10 February 2012

Free Email Providers Launch DMARC.org To Prevent Phishing Scams

Leading free email providers like Google, Microsoft and Yahoo are teaming up in an effort to prevent “phishing” scams. As WWJ’s Rob Sanford reports, the unprecedented effort was announced this week.

The companies have created a working group – DMARC.org – to promote a standard set of email technologies that they say will lead to more secure email.

According to its website, DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance,” standardizes how email receivers perform email authentication. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC.

With the rise of the social internet and e-commerce, spammers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards and more. Email is easy to manipulate and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.

CNET executive editor Molly Wood said phishing is threatening the legitimacy of email.

“I think it’s hard sometimes for these companies to work together. They don’t always think it’s in their best interest to come together, but I think it’s gotten to the point now where phishing scams are so prevalent, that all of these companies are worried that their customers are going to stop trusting their legitimate email,” said Wood.

The arrangement will not stop all spam or phishing but will stop what they call a “significant chunk” of malicious messages sent.

DMARC helps email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse. Find more information at DMARC.org.

Source: http://cbsloc.al/zhdnzo

09 February 2012

I will NEVER ask for your password


There are a lot of bad things on the Internet, and few are worse than phishing scams. But there is a certain class of phishing scam that has earned a special level of disdain and disgust, at least from me. I’m talking about the phishing scams that target Hotmail customers using my name, my picture, and even my signature. Grrrr.

Let me clear something up right off the bat: I will never ask for your password. No one from Hotmail or Microsoft will ever ask for your password. In fact, no legitimate service will ever ask for your password. If you ever get an email asking for any password to any service, you can be sure, without a shadow of a doubt, that the email is a phishing scam. Just junk it. (Or, in Hotmail, mark it as a phishing scam using the “Mark As” menu.)

Phishing scams

Spammers want to send spam. That’s what they do. As I said in my last post, we’ve made it hard for them to send spam with new accounts due to the effectiveness of our account reputation work. So, spammers have turned to hijacking customer accounts in order to send more spam.

Phishing scams are one of the simplest ways that spammers use to gain control of your account. The spammer sends an email that asks for your password, usually with a threat that your account is about to be closed. You reply, providing your password, and, Voila! Your account (and reputation) is hacked.

Spammers do this on all networks and all services – Hotmail, Gmail, Yahoo!, Facebook, AOL – spammers do not discriminate, and no service is immune.

How my picture got out there

Hotmail sends email to our customers fairly regularly to update people on various things, such as the availability of new software or features, or even to remind people about security measures, like creating a strong password or adding your mobile phone number to your account.

About a year ago, we decided that we would make these messages more personal by including my name, my picture, and my signature.

That decision has really come back to haunt me.

A gift to spammers

Almost immediately, the spammers copied that email, including my picture, name and signature, and modified the content so that it said something like “Your account is about to be shut down unless you reply to this email with your account name and password.”

This is a classic example of a phishing scam, and one of the most common ways that accounts get compromised. Here’s an example:

[Image: An example of a phishing scam]

The bottom of that same email looks like this:

[Image: Phishing scams use Dick Craddock's name and picture]

Yep. That’s me, all right. But that email is definitely not from me.

Even smart people fall for it

Phishing messages can look very real and convincing, so even smart, tech-savvy people fall for them. I get asked about this quite a bit.

Here’s a conversation that took place on my public Facebook page. The first person asks, “I got this message, is it really you?” In response, our Development Manager, Eliot, displayed both his penchant for pithiness and his mastery of high school French:

[Image: Facebook messages]

Phishing scammers know that they’ll get better response rates by using my pictures and my signature to produce email messages that look legitimate. They even translate their scams into multiple languages to broaden their reach.

The telltale signs of a phishing message

As I’ve said, any email that asks for your password is a phishing scam and shouldn’t be trusted. You don’t need to look any further to know the message is a fake. Nonetheless, it’s interesting to see how “creative” the scammers can get. Here are some tactics scammers use to get people to provide their account info:
They copy Hotmail’s marketing images. These phishing messages usually contain the latest image from Hotmail’s own marketing campaigns, like this one:

[Image: Hotmail header]

They provide a bogus reason for needing your password. The messages usually contain an introduction that offers a false explanation about why they need your password. Some of my favorites include:
  • “We are currently upgrading our data base and e-mail account center.”
  • “We are deleting all unused accounts to create more space for new accounts.”
  • “We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better.”
  • “We are having too many congested email due to the anonymous registration of Hotmail Msn-Live Accounts in our database system.”
Rest assured: NONE of these will EVER be a legitimate reason to ask for your password.
They design a subject line to scare you. The subject lines call for your immediate attention and are often intended to be scary. Here are a few common examples:
  • Some variation of “Account Alert!!!”, or “Account upgrade alert,” or “Email account alert.”
  • Some variation of “Account renewal process,” or “Verify your account details.”
  • Some variation of “Email Warning!!!”, or “Verify your email now to avoid being closed!!!!!”
(Scammers really like to use exclamation points!!!! A lot!!!)
They send the email from a bad “From” address. The “From” address in the email is often a dead giveaway. At a glance, it might look like you’ve gotten mail from the Hotmail Team. But if you look at the actual email address, it’s almost always something fishy (phishy?). Typically, scammers just use the name of a Hotmail customer account.

Get educated, educate others

In a perfect world, no one would ever give out their password, and the phishing scams would be ineffective, and would just stop. You’ve already taken a step to helping us get there by reading this post, and now you can help pay it forward by educating others.

Any email that asks for your password is a phishing scam. If anyone ever asks you, “Hey, is this email legit?” just say, “If it asks you for your password, then it is absolutely, definitely, without question a scam! Report it as junk!”

As a final note, some of you might be wondering, Why can’t Hotmail detect these scams? We can detect these scams and do detect many of them. But it’s just a numbers game, and spammers are capable of producing a huge volume of phishing scams, with enough variation in the text and images to fool our filters a small percentage of the time. In addition, it’s important for us to keep the false positives low – meaning that we don’t want to mistakenly identify a legitimate email sent from a good user as spam.

So, until we get to that perfect world without spammers, we’ll be here building better and better systems to battle the bad guys. Thanks for reading, and thanks for using Hotmail.

08 February 2012

Sir Spamalot and Lady Phishing


I am a millionaire. Actually, I’m a multi-millionaire. Or rather I could be if I helped the honorable Mr. Nagumba get his money out of Nigeria, or helped Barbara get her money out of Brazil, or picked up my unclaimed lottery winnings, or helped another half dozen people in the last month. 

I have won $1500 several times a day for the last few months. I have won a new car. I have important packages waiting to pick up from FedEx and UPS. I am being audited by the IRS and they sent me an attachment that included an executable notice with instructions. I won a 15 day cruise if I qualified – they only needed a credit card number to confirm my identity and that I am over 18. I can get my teeth whitened or Lasik eye surgery for 80% off. I have qualified for a special deal on a new BMW 335 with experimental pricing, and can get in a brand new one for under $15,000. Two of my credit cards have been compromised so I needed to log onto the included website to verify and change my account information. As a matter of fact, another credit card that I don’t even have was also compromised, and I needed to log on there too. One of my bank accounts appears to have some out-of-date information associated with it. I can get really cheap Viagra (sic) cheap online, Heather thinks I’m hot, and there seem to be way too many people interested in my manhood.

Analyzing Spam

My personal spam folder is pretty thin. I try to trim spam aggressively. Just in the last 24 hours I have received 42 emails. Three from family, 21 advertisements from retailers (it’s beyond me why I need a daily reminder from a retailer telling me that they are still open and selling the same stuff they’ve been selling for the last five years), and 18 spam. Now, I have no idea how much spam my ISP trims before it even gets to me, but I assume it is a lot. A quick search shows unofficial estimates that spam is somewhere between 60 and 97% of all email sent. By the best accounts I can find, that means around 40 billion spam emails every day (give or take a few billion). The numbers are down slightly from 2010 partially because three botnets (Rustock, Lethic, and Xarvester) have been somewhat throttled. The closure of spam specialist Spamit helped as well. But, as we all know, spam has not gone away.

Unfortunately, spam means money. Spam brings with it a variety of issues, but it also delivers chunks of money and other opportunities to those who generate it. Pay-per-click sites still exist, and if you send 100 million spam messages and get 1% of recipients to click through – ka-ching! Say you send 50 million spam messages that contain a link for a free virus scan, and you can get 0.5% of those recipients to follow through with a fake purchase for ONLY $29.99 – that’s $7.5 million – ka-ching! Credit card information is not worth what it used to be, but if you can send 100 million fake “change your password” notices to BigBlueBank customers, and 1% of them go through your fake link and update their password – ka-ching! And even if they can’t get something from you, maybe they can compromise some low percentage of recipients with a Trojan or sniffer. The numbers add up quickly because of volume.

But spam and phishing emails are not always obvious, are they? Well, some of them are. If the email subject line includes things like “Cialis” or “Replica Handbags”, I think the chance that it is spam is probably something around 100%. But do we always know? I included an example of a recent phishing email I received (names have been changed). It looks pretty good at a glance, but there is a lot wrong with it if you pay attention.

Let’s look through it in detail.

[Image: Spam Example]

Let’s work on the premise that the logo and all the colors are correct, and that at a glance, this looks authentic – it appears to be an email from BigBlueBank, where you have an account registered with online access. What is wrong with the email?

1. BigBlueBank Online may be the correct name, but the chance that the return email address is correct is low (read “low”, think “nonexistent”). Notice that it is @onlinesvc.com. If this was really from BigBlueBank, chances are pretty good that it would be @BigBlueBank.com. If the return address just shows as BigBlueBank Online, hold your cursor over the name. The actual associated email address should show in a mouse-over or in the lower left corner of your browser.

2. “To: undisclosed-recipients” - If this was genuine, it would actually be addressed to your specific email address, and NOT show as a bulk email with hidden addressees. Check what your bank emails you now – they are all to your real email address.

3. “UPDATE YOUR INFORMATION!” – This pushes an immediate sense of urgency. Not necessarily a blazing orange flag, but it should raise your skepticism when you get an email so obviously trying to raise your personal sense of alarm.

4. “This message is a critical one…” This was obviously written by a person whose primary language is not English. Normal English phrasing would be “This is a critical message…”. If BigBlueBank is based in South Carolina this should get your attention. If they are based in Germany, it probably still should, but not quite as much.

5. “It has come to our attentions,” “This require” - The extra “s” on attention and the missing “s” on require are perfect examples of disagreement in tense, and errors. These are strong indicators that the writer is not a natural English speaker, and that whoever sent the email did not spend enough time proofreading and editing the content. If BigBlueBank is a top 10 bank in the Americas, what are the chances that they would not have a proofreader check everything that went out (Hint: the answer is 0%)?

6. “Your Account information” and “The Account update…” – What is with the random capitalization of “Account”? Errors like this should be blazing a hole in your brain by now.

7. “Is also a new BigBlueBank” – This is just an awkward sentence. Read the whole sentence from the email. Perhaps “the account update also includes” or something similar, but again, it is an error in grammatical construction that should tell you this is not a professional email.

8. “Services security statement…” – Again with the random capitalization of “Services”? Brain. Hole. Burning.

9. “Goes according” – Perhaps if it read “is in accordance” this would not raise alarms, but the misuse of the “ing” is a common error for a non-natural English speaker.

10. “On our terms of service” – “in” our terms of service would be appropriate for an English speaker, and even more appropriate in a professionally prepared communication.

11. 5:55 AM 20/01/2012 – This is actually the first thing I saw in the email that made me say “fake”. The date is shown as day/month/year, which is predominantly European or other international convention. Standard in the United States would be 01/20/2012. I know the other way sorts better, but it is aberrant construction in the U.S. If you are not from the U.S., this probably does not bother you as much as it did me.

12. “May result on a suspension of your account” – “on” is again wrong. A natural English speaker would say “in”. This also implies a threat designed to increase your sense of urgency and decrease your vigilance.

13. BigBlueBank Upgrade Home – Look at that. How convenient it was of them to include a link back to Bigbluebank for you. Just hold your mouse over the hyperlink (don’t bother; it won’t work on the example, since the hyperlink has been removed). By now you realize the chances that the link actually has anything to do with bigbluebank is exactly 0%. In the example of this email, it actually linked to something like the following – the fact that bigbluebank is not the domain should be an obvious clue: http//generalupdates.gh.ost.de/bigbluebank/account_update/index.php.

14. 1-888-XXX-XXXX – Very nice to have an included phone number. It really does help make the whole thing look better. Especially if you dial the number and someone in a call center answers it “Big Blue Bank – Customer Service, how can I help you?” First of all, check the provided number against the customer service number on your bank statements or against the number provided on Bigbluebank’s real website. It may be close but it will not match. Your second clue is that someone actually answered the phone and you did not have to go through a Voice Response system – when was the last time that happened?

15. “Will be helping” – there is that “ing” again. “This will help us” would not raise alarm, but the improper English should have your spinal column on fire by now. You should almost expect it to say “will to be helping us” like some alien speaking through an electronic translator.
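As an added illustration (not code from either post), the following Python script turns the mechanical checks from the Hotmail post's telltale signs and from the numbered list above into a heuristic run over a constructed message modelled on the BigBlueBank example: sender domain versus the claimed brand, undisclosed recipients, a scary subject, a request for the password, a link pointing off-brand, a day-first date and a suspension threat. The brand domain, the sample headers and the placeholder link host are assumptions, and the grammar-based cues are left to a human reader.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the BigBlueBank message walked through above,
# not the original email; the link host is a placeholder.
SAMPLE = """\
From: BigBlueBank Online <alerts@onlinesvc.com>
To: undisclosed-recipients:;
Subject: UPDATE YOUR INFORMATION!!!
Content-Type: text/html; charset=utf-8

<p>This message is a critical one. It has come to our attentions that your
Account information needs an update. 5:55 AM 20/01/2012</p>
<p>Reply with your account name and password, or visit
<a href="http://generalupdates.example.net/bigbluebank/index.php">BigBlueBank
Upgrade Home</a>. Failure may result on a suspension of your account.</p>
"""

URGENT = re.compile(r"\b(alert|verify|suspen\w*|urgent|immediately|closed)\b", re.I)
PASSWORD = re.compile(r"\bpassword\b", re.I)
DAY_FIRST = re.compile(r"\b(\d{1,2})/(\d{1,2})/\d{4}\b")
URL = re.compile(r"https?://[^\s\"<>]+")

def same_org(host, brand_domain):
    """True if host is the brand's domain or a subdomain of it."""
    host = (host or "").lower()
    return host == brand_domain or host.endswith("." + brand_domain)

def phishing_indicators(raw, brand_domain="bigbluebank.com"):
    """Return the telltale signs from the posts that appear in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    sender = msg["From"]                       # display name vs. real address
    if sender is None or not sender.addresses or not same_org(sender.addresses[0].domain, brand_domain):
        hits.append("from-domain-mismatch")
    to = msg["To"]                             # bulk mail with hidden addressees
    if to is None or not to.addresses:
        hits.append("undisclosed-recipients")
    subject = msg["Subject"] or ""
    if subject.count("!") >= 2 or URGENT.search(subject):
        hits.append("scare-subject")
    body = msg.get_content()
    if PASSWORD.search(body):                  # no legitimate service asks for it
        hits.append("asks-for-password")
    if any(not same_org(urlparse(u).hostname, brand_domain) for u in URL.findall(body)):
        hits.append("link-domain-mismatch")
    m = DAY_FIRST.search(body)                 # dd/mm/yyyy from a US-facing brand
    if m and int(m.group(1)) > 12:
        hits.append("day-first-date")
    if URGENT.search(body):                    # "may result on a suspension"
        hits.append("threat-of-suspension")
    return hits
```

Running `phishing_indicators(SAMPLE)` lists all seven indicators for the constructed message, while a plain statement notice from the brand's own domain yields an empty list.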

If in doubt, bring up the genuine bigbluebank.com website by typing it into your browser yourself (completely ignoring their link, if you please), and check for information there. Locate their contact information to email, or call them to ask if they sent the information. Chances are that bigbluebank has its own security group that is interested in abuse and phishing emails. They may want you to forward a copy of the email to them for their own review if you feel like going that far.

Perhaps this was not the best example because this email was chock full o’ clues. But these are exactly the types of indicators you will see in many phishing emails. The fact that you even got this email should immediately raise your level of awareness, so everything else should follow.