Microsoft: Phishing Bad, Users Complicit, Education Best Defense

Microsoft, along with Trust-e and RSA Security, summarized the plague of phishing attacks as the "fastest-growing form of online fraud," but offered little new in terms of advice or technology.

Microsoft Tuesday summarized the plague of phishing attacks as the "fastest-growing form of online fraud in the world today," but offered little new in the form of either advice or technology.

Among the few tidbits: use of Sender ID on Microsoft's free Web-based Hotmail service will lead to similar support for the sender authentication scheme in Outlook and Exchange later this year.

Mike Nash, the chief security executive at Microsoft, and others from companies including Truste and RSA Security, pointed to the dangers of phishing to both consumers and businesses, with emphasis on the latter.

"The long term damage phishing can do to brands is the real concern," said Fran Maier, the executive director and president of Truste, in an hour-long Webcast Tuesday morning.

Phishing attacks, which typically begin with e-mails that pose as requests from actual firms to update accounts or provide other personal identity information, direct unwary consumers to bogus Web sites that may in some cases use addresses similar to the real deal.

"Companies need to have a clear banding strategy that says, 'we never ask for anything via e-mail,'" Maier added. "Companies also have to be clear on where and how they redirect URLs to other companion sites."

Phishing can strike at businesses in other ways, said Craig Spiezle, a director in Microsoft's technology safety group. "In the business environment, there's also private information and intellectual property that can be at risk to phishing attacks," he said.

Nash and the others concentrated their advice on the educational aspects of defending against phishing attacks, in some cases coming close to blaming users for the problem.

"Users will open about anything," said Burt Kaliski, the vice president of research and chief scientist at RSA Security. "The human element," he went on, "is the weakest link."

But Kaliski also blamed ancient technology. He took the current username/password authentication scheme -- often the only info a phisher is after -- to task. "User authentication is basically the same as in the days of mainframes. There has to be a way to improve the confidence consumers have in logging in." He suggested integrating enhanced authentication within the browser or the operating system, or both as being ultimately easier than hammering into users how dangerous phishing attacks can be.

"Let's face it, users are one of the most difficult part of the process to 'reprogram,'" he said.

RSA's SecurID two-factor authentication technology recently made the news when it announced early this month that E-Trade would equip its upper-end customers with free one-timepassword tokens.

Nash spent much of the time touting spam defenses as the best way to prevent phishing attacks, even though evidence is increasing that the most sophisticated phishers are turning to other attack avenues, including malicious code and spyware, to rip off identities.

"Implement protections to reduce spam," he said, recommending multi-layered defense at the gateway, server, and end-point; relying on the more security-conscious Internet Explorer 6.0 included in Windows XP SP2 (which includes a pop-up blocker and spotlights possibly fraudulent URLs in the address bar); and publishing the Sender Policy Framework (SPF) record for legitimate business domains.

Hotmail, he said, has been using Sender ID -- Microsoft's sender authentication scheme that's partially based on SPF -- for the past two months, and has found that it reduces the amount of spam, and may trim the amount of phishing spam users receive.

About one-fifth of the e-mails received by Hotmail's users originated from a domain that had published an SPF record, said Nash, and of that number, about a quarter showed evidence of domain spoofing. While domain spoofing isn't a phishing-only phenomenon -- "regular" spammers almost always spoof their sending addresses, too -- Nash said a more extensive use of Sender ID and SPF would help the fight against phishing.

Hotmail's use of Sender ID, a Microsoft spokesperson said separately, has meant "notable improvements in the accuracy of its SmartScreen filtering process." SmartScreen is the name Microsoft gives to its anti-spam technology within Exchange and the Outlook client. "Microsoft will provide support for [Sender ID and SPF] in Outlook and Exchange later this year," the spokesperson added.

Nash did not give any additional information on the upcoming Internet Explorer 7.0, which is scheduled to appear in beta this summer, reportedly with additional protection against phishing and other malicious attacks. Nor did Nash respond to a question asking for a status update on the browser.

When asked about what kind of anti-phishing and/or anti-spam defenses might be under consideration for Longhorn, the next-generation Windows, a Microsoft spokesperson said, "It's a little early to discuss security features in Longhorn, as many of the ideas are being finalized right now," and the usual "we're listening to customers, and evaluating the feature set."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service