DMARC Goes Live

January 31, 2012

Yesterday, dmarc.org released the new DMARC standard for email.  Contributors to the DMARC standard include Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, TDP, and Yahoo!.

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.”  DMARC provides important extensions to the existing email authentication standards by providing automated and standardized methods to process messages that fail email authentication. DMARC explains the significance of this enhancement:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Let’s look at an example. If a phisher spoofs “paypal.com”, PayPal’s real domain, the bad guy cannot send email from PayPal’s email servers. Because the bad guy can’t use the real email servers, the fake paypal.com email will fail authentication. Before DMARC, webmail services such as Hotmail, Yahoo! Mail, AOL Mail and Gmail lacked a systematic way for senders to tell them what to do with emails that failed authentication. This is where DMARC comes into play. If PayPal is using DMARC, webmail providers will know that PayPal wants them to reject the fake “paypal.com” email.

Let’s look at another example. What does DMARC do if a phisher uses a deceptive email address instead of “paypal.com”?  Consider the example of paypa1.com, where the last letter is really the number one instead of the letter el. Because the deceptive domain is not paypal.com, the deceptive domain is not governed by the authentication records of paypal.com or the DMARC instructions for paypal.com. The authentication records and DMARC instructions for paypal.com govern only paypal.com and not the other hundreds of millions of domains that exist and will be created. DMARC will have no impact on paypa1.com emails.

While DMARC can deny bad guys the use of the actual domains of trusted senders, DMARC cannot stop bad guys from using domains that are not the actual domains of trusted senders. DMARC will not stop pay-pal.com, fasebook.com, or the myriad of other deceptive domains that bad guys will dream up. DMARC is useful because it:

  • allows senders to specify handling policies about messages that fail authentication, and
  • provides feedback that can help senders improve their authentication accuracy,

but it only addresses one of many doors that phishers use to get into the inbox.
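The two examples above can be reduced to a small receiver-side policy check. The following is an added illustration, not code from the original post or from dmarc.org: it parses a DMARC record, applies relaxed identifier alignment, and returns the sender’s requested disposition. The DNS table and the reporting address are constructed, and the organizational-domain helper is a deliberate simplification of what a real receiver does with the Public Suffix List.

```python
# Added example: minimal DMARC disposition logic for a receiving mail server.
# Constructed stand-in for DNS: only paypal.com publishes a policy here.
# (A real receiver queries the _dmarc.<domain> TXT record.)
DNS_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.test",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Real implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain and the visible
    From: domain share an organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if an aligned SPF or DKIM result passes, the policy
    ('none', 'quarantine', 'reject') if neither does, or None when the
    From: domain publishes no DMARC record at all (e.g. paypa1.com)."""
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record is None:
        record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if record is None:
        return None  # not governed by any sender policy
    policy = parse_dmarc(record)
    if policy.get("v") != "DMARC1":
        return None  # malformed record: treat as no policy
    spf_ok = spf_pass and aligned(spf_domain, from_domain)
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")
```

A forged From: paypal.com message sent from a phisher’s server fails both checks and is rejected, while paypa1.com returns None because no policy exists to apply.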

To deal with all the doors leading to your inbox, you need more. You need a service that can distinguish real from fake for leading consumer brands, regardless of the methods that phishers use. You need eMail ID from Iconix.

Know Who. No Doubt. Use eMail ID.


Zappos Hacked: Customers Beware Phishing Scams

January 16, 2012

It is being widely reported in the press that an estimated 24 million Zappos user accounts have been compromised.

Mashable reports:

Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.

The bad guys now have very useful information with which to craft very convincing fake email.  What they cannot do is use the real Zappos email servers.  You can easily identify email that really comes from Zappos by using a tool that identifies real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


IRS Email Warns Of Phishing — Is the Warning Phishing?

January 12, 2012

Today the IRS issued its Tax Tip 2012-08 warning about phishing scams aimed at US taxpayers.   Subscribers to IRS information services received an email about the warning.

This is a screen shot of the email:

Is this a real IRS email?  Did you notice these odd things about it?

Why would I open such an obviously fake email?  Because it isn’t fake — it is real.  I know it is real because I use the products of Iconix.  This is what my display looks like with SP Guard turned on:

The IRS really made spelling errors and the IRS really sends emails from the domain govdelivery.com.

Know Who.  No Doubt.  Use eMail ID and SP Guard.


Apple Phishing Scam Alert

December 29, 2011

CNET is warning about a phishing scam in which the bad guys are sending emails that are fake billing error notices from Apple.

Apple Phishing Scam

CNET reports that unlike other Apple phishing scams, in this scam the bad guys have created a reasonably convincing fake.  The grammar and spelling are correct and the message is formatted to look like a real Apple message.  The email address that is displayed looks like it could be from Apple – “appleid@id.apple.com.”  However, it isn’t real. Following the links will land at a fake Apple website that also looks pretty convincing. The fake Apple website requests your Apple ID and password. It then prompts you to update your personal data, including your credit card information. DON’T DO IT!

CNET provides useful advice on detecting the scam. CNET explains how to unwind URLs and then how to compare the fake URLs to real Apple URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Being conversant with all the real URLs is impossible.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


Iconix Issued Fifth U.S. Patent for Email

December 6, 2011

Today the United States Patent and Trademark Office issued Iconix its fifth patent titled “USER INTERFACE FOR EMAIL INBOX TO CALL ATTENTION DIFFERENTLY TO DIFFERENT CLASSES OF EMAIL.” The abstract for U.S. Patent 8,073,910, dated December 6, 2011, states: “A user interface for email users which calls attention to one or more categories of emails in different ways.”  Iconix filed the patent application on March 3, 2005.

Technology from this patent is used in all of the Iconix® offerings, including the Iconix Truemark® service, which helps protect consumer users from phishing attacks, and Iconix SP Guard™, which protects enterprises from spear-phishing attacks. The Iconix services highlight legitimate email messages with an icon in the inbox and open messages, giving users an intuitive “visual ID” for key email messages, thus allowing them to easily distinguish real from fake. The result is increased trust and confidence in email and increased safety for users and businesses.

US Patent 8,073,910

Learn more by reading the entire press release at:  http://iconix.com/corp/pr-20111207.php


Phishers Use Cyber Monday for Scams

November 29, 2011

Computerworld reports that cybercriminals are using phishing scams to rip off consumers during this holiday shopping season.  The bad guys are spoofing legitimate messages from real companies in order to deceive consumers.  The criminals are sending fake shipping confirmations, fake Groupon and Living Social offers and fake social traffic.  A common scam is a fake email about problems with a transaction, such as a delivery problem, a canceled order or direct deposit.  Cloudmark has reproduced this example of a fake UPS email:

Computerworld quotes Cloudmark engineering director Angela Knox about details of the UPS-based phishing scam.  This phishing scam lures recipients into either opening an attachment or clicking on a link to infect machines with malware.

“We’ve seen a number of variants in this campaign, some with attachments, some with no attachments and bad links, all of them personalized to the recipient, and sent from an ever-changing list of fake UPS employees or the generic ‘UPS Customer Services,’” said Knox in a blog post today.

The attached files are actually .zip archives that contain malware, said Knox, while the links lead to compromised or hacker-controlled websites that host attack code.

“With Cyber Monday kicking off the online holiday shopping frenzy, online shoppers should remember to be vigilant about any email message that they receive,” said Knox.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


Xbox Live Phishing Scam — Microsoft Reimburses Ripped-off Users

November 25, 2011

The Guardian is reporting that Microsoft is giving refunds to Xbox Live subscribers who may have had their credit card information stolen in a phishing scam.   The Guardian describes the scam in its November 22, 2011 edition:

Reports are proliferating of Xbox Live users checking the credit card and bank account statements which they use to pay their Xbox Live subscriptions, and discovering payments which they did not make, generally over a period of months, which were used to buy Microsoft Points (the service’s currency which enables users to purchase extra downloadable content, games and in-game objects) which were then cashed in to buy downloadable content from EA Sports – specifically Ultimate Team Packs for its games FIFA 12, Madden and NBA.

EU provides more details about the scam on its website.

You receive an email that appears to be from EA concerning an Ultimate Team promotion. You click on the link in the email, go to what appears to be the Ultimate Team login page, and enter your account name and password. Two days later you discover all the gold players you’ve worked so hard for have disappeared.

This is the fake website that is launched from the phishing email:

EU advised that the official EA website uses the following URL: http://www.ea.com/. Any other similar-looking URL is not official and should not be clicked on.

As this image from the EA website shows, the difference between the scam website and the real website is extremely subtle.

This is a close-up of the URLs.

To this advice, we add that you should use the latest version of a reputable security product (such as the products of Trend Micro) and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Being conversant with all the real URLs is impossible.  You need a tool to identify real email.  You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


CYBER SECURITY AWARENESS MONTH FAILS TO DETER PHISHERS – RSA

November 17, 2011

RSA’s recently released report Cyber Security Awareness Month Fails to Deter Phishers explains that despite efforts to increase awareness and fight phishing, deceptive emails continue to be a major problem.

Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals. RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

RSA shows the recent growth of phishing:

RSA Tracks Phishing

You should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  You should be careful.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Unless you have the right tool.

Know Who.  No Doubt.  Use eMail ID.


SEC Issues Guidance on Cyber Risk Disclosure

October 19, 2011

On October 13, 2011, the United States Securities and Exchange Commission (SEC) issued formal guidance on how U.S. publicly traded companies should disclose cybersecurity risks and data exposure.  In the guidance, the SEC states:

Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.

Of course,  Iconix is not in the business of giving legal advice and we suggest that anyone interested in this topic should read the SEC formal guidance and consult with their attorneys.  We are in the business of providing technology that improves the integrity of email. For email correspondence with customers, we offer our Truemark service.  For internal email correspondence, we offer our SP Guard solution.

For further information on our email solutions, contact us at 408-727-6342, ext 3 or use our online form.


Hotel Refund Email Scam

September 9, 2011

Sophos reports on a new email scam.  In this scam, the bad guys are sending emails that claim to offer a refund for erroneous hotel billings. In order to claim the refund, you must use the attached zip file.  The zip file contains malware which loads a Trojan Horse onto your system. This Trojan Horse can be used to take control of your computer, giving the bad guy the ability to steal your personal information or turn your machine into a spam zombie.

What can you do to protect yourself?  You should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands. Distinguishing real email from fake email is hard.  Unless you have the right tool.

Know Who.  No Doubt.  Use eMail ID.

