Yahoo, eBay and PayPal are adopting signature-based email authentication technology that they say should cut down on dangerous phishing email attacks.
Called DomainKeys, the technology was developed in 2005 by Yahoo and authenticates email messages by allowing Internet service providers to determine if messages are real. DomainKeys use cryptology to verify the domain of a sender and gives email providers another way to validate an email's originating domain.
Phishing attacks appear to the end user to be from a well-known company and trick users into revealing personal information such as an email address and password. PayPal and eBay have been top brand targets by phishers looking to trick users into giving up identifiable information.
The DomainKeys technology upgrade will be rolled out globally over the next several weeks to all users of Yahoo Mail. The technology will be used to specifically identify the authenticity of messages for eBay and PayPal.
"Like banks our brand makes a good target for phishers and we heard loud and clear that our customers were looking to us to solve this problem for them," said PayPal spokesperson Sara Gorman.
Gorman said PayPal has been working with a number of ISPs and testing various tools to identify and eliminate phishing spam messages. The company has been offering a free beta version of software from Santa Clara, Calif.-based Iconix Inc. that can be installed on an email client. The software identifies valid messages for end users with a gold lock with a checkmark.
Security vendors have been tracking the increasing sophistication of phishing messages. Symantec's October Spam Report identified a product spam campaign using code from a legiti¬mate eBay message to appear that the email came through eBay. Symantec also identified a recent Russian phishing attack which consisted of over 10,000 email messages in one day. Overall Symantec said spam levels continued to rise increasing to average 70% of all email.
Security vendor Finjan has been tracking a number of sophisticated phishing attacks in recent months. The latest attacks have been not only slipping by some antiphishing technologies including DomainKeys, but also failing to be detected by some financial services firms.
"They're now using sophisticated domain name hijacking to get users to think they are actually using the right site," said Iftach Amit, director of security research at Finjan's Malicious Code Research Center. "I was almost fooled by the latest stuff that phishers have brought on. The browsing padlock is on and you see you've got an SSL connection, but it's still fraudulent."
The latest attack tracked by Finjan mixes a Trojan horse and phishing technique. It employs client-side malicious code that causes the PC of the victim to completely fake a browsing environment. When the user tries to use a financial service the malicious software on the client detects the behavior and starts communicating with a master server. The server creates a back channel in parallel to the legitimate financial service making the experience look legitimate in every way, Amit said.
Ultimately, PayPal's Gorman said, customers have to be more vigilant. PayPal has been engaging users through an education campaign at its Web site to help end users identify fraudulent messages.
"In addition to own technology tools we've been rolling out, the second and biggest thing is user education," she said.