[dmarc-discuss] RE : Statistical considerations regarding expected DMARC impact on phishing

Sébastien Goutal sebastien.goutal at vade-retro.com
Tue Apr 10 06:38:35 PDT 2012


> Thanks for the stats, you may have seen this infographic:
> http://www.marketingtechblog.com/dmarc-infographic/ any comments?

Regarding France, we noticed that over half of the phishing targets ISPs. The statistics are as follows:
ISP: 58%
Financial: 22%
Payment services: 15%
Other (Gaming, government...): 5%

> Do you have some word of wisdom regarding:
> What if miscreants use the display field of the From: to fake my brand/domain?
> On the http://www.dmarc.org/faq.html

The From: header display field is often obfuscated as well.
As noted in the DMARC FAQ, it is mainly a user interface issue.

> Especially, considering DMARC implemented, what is the next step for the industry to take?

This is a very difficult question. I have a few proposals.

1. Currently, two layers of security are set up to limit the damage caused by phishing:
- as a first security layer, ISPs and ESPs implement message filtering to detect and reject phishing.
- as a second security layer, most popular Internet browsers provide anti-phishing features, mostly based on on-line phishing URL database queries, to prevent access to forged websites.

We can add a third security layer that targets the phishing process and may reduce phishing collateral damage by providing an on-line database of compromised credentials.

However, it requires cooperation and confidentiality between all actors (ISPs, free e-mail service providers, financial services...) to remain efficient.

I may present this approach at the next MAAWG in Berlin, but I think it's out of scope for the DMARC mailing list.

2. Major web browsers should include a database of signatures of phishing sites.
This is the weak point of phishers: they spend most of their time trying to bypass spam filters, not web browser filters.
For instance, Firefox and Chrome do a good job by submitting URLs to the Google Safe Browsing service, but it should be improved by embedding a database of signatures in the browser: thus, phishing sites could be detected proactively.

3. Companies targeted by phishing should implement two-factor authentication for critical operations.

Regards,

Sébastien Goutal
Filter Lab Manager
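The display-name obfuscation mentioned above (a From: header whose display field carries a brand or a look-alike address while the real address lives elsewhere) is something a receiving filter can check for directly. The following is an added example, not code from this thread or from any Vade Retro product: it uses a simplified From: parser (quoted or unquoted display name followed by an angle-bracketed address, or a bare address), and a constructed table of protected brands keyed by their legitimate sending domain; both the table and the sample headers are assumptions made for the example.

```python
import re

# Constructed sample: brands this receiver wants to protect, keyed by the
# domain their legitimate mail comes from. Assumption for this example only.
PROTECTED = {
    "acme-bank.example": "Acme Bank",
}

# Matches '"Name" <addr>' or 'Name <addr>'. Bare addresses are handled separately.
_MAILBOX_RE = re.compile(
    r'^\s*(?:"(?P<q>[^"]*)"|(?P<p>[^<]*?))\s*<(?P<addr>[^>]+)>\s*$'
)


def split_from(header):
    """Return (display_name, address) from a From: header value.

    Simplified parser: handles 'Name <addr>', '"Name" <addr>' and a bare 'addr'.
    The address is lower-cased; the display name keeps its original case.
    """
    m = _MAILBOX_RE.match(header)
    if m:
        name = m.group("q") if m.group("q") is not None else m.group("p")
        return name.strip(), m.group("addr").strip().lower()
    return "", header.strip().strip("<>").lower()


def domain_of(addr):
    """Domain part of an e-mail address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(domain, protected_domain):
    """True when domain is the protected domain or one of its subdomains."""
    return domain == protected_domain or domain.endswith("." + protected_domain)


def display_name_findings(header, protected=PROTECTED):
    """Return the reasons a From: header looks like display-name spoofing.

    An empty list means nothing suspicious was found.
    """
    name, addr = split_from(header)
    addr_domain = domain_of(addr)
    lowered = name.lower()
    findings = []

    # 1. The display name itself looks like an e-mail address whose domain
    #    differs from the real sending address: "alerts@bank" <x@elsewhere>.
    for fake in re.findall(r"[\w.+-]+@[\w.-]+", name):
        if domain_of(fake) != addr_domain:
            findings.append(
                f"display name contains address {fake!r} "
                f"but real domain is {addr_domain!r}"
            )

    # 2. The display name carries a protected brand or domain name while the
    #    real address is not under that brand's domain.
    for pdomain, brand in protected.items():
        mentions_brand = brand.lower() in lowered or pdomain in lowered
        if mentions_brand and not same_org(addr_domain, pdomain):
            findings.append(
                f"display name references {brand!r} "
                f"but real domain is {addr_domain!r}"
            )
    return findings


# Constructed sample headers, not taken from any real message.
SAMPLE_HEADERS = [
    "Acme Bank <alerts@acme-bank.example>",                  # legitimate
    "Acme Bank <noreply@notify.acme-bank.example>",          # legitimate subdomain
    '"Acme Bank" <acme.bank.alerts@mail-notify.example>',    # brand in name, wrong domain
    '"alerts@acme-bank.example" <x@freemail.example>',       # address-looking name
    "Bob <bob@freemail.example>",                            # unrelated, fine
]


def scan(headers=SAMPLE_HEADERS):
    """Map each header to its findings, for a quick report."""
    return {h: display_name_findings(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in scan().items():
        status = "FLAG" if reasons else "ok  "
        print(status, header)
        for r in reasons:
            print("      -", r)
```

The check is deliberately narrow: it only compares what the display name claims against the domain of the actual address, so it says nothing about authentication. In a real filter it would sit after SPF/DKIM/DMARC evaluation, as the user-interface-side complement the FAQ alludes to, not as a replacement.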
