Phishing steals spotlight at MIT Spam Conference

While the volume of unwanted e-mail ebbs and flows, the nature of unwanted e-mail is steadily becoming more dangerous, say spam experts.

Advances in anti-spam technology and increased use of these products are delivering somewhat cleaner in-boxes and less-annoyed e-mail users, experts say. But no technology has been developed that can effectively protect e-mail users from phishing attacks that steal personal and financial information, and until this form of fraud can be detected and blocked, unwanted e-mail remains a threat.

“The spam problem will get worse, and the reason is phishing,” said Bill Yerazunis, senior research scientist with Mitsubishi Electric Research Laboratories, and chairman of the MIT Spam Conference, which held its fourth meeting in Cambridge, Mass., last week. Yerazunis estimates 20% to 30% of all spam messages are phishing attacks. “For people who aren’t ‘Net savvy, they could lose their retirement money,” he said.

The response rate for phishing e-mails is higher than for spam, said Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more unsolicited e-mail, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage of recipients click on them, he said.

Not only is phishing dangerous for potential victims, it is destroying banks’ and other companies’ ability to communicate with their customers in the most effective way, Judge continued. “Some of the most powerful entities on earth can’t talk to their customers over e-mail” because phishing has corroded their customers’ trust, he said.

As one of the dozen companies, universities and laboratories presenting papers at the MIT Spam Conference last week, CipherTrust focused its talk on the rising threat of phishing. The company last week also announced PhishRegistry.org, a service designed to warn legitimate Web sites when they are being spoofed by phishers.

Anti-spam products that filter content aren’t able to catch phish because the actual theft doesn’t happen in e-mail, but at the forged Web site that a phishing message sends recipients to, said Jonathan Zdziarski, research scientist at CipherTrust. The company has developed technology that creates a digital fingerprint of a Web site suspected to be bogus, and of the site it is spoofing, and compares the two.

Once a bogus site is identified, CipherTrust feeds that information into its Radar anti-phishing service and posts a notice at PhishRegistry. org, which Zdziarski defines as a “neighborhood watch for your Web site.”

Another company, MarkMonitor, attempts to identify potential phishing sites by these sites’ domain names. The company, which is a domain registrar, provides a service that looks for newly registered or altered sites with domain names that are close to legitimate domain names, such as bankofamerica1. com, says Chuck Drake, senior vice president of fraud solutions.

Advance notice of a potential phishing scam lets MarkMonitor’s customers work to shut down the fraudulent site through claims such as brand infringement, Drake said. If a phishing attack does happen, MarkMonitor’s service also shuts down the fake site by contacting the site’s ISP and presenting evidence of fraud.

This week MarkMonitor plans to announce a service called Phishing Readiness and Response, designed to bring these services to small and midsize financial institutions that may not have staff dedicated to fraud detection and prevention. The company says between July 2005 and January 2006 phishing attacks that target institutions with less than $500 million in assets jumped from 1% to 6% of all phishing attacks.

Sender authentication is another technology thought to be effective in preventing phishing, although it hasn’t been widely adopted.

Fresh from an IETF meeting last month, Sendmail’s Chief Science Officer Eric Allman spoke at the MIT conference about the progress being made with Domain Keys Identified Mail (DKIM), a sender-authentication proposal from Yahoo and Cisco that’s wending its way through the standards body, and how it can be used to fight phishing.

While DKIM isn’t a cure-all for spam and phishing, it presents an effective way for signers to assert that they really did process messages, and to hold them responsible. But DKIM and other authentication approaches won’t work in a vacuum, he said. “We need to use authentication as input to a larger system; it’s one part of a big toolbox,” Allman said. “If something is authenticated that doesn’t necessarily mean that it’s good.”

Another way to fight phishing is through public awareness. In preparation for tax season, the IRS last week announced an e-mail address – phishing@irs.gov – where residents can forward bogus messages claiming to be from the IRS.