Two new research reports find that e-mail spoofing attacks are on a steep rise. And one of those reports says that businesses in the financial services sector appear to be most vulnerable to having their corporate identities hijacked.
Phishing, or spoofing, attacks involve the mass distribution of e-mail messages with phony return addresses, links or branding that make them appear to come from banks, insurance agencies or any other legitimate business.
In reality, those fraudulent e-mails come from spammers, senders of unwanted commercial e-mail, who hope to trick end users into giving up credit card numbers and other personal information. The practice can result in stolen money and identity theft.
The new report, "Phishing Attack Trends Report for February 2004," was released by
Two reports, similar findings
The APWG said it received 282 new reports of unique phishing attacks in February, representing a 60% increase over the previous month, and a 163% increase over December.
Similar findings were reported this week by New York-based MessageLabs Inc.
The security software vendor said that over the past six months, the number of phishing e-mails rose from 279 to 215,643. That number had spiked to 337,050 in January before dropping to the most recent figure, which was from March.
The APWG report broke the numbers down further. It found that February averaged 9.7 phishing attacks per day, that eBay was the most frequently spoofed company and that the financial services sector was targeted more often than any other industry.
The identity of Regulations.gov, a government agency, was also spoofed during February in an attack designed to steal consumers' personal information.
Spoofing anyone, anytime
Experts and IT professionals interviewed say there is little that companies can do to avoid having their e-mail addresses spoofed.
"If you give me your e-mail address, then I could send you an e-mail from God in heaven," said Daniel V. Klein, an independent consultant, proprietor of a small Internet service provider (ISP) and a longtime antispam crusader.
The trick for spammers is getting phishing targets to take the bait. "Attempting impersonation is easy," Klein said. "Succeeding at it is hard."
Analyst Michael D. Osterman described one relatively simple phishing approach. "I could use (Microsoft) Outlook to set up any domain, and I would then supposedly be sending from that domain," said Osterman, of Black Diamond, Wash.-based Osterman Research.
But while protecting your users' e-mail addresses from being hijacked is virtually impossible, there are a couple of ways to avoid receiving spoofed e-mails. Experts say that it's simply a matter of employing technology that detects and then weeds out spoofed e-mails along with the rest of the unwanted spam.
Apply SPF protection liberally
Osterman, along with Nick Shelness, a research analyst with Ferris Research and a former chief technology officer for Lotus Development Corp., explained that the best way to filter out spoofed e-mail is to deploy Sender Policy Framework (SPF) authentication on your mail servers.
SPF is an antispam approach in which the Internet domain of an e-mail sender can be authenticated. SPF and other authentication schemes, such as Yahoo's Domain Keys and Microsoft's Caller ID, work by making it easier for a mail server to determine when a message came from a domain other than the one claimed.
SPF seals a hole in Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, which doesn't include an authentication mechanism.
"Basically, what happens is that when I receive e-mail, let's say from Microsoft.com, my mail server automatically looks [at a database to find out] if this sender has an authorized IP address for that domain," Osterman said.
"Support one authentication scheme or all of them," Osterman added. "I think they'll be an important weapon in the war on spam."
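The lookup Osterman describes, a receiving mail server asking whether the connecting IP address is authorized for the domain in the sender's envelope, is the core of SPF. The following is an added example written for this article, not code from the article, the APWG, MessageLabs or any SPF implementation. It evaluates a simplified subset of SPF (the ip4, ip6, a, mx, include and all mechanisms with their +/-/~/? qualifiers) against a constructed in-memory DNS table, so it runs offline; the domains, addresses and records in `FAKE_DNS` are made up for illustration.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS so the example runs offline.
# Domains and addresses are documentation/example values, not real records.
FAKE_DNS = {
    "bank.example": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.example -all"],
        "MX": ["mail.bank.example"],
    },
    "mail.bank.example": {"A": ["198.51.100.10"]},
    "mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "shop.example": {"TXT": ["v=spf1 a ~all"], "A": ["198.51.100.20"]},
    "nospf.example": {},  # publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(domain, rtype):
    """Hypothetical DNS query answered from the constructed table."""
    return FAKE_DNS.get(domain.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_matches(ip, cidr):
    # ipaddress returns False for a v4 address tested against a v6 network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting client IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Simplification: modifiers such as redirect= and CIDR suffixes on the
    a/mx mechanisms are not handled; an include that does not yield
    'pass' is simply treated as not matching.
    """
    if depth > 10:  # SPF limits lookup-causing mechanisms to 10 (RFC 7208)
        return "permerror"
    record = get_spf_record(domain)
    if record is None:
        return "none"
    try:
        for term in record.split()[1:]:
            if "=" in term:  # modifier (e.g. redirect=), skipped here
                continue
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip_matches(ip, arg)
            elif name == "a":
                matched = ip in lookup(arg or domain, "A")
            elif name == "mx":
                matched = any(ip in lookup(mx, "A")
                              for mx in lookup(arg or domain, "MX"))
            elif name == "include":
                matched = check_spf(ip, arg, depth + 1) == "pass"
            else:
                return "permerror"  # unknown mechanism
            if matched:
                return QUALIFIERS[qual]
    except ValueError:
        return "permerror"  # malformed IP or CIDR in the record
    return "neutral"  # nothing matched and the record has no 'all' term


def evaluate_envelope(client_ip, mail_from):
    """Check the SMTP MAIL FROM domain against the connecting client IP."""
    domain = mail_from.rpartition("@")[2]
    return check_spf(client_ip, domain)


if __name__ == "__main__":
    # Constructed envelopes: one from an authorized relay, one spoofed.
    for ip, sender in [("192.0.2.7", "alerts@bank.example"),
                       ("10.0.0.1", "alerts@bank.example")]:
        print(ip, sender, "->", evaluate_envelope(ip, sender))
```

A receiving server would plug `evaluate_envelope` in at the SMTP stage, using the client's connecting IP and the MAIL FROM address; a "fail" result from a domain ending its record with "-all" is the signal that lets the server reject or quarantine a message claiming to be from that domain. Note that a "none" result (as for `nospf.example`) gives the receiver nothing to act on, which is why the article's experts urge organizations to publish records.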