Anti-Phishing Groups Outline Best Practices

Two e-mail industry trade groups have issued a joint document detailing best practices with which ISPs and other mailbox providers should comply to combat the deceptive online fraud known as phishing. Besides harming consumers, phishing damages brands and e-mail marketing as a whole, because consumers wary of attacks can grow skeptical of all commercial messages.

The Anti-Phishing Working Group (APWG) and the Messaging Anti-Abuse Group (MAAWG) jointly released a set of recommendations for implementing several types of protection schemes, which include recommendations for filtering of mail messages, policy changes, and other technical and business practices aimed at preventing phishing attacks and responding to ones that occur.

The document is based on the collective wisdom of MAAWG and APWG members, many of whom are ISPs, mailbox providers, or security vendors. While not all practices will apply to all providers, most should be able to find something new in the document to add to their current practices, according to Vipul Ved Prakash, editor of the document, co-chair of the MAAWG anti-phishing special interest group, and chief scientist and co-founder of Cloudmark.

“ISPs and security vendors have contributed to this set of recommendations based on what has worked for them in real world deployments. I believe most ISPs who read this document will find new ideas and solutions here and it will also serve to validate or improve their current practices,” Prakash told ClickZ. “What we’ve done is provided a comprehensive set of best practices used by ISPs around the world so those who are adopting these can choose what works best for them from both a technical and policy point of view.”

Phishing is a technique used by criminals to entice users to hand over sensitive personal or financial information. The phisher usually sends an e-mail pretending to be from a legitimate financial institution or other organization, but which actually links to a phisher-controlled site masquerading as a legitimate site. The site collects users’ account information, personal data, or usernames and passwords with the intent of using that information to impersonate the user and commit credit fraud.

Because phishing attacks are more sophisticated, targeted, short-lived and fast-moving than traditional spam, it cannot be addressed with the same filters and techniques as spam, according to the document. Inbound filtering designed to catch spam will not catch most phishing attacks, since those e-mails are designed to mimic legitimate mail, and are often sent from an IP address of an unknowing but trusted sender.

However, spam-fighting techniques like Bayesian filters, IP blacklists, URL-based filters, heuristics and fingerprinting schemes that are specifically designed to detect phishing attacks can work well in filtering inbound messages to an ISP or mailbox provider, the organizations said. In addition, when those filters are used on outbound messages, they can catch phishing messages being sent from unsuspecting hosts, such as an unprotected PC belonging to an ISP’s customer.

Besides filtering, the APWG and MAAWG document suggests ISPs implement several policy changes to combat phishing. Phishing can be reduced by hiding images or disabling hyperlinks from untrusted sources, or providing visual cues in user inboxes to identify messages from trusted sources. Since most ISPs have implemented some kind of e-mail authentication, they should use that information to clearly identify messages from forged senders and filter or reject them.

The APWG and MAAWG recommend that ISPs consider rejecting phishing messages whenever possible, since some users will find a phishing message in their spam folder and think it is a legitimate message that was wrongly tagged as spam. If the message is delivered, it should be clearly marked as a suspected fraudulent message.

ISPs and mailbox providers should also engage in education efforts with their customers, the organizations recommend, to inform them of ways they can spot phishing scams and protect themselves. End users should also be encouraged to employ client-side security solutions, both those that filter e-mail and browser plug-ins that help identify known phishing sites when a user visits them.

The groups also suggest that ISPs work with their own customer support teams to be sure they have clear steps in place to resolve phishing complaints, and to educate consumers whenever possible. They should also put in place a procedure to alert financial institutions or other organizations that are being targeted when an attack occurs.

According to Prakash, widespread adoption of these guidelines will make for a significant deterrent to phishers. By publishing these best practices and spreading the knowledge of experts worldwide, overall security will improve throughout the industry, he said.

“E-mail abuse works because the cost of carrying out such abuse is extremely low. When ISPs worldwide work together to reduce or eliminate the impact of abusive e-mail on their subscribers, the incentive to carry out such attack goes down,” he said.