Putting a stop to phishing attacks will require some sort of E-mail sender authentication scheme, the Anti-Phishing Working Group said Monday as it announced that 95% of all fraudulent E-mail scams use spoofed, or forged “From” addresses.
May’s account of phishing (the group puts out monthly reports) showed only a 6% increase in the number of unique attacks. The results would have been worse, the group said, if not for the Memorial Day holiday weekend, which saw a significant dip in reported scams.
The average number of phishing attacks per day was also up slightly over April, the group reported.
But with an overwhelming majority of phishing attacks relying on spoofed sender addresses, there’s little chance of beating these scams until authentication is widely adopted, said Dave Jevans, chairman of the Anti-Phishing Working Group.
News source: Information Week

“The Achilles heel of phishing is the reliance on forged ‘From’ addresses to hide the sender’s identity,” Jevans said in a statement. “Once ISPs start to verify the source of messages, a lot of the bad things in E-mail, including phishing, will be greatly reduced. Not many scammers will use their personal E-mail accounts to launch a crime wave.”
Multiple sender authentication specifications have been proposed, including Sender ID, a blend of Microsoft’s former Caller ID for E-mail and the more popular Sender Policy Framework (SPF), which was submitted to the IETF last week, and Yahoo’s competing DomainKeys.
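As an added illustration of the “verify the source of messages” step Jevans describes, here is a simplified SPF-style check run over constructed policy records; this is example code, not from the article or from any of the named specifications. `SPF_RECORDS`, `check_spf` and `classify_message` are invented names, the records and IPs are constructed, and real SPF (RFC 7208) evaluates the envelope sender and HELO identity via DNS lookups and supports more mechanisms than the ip4/ip6/all handled here.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (example data, not real domains' policies).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# SPF qualifier prefix -> result when the mechanism it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF policy for `domain` against the connecting IP.
    Handles only ip4/ip6/all (no include, a, mx, exists, redirect or macros).
    Returns one of: pass, fail, softfail, neutral, none."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy; nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all decides unmatched senders
        if mech in ("ip4", "ip6"):
            # A bare address such as 198.51.100.7 is treated as a /32 network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term


def classify_message(from_domain: str, sender_ip: str) -> str:
    """Decision a receiving mail server might take from the SPF result alone."""
    result = check_spf(from_domain, sender_ip)
    if result == "fail":
        return "reject: sending host not authorized for the claimed domain"
    if result == "softfail":
        return "quarantine: sending host probably not authorized"
    if result == "pass":
        return "accept: sending host authorized by domain policy"
    return "accept: no usable policy (sender unauthenticated)"


if __name__ == "__main__":
    # A forged message claims example.com but arrives from an unrelated host.
    print(classify_message("example.com", "192.0.2.45"))   # authorized host
    print(classify_message("example.com", "203.0.113.9"))  # forged sender
```

A domain with no published record yields "none", which is the state Jevans describes: without a policy to check, a forged address is indistinguishable from a real one.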
Of the 5% of “From” addresses that weren’t forged, the Anti-Phishing Working Group dubbed the majority “social engineering” addresses: they aren’t phony but are simply variations of the actual E-mail domains used by the firms being phished.
For instance, one social engineering “From” address used to fool Visa customers into divulging credit-card information is , which is not a valid address for Visa. Other misleading addresses the group has spotted include and .
Citibank remained the No. 1 target of phishers in May, a dubious honor it has held for the last two months. Other companies with a phishing bull’s-eye on their backs include eBay, U.S. Bank, and PayPal. These top four targets accounted for 82% of all phishing and E-mail fraud scams for the month.