using your brand or organisation’s name;
5 – Internal organisational policies that can prevent well-intentioned internal efforts making it easier for fraudsters to effectively mimic your organisation’s legitimate customer communications. There can be significant negative impact to your brand through the introduction of a new email service if it is not done in a way that ensures neither customers nor ISPs start viewing it as spam and which doesn’t open the door to fraudsters to copy your own marketing efforts, but to their own nefarious end;
6 – Looking to the future, providing a means by which ‘average consumers’ as opposed to ‘cyber techno-whizzes’ can readily recognise genuine from fraudulent email, so that links to fraudulent sites become easy to spot, report and avoid.
Full details of the technical specifications are in the whitepaper, but Hunneybell explained each component to me. On the first, he said that the controls already exist, that they are part of how a legal framework is being provided to ISPs, and that they increase deliverability. “We are losing email as a good form of communication, and if we lose email as a channel, we cannot do it at all,” he said. “There is a lot around not just getting rid of spam, as it has a low open rate of what is sent out, as many may not bother, but if there is a sufficient amount you lose the ability to use it.”
That is a fair point, and with financial services companies wanting users to move to paperless statements and communications, perhaps there is a case for standards to be enforced upon sending technologies.
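To make the first component concrete, here is an added example (not code from the whitepaper or its authors) of the decision a receiving mail server makes when SPF, DKIM and DMARC are published. ADSP (RFC 5617) was reclassified as Historic in 2013 and is effectively superseded by DMARC, so only SPF, DKIM alignment and DMARC are modelled. The DNS records, domains and IP addresses are constructed for illustration; the SPF evaluator only understands ip4/ip6 mechanisms (a real one also resolves include, a and mx), and the Public Suffix List is replaced by a tiny stand-in.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical brand and a hypothetical
# phisher; none of these domains or addresses are real data.
DNS_TXT = {
    "creditcardbrand.co.uk": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.creditcardbrand.co.uk": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc@creditcardbrand.co.uk"
    ),
    "phisher.example.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com", "net"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(name):
    """Organisational domain: one label above the longest matching public suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def check_spf(client_ip, mail_from_domain):
    """Minimal SPF evaluation: ip4/ip6 mechanisms and the final 'all' only.
    include/a/mx/exists need DNS lookups and are treated here as no match."""
    record = DNS_TXT.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            matched = False
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def dmarc_policy(from_domain):
    """Look up _dmarc.<From domain>, falling back to the organisational domain,
    where the sp= tag (if present) governs subdomains."""
    from_domain = from_domain.lower()
    record = DNS_TXT.get("_dmarc." + from_domain)
    fallback = False
    if record is None and org_domain(from_domain) != from_domain:
        record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
        fallback = True
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    policy = tags.get("p", "none")
    if fallback and "sp" in tags:
        policy = tags["sp"]
    return {"p": policy, "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed only
    the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, client_ip, mail_from_domain, dkim_domains=()):
    """Action a receiver should take for one message. dkim_domains are the d=
    values of DKIM signatures that have already verified cryptographically."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none"  # no DMARC record: receiver falls back to local rules
    spf_aligned = (check_spf(client_ip, mail_from_domain) == "pass"
                   and aligned(mail_from_domain, from_domain, policy["aspf"]))
    dkim_aligned = any(aligned(d, from_domain, policy["adkim"]) for d in dkim_domains)
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy["p"] if policy["p"] in ("quarantine", "reject") else "none"


if __name__ == "__main__":
    brand = "creditcardbrand.co.uk"
    cases = {
        "genuine mail from the brand's own relay": (brand, "203.0.113.5", brand, ()),
        "forged From, bounce domain has no SPF": (brand, "198.51.100.7", "bulk.example.net", ()),
        "phisher's own SPF passes but does not align": (brand, "198.51.100.7", "phisher.example.com", ()),
        "third-party sender with aligned DKIM": (brand, "192.0.2.9", "esp.example.net", (brand,)),
        "subdomain DKIM signature under adkim=s": (brand, "192.0.2.9", "esp.example.net", ("mail." + brand,)),
    }
    for label, args in cases.items():
        print(f"{label}: {dmarc_disposition(*args)}")
```

The third case is the one that matters: a phisher can publish a perfectly valid SPF record for a domain they control, and SPF alone will pass; it is DMARC's alignment check against the visible From domain that turns the message into a reject. The last case shows the flip side for component five: a legitimate third-party sender signing with a subdomain is rejected under a strict adkim setting, so new mail services must be set up to align before they go live.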
The second point, on domain acquisition and parking, raises the question of what we would do about a website such as “www.itsecguru.org”. Not much we can do, I suspect, but a major business is exposed if it is not proactive in buying mis-spelt domains. Tucker said that even if you own such domains, they can still be used to send email unless you prevent it. He highlighted the mis-spelt Goolge website, which was eventually seized, and asked, with bank names often being initials, how easy it is for a fraudulent MNBA or HSCB to catch out fast-moving customers.
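The two halves of that point, finding the mis-spellings worth registering and then making sure the parked domains cannot send mail, are shown in this added example (my illustration, not the whitepaper's). The typo generator covers single-keystroke errors (omission, doubled letter, transposition, adjacent QWERTY key); the lock-down records are a null MX (RFC 7505), an SPF record that authorises no sender, a DMARC reject policy and a wildcard DKIM selector with an empty key, which RFC 6376 defines as revoked. The brand label, suffix, reporting address and the set of already-registered names are constructed inputs.

```python
# Adjacent keys on a QWERTY layout, used to model fat-finger substitutions.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "awdz", "d": "sefx", "f": "drgc", "g": "fthv",
    "h": "gjyb", "j": "hkun", "k": "jlim", "l": "ko",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_variants(label):
    """Single-keystroke misspellings of one DNS label (no dots)."""
    label = label.lower()
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])          # omitted letter
        variants.add(label[:i] + ch + label[i:])         # doubled letter
        for k in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + k + label[i + 1:])  # adjacent key hit
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swapped pair
    variants.discard(label)
    return sorted(v for v in variants if v)


def lockdown_records(domain, report_addr):
    """Zone-file lines that make a parked domain unusable for sending mail."""
    return [
        f"{domain}. IN MX 0 .",                                   # null MX: accepts no mail
        f'{domain}. IN TXT "v=spf1 -all"',                        # no host may send as it
        f'_dmarc.{domain}. IN TXT "v=DMARC1; p=reject; rua=mailto:{report_addr}"',
        f'*._domainkey.{domain}. IN TXT "v=DKIM1; p="',           # every selector revoked
    ]


def parking_plan(brand_label, suffix, report_addr, already_registered):
    """Split typo domains into ones to register and lock down, and ones someone
    else already holds (candidates for monitoring and take-down)."""
    plan = {"register": {}, "taken": []}
    for variant in typo_variants(brand_label):
        name = f"{variant}.{suffix}"
        if name in already_registered:
            plan["taken"].append(name)
        else:
            plan["register"][name] = lockdown_records(name, report_addr)
    return plan


if __name__ == "__main__":
    # Constructed inputs: the whitepaper's own example brand and one name that
    # we pretend a third party has already registered.
    plan = parking_plan("creditcardbrand", "co.uk", "abuse@creditcardbrand.co.uk",
                        already_registered={"credticardbrand.co.uk"})
    print(f"{len(plan['register'])} names to register, {len(plan['taken'])} already taken")
    for name in plan["taken"]:
        print("  taken:", name)
    for line in plan["register"]["creditcadbrand.co.uk"]:
        print("  ", line)
```

The DMARC record on a parked domain also reports on it: any receiver that sees mail claiming to come from the mis-spelt name sends an aggregate report to the rua address, so the parked names double as tripwires for the monitoring component. Bear in mind the list grows quickly for long labels, and homoglyph and IDN variants are not covered here.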
The third point relates to visibility, and getting an idea of what the ISPs are seeing. Tucker said: “We want to see the messages from one bad guy to another as when the emails are not sent by you, there is no visibility at all, and if it is third party to third party, there is no value in it at all.”
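The feedback loop that gives exactly that visibility already exists in DMARC: receivers that honour the rua tag send the domain owner daily aggregate reports listing every source IP that sent mail bearing the domain in its From header, whether or not the owner sent it. This added example (mine, not from the whitepaper) parses one such report and ranks the sources that failed both aligned SPF and aligned DKIM. The report below is constructed in the RFC 7489 aggregate-report schema; the reporter, IPs and counts are invented.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report: one genuine relay, one bulk phisher and
# one small third-party sender that nobody told IT about.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>2014-09-01-creditcardbrand</report_id>
    <date_range><begin>1409529600</begin><end>1409615999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>creditcardbrand.co.uk</domain>
    <adkim>s</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>creditcardbrand.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>creditcardbrand.co.uk</domain><result>pass</result></dkim>
      <spf><domain>creditcardbrand.co.uk</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>8500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>creditcardbrand.co.uk</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.9</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>creditcardbrand.co.uk</header_from></identifiers>
    <auth_results>
      <spf><domain>esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarise(report_xml):
    """One entry per source IP: volume, DMARC results and the domain the
    sender used at SMTP MAIL FROM (raw SPF result, before alignment)."""
    root = ET.fromstring(report_xml)
    reporter = root.findtext("report_metadata/org_name")
    rows = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        evaluated = rec.find("row/policy_evaluated")
        rows[ip] = {
            "count": int(rec.findtext("row/count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "mail_from": rec.findtext("auth_results/spf/domain"),
            "reporter": reporter,
        }
    return rows


def unauthenticated_sources(rows):
    """Sources whose mail failed both aligned DKIM and aligned SPF, largest first."""
    failing = [(ip, r["count"]) for ip, r in rows.items()
               if r["dkim"] != "pass" and r["spf"] != "pass"]
    return sorted(failing, key=lambda item: -item[1])


def total_messages(rows):
    return sum(r["count"] for r in rows.values())


if __name__ == "__main__":
    rows = summarise(SAMPLE_REPORT)
    print(f"{total_messages(rows)} messages seen by {rows['203.0.113.5']['reporter']}")
    for ip, count in unauthenticated_sources(rows):
        print(f"  {ip}: {count} failed, MAIL FROM domain {rows[ip]['mail_from']}")
```

The MAIL FROM domain in the auth_results block is what separates the two failing sources: 198.51.100.7 bouncing through bulk.example.net is take-down material for component four, while 192.0.2.9 sending via esp.example.net looks like the well-intentioned internal marketing launch of component five, and needs an aligned DKIM signature rather than an abuse report.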
The fourth component focuses on using intelligence from monitoring services to find and disrupt infrastructure being used to carry out fraud campaigns against your customers using your brand or organisation’s name. Hunneybell said that this is about targeting the command services to which a phishing campaign leads.
He said: “It is a mechanism for how phishing websites work, as a message goes out and we need improved ways of warning the user that the site they visit is fraudulent.”
The fifth component claims that “internal organisational policies can prevent well-intentioned internal efforts”, and Hunneybell said that this is about email hygiene and if it does not look legitimate, then it may look like phishing, and the more you do, the more you could be opening yourself up to attackers.
The final component requires some future-gazing, and as Tucker said to me, it is about every component preventing a spammer abusing your brand, and preventing their communication and control options.
Any effort to push advice for the benefit of the industry has to be positive, especially coming from those doing the job who obviously see this as a big enough issue. Let’s hope the whitepaper is read, and action is taken, so that the format of email can be reclaimed for good.
Ed Tucker and Ian Hunneybell were talking to Dan Raywood