January 12, 2012 7:24 pm

Phishing pays off for email security providers

Big financial institutions and other companies are finally succeeding in reducing the volume of emails sent by malicious actors who disguise messages so that they appear to come from a trusted brand, a key technique both for cyber criminals and international spies.

Banks as well as Facebook, LinkedIn and other frequently impersonated companies are using small specialist technology providers, such as Return Path and Agari, to cross-check and confirm that messages purportedly sent from addresses such as Facebook.com really originated there.

Spying and phishing, as imposter emails aimed at extracting financial account numbers, passwords and other sensitive data are known, have been a big worry at large institutions and companies offering email for some time. And many big cases of cyber-assisted industrial espionage attacks, including those last year on security company RSA and online marketer Epsilon, began with emails sent to employees from faked addresses.

Starting this month, new guidelines from the Federal Deposit Insurance Corp and other US regulators require financial institutions to do more to protect their customers from online theft from their accounts. Such crimes have cost an estimated $15bn during the past five years. A number of proposed laws would do more to combat cybercrime, but the legislation has been bogged down because a large number of congressional committees are involved.

The technology to authenticate emails has been around for some time but companies have been slow to use it as specialist service providers sought sustainable business models.

Now two such service providers are claiming rapid growth as phishing concerns increase and regulatory pressure grows. Return Path, which earns most of its revenue delivering mass emails, added a registry for authenticating mail as a separate service in 2010. A second, smaller company that offers a registry was formerly known as Authentication Metrics when it was funded a year ago and is now called Agari.

New York-based Return Path and Palo Alto-based Agari serve as intermediaries between their corporate clients and the email providers looking to confirm that the named senders are authentic. The more clients those two get, the more worthwhile it is for email companies to consult them. The more email companies that sign up, the more clients they can attract.

“With the onslaught of deceptive and malicious email targeting all sectors, including government agencies, Agari and others in the space provide a lot of value to protect outbound mail and to protect employees opening up those emails,” says Craig Spiezle, executive director of the non-profit organisation Online Trust Alliance.

If an email comes from numeric internet locations that Gmail, Yahoo and other big email brands have not listed on new registries maintained by the specialists, they block the messages from reaching their clients’ recipients.

Close to 80 per cent of all email delivered by Google is now being authenticated using the technique, according to product manager Adam Dawes.

Return Path’s clients include Yahoo, other large email brands and online discount deals start-up LivingSocial, says company president George Bilbrey.

Agari handles 1bn inboxes, including those at Gmail, Hotmail, Facebook and AOL, says founder Patrick Peterson, a former Cisco Systems security expert, who exchanges information with his previous employer about where phishing messages are originating.

Agari, with 13 employees, has done well at handling the large number of machines and third parties that can be legitimately involved in sending a bank’s email, according to Google and a security executive at one of the biggest US banks.

“Like all big banks, we have a ton of email going to customers purporting to be from us,” says the bank executive, who was not authorised to speak publicly or name his company. “Now tens of millions of our customers aren’t getting those. We have gotten a lot more benefit from it than we thought we would.”

But it is not all good news. There are still loopholes – such as substituting the number 1 for the letter l – that can make address impersonation convincing.
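The registry check and the loophole described above, as an added Python example that is not from the article or from either provider. The registry contents, the domains, the confusables table and the function names are all hypothetical; the address ranges are reserved documentation ranges.

```python
import ipaddress

# Constructed registry: brand domain -> networks authorised to send its mail.
# Domains and address ranges are reserved documentation values, not real data.
REGISTRY = {
    "examplebank.com": ["192.0.2.0/24", "198.51.100.16/28"],
    "social.example": ["203.0.113.0/25"],
}

# Small confusables table (assumption: a production table would be far larger).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def skeleton(domain: str) -> str:
    """Fold visually similar characters so lookalike names collapse together."""
    return domain.lower().rstrip(".").translate(CONFUSABLES).replace("rn", "m")


# Skeleton of every registered brand, mapped back to the real domain.
SKELETONS = {skeleton(d): d for d in REGISTRY}


def classify(from_domain: str, sending_ip: str) -> str:
    """Return the receiving mail provider's verdict for one message."""
    domain = from_domain.lower().rstrip(".")
    ip = ipaddress.ip_address(sending_ip)
    if domain in REGISTRY:
        listed = any(ip in ipaddress.ip_network(n) for n in REGISTRY[domain])
        return "deliver" if listed else "block: unlisted sender"
    # A registry lookup alone stops here: the name is not a registered brand,
    # so a lookalike passes unless its skeleton is compared as well.
    brand = SKELETONS.get(skeleton(domain))
    if brand is not None:
        return f"flag: lookalike of {brand}"
    return "unregistered"


if __name__ == "__main__":
    # Constructed sample messages: (claimed sender domain, connecting IP).
    for msg in [("examplebank.com", "192.0.2.25"),
                ("examplebank.com", "203.0.113.200"),
                ("examp1ebank.com", "203.0.113.200")]:
        print(msg, "->", classify(*msg))
```

The third message is the case the registry cannot catch by itself: the spoofed name is a different domain, so only the skeleton comparison ties it back to the brand.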

More broadly, savvy computer users will occasionally click on bad links that they think come from a friend or colleague even with poorly disguised addresses. Stopping con jobs and computer takeovers that spring from those actions has proved a nearly insurmountable challenge to date, especially for home users.

Copyright The Financial Times Limited 2012.