DMARC stands for Domain-based Message Authentication, Reporting and Conformance.

The companies involved include: Google, Facebook, LinkedIn AOL, Microsoft, Yahoo, PayPal (eBay), Bank of America, Fidelity Investments, American Greetings, Agari, Cloudmark, eCert, Return Path and Trusted Domain Project.

In a post on Google’s Online Security Blog, product manager Adam Dawes writes:

Industry groups come and go, and it’s not always easy to tell at the beginning which ones are actually going to generate good solutions. When the right contributors come together to solve real problems, though, real things happen. That’s why we’re particularly optimistic abouttoday’s announcement of DMARC.org, a passionate collection of companies focused on significantly cutting down on email phishing and other malicious mail.

We’ve been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing. Our recent data indicates that roughly 15% of non-spam messages in Gmail are already coming from domains protected by DMARC, which means Gmail users like you don’t need to worry about spoofed messages from these senders. The phishing potential plummets when the system just works, and that’s what DMARC provides.

“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole,” said Brett McDowell, Chair of DMARC.org and Senior Manager of Customer Security Initiatives at PayPal. “Industry cooperation – combined with technology and consumer education – is crucial to fight phishing.”

“BITS has been committed to defining and improving email authentication standards and practices to meet the financial services industry’s needs. DMARC’s evolutionary approach is critical in assuring these needs are met for years to come,” said Paul Smocer, President of BITS, the technology policy division of The Financial Services Roundtable.

DMARC is encouraging interested organizations to read the specification, join their mailing list and start testing and deploying standards, by learning the details at DMARC.org.

Now, that looks an awful lot like any other email you’d receive from Apple but there are a few clues that it’s fake (most phishing emails have these sorts of tells). The first and biggest is the link. Although it says “store.apple.com” in the body of the email, the link does not actually go to store.apple.com:

If you get an email from Apple or eBay or your bank that includes a link, the link will always include the actual name/official website of the company you’re visiting. If the link goes somewhere else entirely, it’s a fake. Case in point: store.apple.com. Of course, the best response to an email like this is to delete it, and manually navigate to Apple’s (or your bank’s, or whatever) website and log in to your account that way.

A couple other clues that the email is bogus: pretty much nobody threatens to shut down your account if you don’t update your billing information. You can have an Apple account with no billing information at all. They just won’t let you buy anything. Also, there are usually grammar tipoffs. For example, a legitimate email from Apple would probably not capitalize “Billing Information.” Finally, most direct emails will include either your personal name or your user name in the message greeting, as an indication that the message is legitimate. Thus, a legitimate email from Apple or any other site would say “Dear Bob,” or “Dear bobalicious75,” instead of a generic “Dear Customer.”

Long story short, don’t trust an email just because it looks legit. Read the text carefully for typos and weird grammar, and check the links. Better yet, ignore the email and log in to your account directly and see if there really is a problem.

[Source: The Mac Security Blog]

Kevin Mahaffey, the CTO and Co-founder of Lookout Mobile Security, told us that mobile devices have evolved from telephones to computers that we can put into our pockets.

“Mobile devices are gaining a whole new level of importance in the world,” he said. “They know who you are, who you talk to, [and] they might even have financial and location information about you.”

Because the functions of mobile devices have created ease and convenience for consumers both in their professional and personal lives, most users don’t think about being in danger of security attacks. However, according to security software vendor Trusteer, mobile users are three times more vulnerable to phishing attacks than desktop computer users are. This is a pretty unsettling stat, isn’t it?

How secure do you feel in the transactions that you do on your mobile device? Let us know.

Mahaffey told us that users are susceptible to three primary types of attacks: phishing, drive-by downloads, and exploits. At this point, the phishing attacks are the most common with scammers offering links that would compromise confidential information.

Drive-by downloads, which occur when a site tricks users to download something without seeking consent, are also beginning to gain some traction on mobile devices. Exploits are also a concern for mobile since a bad site could use a flaw in the browser or software to gain control over the device.

What’s more, Mahaffey said that we could expect these attacks to increase as more devices come to the market. Consumers are also feeling more comfortable with their mobiles, which means that they are becoming more risky in their behavior.

“Now that everyone’s reading email, browsing the Web, [and] downloading apps, there are a large number of ways that the bad guys can get in,” he said.

For these reasons, Lookout Mobile Security recently introduced Safe Browsing to help protect users from scammers. The technology scans every url a user visits to check for any malicious activity. The interesting thing is that, unless it detects something, a user would never know it was there.  It also doesn’t impact the browsing speed for users.
If the technology does detect something, it gives a warning message to the user. From there, the user can decide whether or not it wants to continue.

As part of this launch, Lookout also announced a partnership with Sprint that will bring the Safe Browsing protection to Sprint users. Mahaffey said Lookout’s goal was to “make people happy and more confident in their phones,” which they believe is furthered by this partnership.

In terms of basic security advice, he told us that users should be careful about what they click on and where they download apps. He recommends determining if the developer is reputable, if the app is safe, and if the area of the Internet is shady. In addition, he points out that users should check their phone bill since scammers might try to slip in extra charges.

Does this information make you hesitant about using your mobile device for everything?

When you get a message from someone who isn’t in your Gmail contacts, Google will now show the sender’s email address in the header. Even when a site sends you something on behalf of someone, it will show you who actually send it. Like if your friend sends you something via a share link on an article, it will make it more clear that this is coming from your actual friend (as opposed to the site).

Google software engineer Ela Iwaszkiewicz writes on the Gmail Blog:

I recently received an email from what looked like my bank saying I should update my account, but it looked a little weird. I clicked on the “show details” link and quickly learned it wasn’t from my bank after all; instead of being sent from First National Bank’s real email address, this message originated from a random South African domain. If I hadn’t viewed these details, I could have been tricked — it wasn’t entirely obvious that this email was a fake.

Phishing messages are a form of spam that attempt to deceive recipients in order to gain access to their personal information. Starting today, Gmail will automatically display more information about the origin of certain messages you receive so you can be better informed and protect yourself from getting tricked. If someone fakes a message from a sender that you trust, like your bank, you can more easily see that the message is not really from where it says it’s from.

Additionally, Gmail will now display a warning when it detects suspicious emails. You can always report messages you think are phishing attempts.

More information about the changes is available in the Gmail Help Center.

Some are going further, and providing advice on how to procede. For example, Citi customers received an email this morning, warning them of potentail phishing attacks as a result of email addresses falling into spammers’ hands. Here’s a sample from that:

Because e-mail addresses can be used for “phishing” attacks, we want to remind our customers of the following:

- It is not recommended to use your e-mail address as a login ID or password.

They also give an email address to contact if you supsect you’ve received a fraudulent message.

While security experts will be quick to back up the notion of being cautious about phishing attacks, they’re also playing down the extent of the damage done by the breach, considering it was just names and email addresses that were allegdly attained by the attackers.

Perimeter E-Security CTO, Andrew Jaquith said he received an email from McKinsey Quarterly notifying him of the attack and made a couple quick observations – first, this is embarrassing for Epsilon and second, the attack will be of no consequence to most people. He says that companies should take this incident as an opportunity to reinforce their security policies, but shouldn’t worry too much.

The reported list of companies that use Epsilon seems to keep growing. There are reportedly over 2,500 of them, and the company says 2% of its customers were hit. The list includes: US Bank, Capital One, JPMorgan Chase, Citigroup, Best Buy, Kroger, TiVo, Walgreen’s, Target, Disney, Robert Half, Brookstone, Home Shopping Network, McKinsey & Company, etc.

The report found attacks focusing on brands in online retail, auction and financial services categories decreased while payment services increased more than 10 percent in the first quarter of 2010. The category of “other” – social networking, online classifieds and online gaming industries – rose to an 18 percent proportion, however, from 13 percent in Q4 2009, an increase of more than 37 percent quarter over quarter.

"The increase in the ‘Other’ category is attributed to the sharp increase in attacks against the online classifieds, social networking and gaming industries,” said Ihab Shraim, chief security officer and vice president, network and system engineering at MarkMonitor and APWG Trends Report contributing analyst.

The proportion of infected computers increased more than 10 percent quarter over quarter. The proportion of infected computers grew from more than 47 percent in the fourth quarter of 2009 to more than 53 percent in Q1 2010.

Other highlights from the report include:

*The United States continued its position as the top country hosting phishing sites during the first quarter of 2010.

*Unique phishing reports reached a Q1 2010 high of 30,577 in March, down 25 percent from the record in August 2009 of 40,621 reports.

*The number of total unique phishing websites detected at Q1’s end, in March, was 29,879, off 47 percent from high of 56,362 in August 2009.

“The Q1 statistics paint the picture of shifting focus and approaches used by phishing gangs who are apparently using more sophisticated social engineering schemes less reliant on spoofing a bank’s brand,” said Dave Jevans, APWG Chairman. 

“Less visible statistically but as potent is the increasing focus on direct attacks against executives with corporate treasury authority. Losses from the latter, according to reports received by the APWG, can and do regularly run into six figures now.”

PayPal had said that it would reimburse people for unauthorized charges, but now the company has put up a blog post responding to the situation. PayPal Chief Information Security Officer Michael Barrett writes:

There has been a lot of recent news coverage about unauthorized payments to iTunes, and some of our customers are concerned about the safety of their PayPal accounts. We’ve looked into this extensively, and want to assure you that: 1) the PayPal system itself has not been compromised and continues to be secure; and 2) if you have been affected by this issue, the criminals behind it have not taken over or logged into your PayPal account.

Apple has also confirmed that iTunes’ servers have not been compromised. For those customers who have seen unauthorized iTunes charges to your PayPal or credit card account, Apple has recommended that you contact your financial institution about a chargeback and change your iTunes password right away. They have some useful tips on protecting your iTunes account security here.

This should set users’ minds at ease. Hopefully they will take this as a lesson to be more careful about their online experiences.

Some people did already go so far as to remove their PayPal accounts from iTunes:

Burnett also offers some tips for protection in the future.

Erick Schonfeld at TechCrunch reports, "At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, ‘My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.’ His email was filled with nearly 50 receipts from PayPal for $99.99 each."

Some are going so far as to remove their PayPal accounts from iTunes altogether.

According to John Paczkowski at All Things Digital, it is gullible users who are to blame. "There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam–a variation on the one that’s been around for years now," he writes. "Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions."

He also has an official statement from Apple on the matter, which says, "ITunes is always working to prevent fraud and enhance password security for all of our users. But if your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and/or issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately."

According to Paczkowski, PayPal has said that it will reimburse people for unauthorized charges.

Even with the drop, the number of credit unions being spoofed in text-to-phone cases stayed the same, meaning these organizations were the most targeted by industry. In these attacks, cyber criminals impersonate companies by text message and try to get people to call a fake interactive voice response (IVR) system designed to steal account information.

"There were some encouraging trends in fighting phishing in the first quarter of this year, including reductions in the some of the worst online attacks. Despite that, problems continue, and we’ve seen a rise in devastating losses for small businesses which threatens to massively erode trust in online business banking," said IID President and CTO Rod Rasmussen.

"In order to be one step ahead of these cyber criminals, organizations must actively detect, diagnose and mitigate such attacks 24/7, because cyber criminals don’t sleep."

Other findings of the report include:

*Cyber criminals increasingly posed as relief organizations to launch phishing attacks, claiming to help victims of recent disasters, like the earthquakes in Haiti and Chile

*More and more, phishing was used to carry out Internet Domain Name System hijackings, specifically with China’s biggest search engine Baidu.com (similar to the December 2009 hijacking of Twitter)

*The major share of phishing volume moved to targeting money transfer sites

The report authors found the Avalanche phishing gang was responsible for 66 percent of all phishing attacks launched in the second half of 2009. Avalanche successfully targeted some 40 banks and online service providers, and domain name registrars and registries.

"Avalanche’s impact was unprecedented," said Greg Aaron, Director of Key Account Management and Domain Security at Afilias and co-author of the study.

"This one criminal group was responsible for two-thirds of the world’s phishing, and also combined it with sophisticated crimeware distribution. The losses by banks and individual Internet users were staggering."

Avalanche was first detected in December of 2008 and was responsible for 24 percent of phishing attacks in the first half of 2009.  In the second half of 2009, the average Avalanche domain often hosted around 40 separate attacks at a time. While the number of Avalanche attacks was large, Avalanche domains were only about 14 percent of all domains used for phishing.

"Avalanche’s relentless activities led to the development of some very effective counter-measures," said Rod Rasmussen, founder and CTO of Internet Identity and co-author of the study.

"The data shows that the anti-phishing community — including the target institutions, security responders, and domain name registries and registrars — got very good at identifying and shutting down Avalanche’s attacks on a day-to-day basis. Further, a coordinated action against Avalanche’s infrastructure in November has led to an ongoing, significant reduction in attacks through April 2010."