[dmarc-discuss] Statistical considerations regarding expected DMARC impact on phishing

Franck Martin fmartin at linkedin.com
Fri Apr 6 10:54:08 PDT 2012


Thanks for the stats, you may have seen this infographic: http://www.marketingtechblog.com/dmarc-infographic/ any comments?

Do you have some words of wisdom regarding:
What if miscreants use the display field of the From: to fake my brand/domain?
On the http://www.dmarc.org/faq.html

Especially, considering DMARC implemented, what is the next step for the industry to take?

From: Sébastien Goutal <sebastien.goutal at vade-retro.com>
Date: Fri, 6 Apr 2012 13:45:10 +0000
To: "dmarc-discuss at dmarc.org" <dmarc-discuss at dmarc.org>
Subject: [dmarc-discuss] Statistical considerations regarding expected DMARC impact on phishing

Dear all,

I would like to add statistical considerations regarding DMARC as a technology that aims to combat phishing effectively.

According to the DMARC specification draft, in section 2.2:

[...]

This document is significantly informed by ongoing efforts to enact large-scale, Internet-wide, anti-phishing measures. Whereas DMARC can only be used to combat specific forms of exact-domain phishing directly, the DMARC mechanism is viewed more importantly as a substantial step forward in terms of creating reliable and defensible message streams.

Specifically, DMARC does not attempt to solve problems related to use of Cousin Domains or abuse of the RFC5322.From "display name".

[...]

According to our analysis, the statistical tendency of phishing is that exact-domain phishing is a decreasing practice.

I've sampled a phishing corpus for the years 2010, 2011 and 2012.

These phishing scams target ISPs, PayPal, Visa as well as banks from the United States (Bank of America, Chase), the United Kingdom (Halifax, Santander) and France (Caisse d'Epargne, Crédit Mutuel, Banque Postale, Banque Populaire).

I've extracted the "From:" header and compared it with the companies' official domains.

The results are the following:

2010: 38.7% of exact-domain phishing
2011: 22.1% of exact-domain phishing
2012: 20.0% of exact-domain phishing

In the United States and the United Kingdom, exact-domain phishing is decreasing but is still a common practice.

But in France, exact-domain phishing is becoming rare and has reached 10% in 2012: the primary objective of phishers is to bypass heuristic or statistical spam filters that rely on keywords such as the domain in the "From:" header. In our everyday work, we have noticed a growing tendency toward phishing obfuscation.

As soon as phishers hear about DMARC, you can expect the progressive disappearance of exact-domain phishing.

The disappearance of exact-domain phishing will not really impact the phishers' business model, as they will still collect hundreds or thousands of credentials, and it will still be a very profitable activity.
In fact, the main issue in their business model is the difficulty of converting money on online accounts to hard cash.

DMARC is a significant and important step forward against domain spoofing, but its impact on phishing will be limited.

Regards,

Sébastien Goutal
Filter Lab Manager
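
The kind of measurement described in the message above (comparing each "From:" header with a brand's official domains) can be sketched as follows. This is an added example, not the author's tooling: the BRANDS map, the sample headers, the substring test for cousin domains and the choice to count subdomains of an official domain as exact-domain are all assumptions made for illustration.

```python
from collections import Counter
from email.utils import parseaddr

# Hypothetical brand -> official domains map (constructed for this example).
BRANDS = {"paypal": {"paypal.com"}, "chase": {"chase.com"}}

def classify_from(header, brands=BRANDS):
    """Classify one RFC5322.From value as (brand, category)."""
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Exact-domain: the address uses an official domain or a subdomain of it.
    # This is the only category DMARC addresses directly.
    for brand, official in brands.items():
        if any(domain == d or domain.endswith("." + d) for d in official):
            return brand, "exact-domain"
    # Cousin domain: brand keyword embedded in a domain the brand does not own.
    for brand in brands:
        if brand in domain:
            return brand, "cousin-domain"
    # Display-name abuse: brand appears only in the human-readable phrase.
    for brand in brands:
        if brand in display.lower():
            return brand, "display-name"
    return None, "unrelated"

def exact_domain_share(headers):
    """Return (category counts, exact-domain fraction of brand-targeting mail)."""
    counts = Counter(classify_from(h)[1] for h in headers)
    targeted = sum(n for cat, n in counts.items() if cat != "unrelated")
    share = counts["exact-domain"] / targeted if targeted else 0.0
    return counts, share

# Constructed sample headers, not taken from any real corpus.
SAMPLE = [
    '"PayPal" <service@paypal.com>',
    'PayPal Security <service@paypa1-secure.example>',
    'service@paypal-account.example',
    '"Chase Online" <alerts@mail.chase.com>',
    '"service@paypal.com" <x@unrelated.example>',
]

if __name__ == "__main__":
    counts, share = exact_domain_share(SAMPLE)
    print(dict(counts), f"exact-domain share: {share:.1%}")
```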
