A New Way For ers To Defend Themselves Against Fraud

Transcription

1 June 27, 2012 Defining DMARC A New Way For ers To Defend Themselves Against Fraud by Shar VanBoskirk with Sarah Glass and Elizabeth Komar Why Read This Report Hundreds of brands are hijacked by phishing scams every month, costing companies and ultimately their end customers billions. And existing methods to fight phishing like authentication standards aren t enough to stop the problem. This report introduces a new way marketers can defend themselves against fraud: by applying Domain-based Message Authentication, Reporting, and Conformance (DMARC). Read this report to understand why existing anti-phishing standards have failed, what DMARC can and cannot do to address these failures, and what marketers need to do to get started with DMARC. Marketers need Better visibility into THE CHANNEL data theft and the phishing scams that result cost billions and destroy customer relationships. 1 And despite more than a decade of developing ways to secure data, fraud is more common than ever. 2 Why? Spam filters aren t foolproof. Internet service providers (ISPs) spam filters analyze details like volume, complaints, bounce rates, and sender reputation to try to block unnecessary volume and protect users from spammers or fraudulent senders. But sometimes targeted phishing attacks best even the smartest ISP filters, while legitimate senders struggle to get s out of spam folders. For example, 65% of the Internet Retail 500 implement anti-phishing tactics such as authentication. Yet 9% of the that comes from their domains is spoofed. 3 ers don t adopt authentication standards. Standards exist to help legitimate marketers identify genuine s to ISPs (see Figure 1). 4 But in 2011, only 26% of organizations used one or more forms of authentication. 5 Adoption is low because: 1) stakeholders don t want to take the time required to authenticate all of a company s outbound s; 2) authentication doesn t guarantee delivery; senders must still pass spam filters; and 3) traditional ISP reporting around authenticated and unauthenticated is unreliable. Authentication doesn t prevent fraud. Authentication confirms that a sent comes from an identified sender. But it doesn t prove that the sender is reputable. And though some ISPs like Gmail can connect a company s reputation score with its authentication records, it doesn t necessarily prohibit the delivery of unauthenticated or spoofed s. Headquarters Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA, USA Tel: Fax:

2 Defining DMARC 2 Figure 1 Authentication Standards Aren t Enough To Stop Phishing 1-1 authentication confirms a sender by matching the from address to the sender s domain Verified authentication signature In this example of a properly authenticated , the domain name matches a verified authentication signature Most s do not include verified authentication signatures. So to an ISP, legitimate unauthenticated s and domain-spoofed s look identical. 1-2 Legitimate unauthenticated and spoofed s can be indistinguishable Good Bad Types of Authenticated Unauthenticated Direct domain spoof Cousin spoofing Definition Contains verifiable information so that receivers can automatically recognize senders. Lacks information to help an box provider verify who sent the message. Sent by a malicious sender using a legitimate sender s domain. Looks authentic, but actually comes from an illicit domain. DMARC reports and forensic s show senders the difference between good and bad unauthenticated that appears to come from one domain. Once legitimate streams from a domain are authenticated, marketers can select a DMARC enforcement policy quarantine or reject which will take action against unauthenticated Source: Forrester Research, Inc.

3 Defining DMARC 3 Introducing A New Approach To FIGHT fraud Enter DMARC: A new way for any sender to affordably manage phishing attacks. What exactly is DMARC? A collaboration... DMARC started with a partnership between PayPal and Yahoo in 2007 and then with Google in 2008 to protect consumers from popular phishing scams. 6 PayPal wanted a way for these ISPs to block spoofed messages coming from its domain. The DMARC collaborative (DMARC.org) was officially chartered in 2011 to combat fraudulent at scale. Today it includes its founding members as well as some of the biggest consumer ISPs and senders like AOL, Hotmail, Comcast, Facebook, Bank of America, and American Greetings and a specification... Members of the DMARC.org created a specification to combat spoofed mail. It enables senders to tell box providers how to treat unauthenticated mail: deliver, quarantine, or reject it. It also helps box providers with a way to report information back to senders about failed authentication, domain spoof attempts, and where unauthenticated is coming from within a sender s organization.... which leverages existing authentication standards. DMARC is not another authentication standard. It allows senders who use existing authentication standards sender policy framework (SPF) and domainkeys identified mail (DKIM) to receive reports about what is authenticated and what isn t and to take action against unauthenticated mail. 8 Participating box providers have agreed on a consistent way to report on authentication, which helps improve marketer deliverability. When Intercontinental Hotels Group (IHG) worked with Return Path to beta test DMARC, it increased its deliverability rates by 32%. 9 DMARC Illuminates Authentication And Phishing Problems The value of joining the DMARC organization and participating in its process is that it allows marketers: Visibility into authentication history. DMARC authentication reports and forensic s copies of every that originates from your domain will reveal what groups within an organization fail to authenticate. This capability eliminates the need to investigate every department or manually monitor practices. 10 And rather than discovering fraud post-facto, senders can review reports for evidence of domain spoofing. This gives marketers a head start to take down fraudulent URLs or prepare for backlash from scams committed in their names. Ways to halt delivery of unauthenticated . In addition to receiving authentication reports, senders can also set their DMARC preferences which are applied to the domain name system (DNS) records to tell ISPs to monitor, quarantine, or reject unauthenticated . Monitor tells the ISP to take no action against unauthenticated mail. Quarantine allows marketers

4 Defining DMARC 4 to scrutinize, flag, or direct suspicious s to a spam folder. And reject permanently terminates delivery of the selected messages. By implementing a termination policy, PayPal reduced the percentage of unauthenticated s delivered likely domain spoofs from phishers from 4% of its entire stream to 0%. 11 But DMARC Is No Panacea DMARC alone won t stop phishing, fraud, or data theft. Marketers getting familiar with DMARC should understand that it is not: An automatic entry into the inbox. Authenticated s resplendent with their DMARC records still have to pass through spam filters (see Figure 2). In the future ISPs may give extra credit to senders using DMARC. But even so, marketers should still apply other deliverability best practices in order to increase user engagement and minimize complaints. 12 For example, IHG increased its deliverability rates by 32% by improving its authentication and adhering to the best practices required to get accredited as a good sender by reputation vendor Return Path. A replacement for authentication. DMARC reports simplify the process of identifying authenticated versus unauthenticated . Michael Adkins, a DMARC engineer for Facebook explains, Without [DMARC], it is expensive and time-consuming to monitor your system for authentication issues. 13 But DMARC doesn t automatically authenticate a sender s stream. To consistently authenticate, make authentication a mandatory part of your company s data security policies. Then use DMARC reports to track down noncompliant business units. Michael Hammer, head of web operations security at American Greetings, finds that, Using DMARC is an opportunity to improve [authentication] practices across the board. Reliable for B2B ers today. To date, only major consumer ISPs have agreed to implement DMARC. 14 More common B2B inboxes like Microsoft s Outlook and Lotus Notes and filtering systems like Postini, Barracuda, and Symantec have yet to accept this new process. Quinn Jalli, Epsilon s senior vice president of marketing technologies expects that B2B partners will be on board soon, they are just on a slower curve. We agree. Look for Microsoft and Google founding members of DMARC to get their Outlook and Postini properties on board within the next two years. 15

5 Defining DMARC 5 Figure 2 The Authentication And DMARC Process Map Steps to DMARC Sender activities Domain-spoofer activities Step 1 Author publishes her DNS record to DMARC Hacker gains access to a legitimate sender s domain ISP activities Details Step 2 Mail is authenticated with SPF or DKIM Step 3 is sent to ISPs is sent to ISPs Step 4 Standard validation tests are applied Filter To screen out bad actors, ISPs apply tests like volume limits and lists of past offenders to block that authenticated must pass Step 5 Authentication protocols are retrieved DKIM The ISP compares the sender s domain with verified DKIM domains SPF The ISP retrieves the SPF authentication signatures Step 6 Step 7 Authenticated s are delivered s are blocked Appropriate DMARC policy is applied to unauthenticated mail Authenticated is delivered. Unauthenticated is blocked. Monitor sender receives regular reporting but all mail is delivered Quarantine Unauthenticated mail is delivered to consumers junk mail Reject Delivery of the unauthenticated mail is permanently blocked Consumer receives legitimate Source: Forrester Research, Inc.

6 Defining DMARC 6 Recommendations consider DMARC Part Of Treatment NOT A Cure Participating in the DMARC organization and process is a no-brainer even though it is not a complete cure for all woes. It is free and provides better visibility into authentication than anything else to date. And you can begin with DMARC just by publishing your DNS record. Don t worry; if you don t know how to do this, your IT team, service provider (ESP), or reputation management vendor does. In fact Epsilon, ExactTarget, Agari, and Return Path already implement DMARC on behalf of their clients. 16 To best leverage DMARC: Create a take-down plan for domain-spoofed s. After publishing your DNS record you will receive authentication reports to a specified address almost immediately. This is when the real work begins. DMARC will illuminate potential fraud. But you need your own action plan for what to do when you see trouble. Michael Hammer uses these reports as alerts to take down spoofed messages or block violating URLs before customers alert him of the problem. Vendors like VeriSign, Netcraft, MarkMonitor, and FraudWatch International can offload the hard work here by managing take-down procedures or place URLs into browser block feeds. 17 Prioritize data security. hackers take advantage of soft spots in data security practices. 18 So make sure you don t have any. 19 Tools like Forrester s Security Review will help marketers learn how to stop security gaps and provide a template for working with security officers that are part of IT and less familiar with marketing requirements. Stay tuned to the DMARC conversation. DMARC is in its infancy. We anticipate improved benefits to develop from DMARC like building reputation scores based on domains instead of IP addresses as more marketers and ISPs use it. Keep abreast of DMARC developments by tapping resources like the Anti-Phishing Working Group, DMARC.org, Online Trust Alliance, and of course your ESP. Supplemental MATERIAL Companies Interviewed For This Report Agari American Greetings Epsilon Microsoft Hotmail PayPal Return Path ExactTarget

7 Defining DMARC 7 Endnotes 1 Phishing is when hackers spoof a company s domains in order to rip-off its customers. For more information about the gravity of this sort of electronic fraud to marketers, see the August 5, 2011, How To Protect Your Data report. 2 Direct domain-spoofed phishing s are usually the result of a data breach. The RSA the Security Division of EMC tracks data about the security breaches due to cyber attacks. Their research shows that not only are attacks on companies increasing but cyber criminals are becoming ever more sophisticated. Source: RSA Online Fraud Resource Center ( online-fraud/index.htm). To see the latest trends in phishing specifically, check out APWG s Phishing Attacks Trends Report 1H Source: Phishing Attacks Trends Report 1H 2011, APWG, December 23, 2011 ( antiphishing.org/phishreportsarchive.html). 3 The Online Trust Alliance monitors rates of spoofing and found that as much as 90% of some senders is spoofed. For more information about these statistics check out the following report. Source: 2011 Online Trust Scorecard & Honor Roll, Online Trust Alliance, May 2011 ( resources/2011honorroll/2011_otaonlinetrustscorecard.pdf). 4 To learn more about the two most common standards SPF and DKIM visit their web pages: SPF ( and DKIM.org ( 5 The Online Trust Alliance also found that only 26% of senders use authentication methods like DKIM and SPF. For more information about these statistics see their website. Source: 2011 Online Trust Scorecard & Honor Roll, Online Trust Alliance, May 2011 ( OTAOnlineTrustScorecard.pdf). 6 To read more about the history of DMARC, see the blog post from Sam Masiello, the GM/chief security officer for Return Path, announcing their support of DMARC. Source: Sam Masiello, DMARC.org: A Giant Step Forward in the Fight Against Phishing, In The Know Blog, January 30, 2012 ( returnpath.net/blog/intheknow/2012/01/dmarc-org-a-giant-step-forward-in-the-fight-against-phishing/). 7 To see all the founding contributors to DMARC check out their website. Source: DMARC.org ( org/about.html). 8 The two authentication standards include: 1) sender policy framework (SPF), an validation system designed to prevent spam by matching an sender s IP address against a preregistered address, and 2) domainkeys identified mail (DKIM), a cryptographic-based protocol that places a unique signature in each message, which the ISP confirms upon delivery. 9 When IHG decided to update its program, it made the security and protection of its brand from spoofing or phishing a high priority. Read more about this case study in the following blog post. Source: George Bilbrey, Case Study: IHG Optimizes and Secures Channel with Return Path, In the Know Blog, March 13, 2012 (

8 Defining DMARC 8 10 The basic xlm reports you will be ed are free but vendors such as Agari, e Online Trust Alliance, or Return Path also offer additional services like providing a visually appealing report, recommendations for authentication improvements, and alerts if problems occur. 11 Despite aggressively using authentication and private channels with ISPs, still 4% of their stream was unauthenticated. These unauthenticated s were typically domain-spoofed s. By implementing a termination policy, Return Path was able to reduce their unauthenticated delivery rates from 4% to 0%. 12 To learn more about best practices that lead to good delivery rates, see the July 7, 2008, The Secret To Delivery report. 13 See Michael s full DMARC announcement on Facebook. Source: Facebook ( facebook.com/notes/facebook-engineering/dmarc-building-open-source- -authenticationtechnologies/ ). 14 At the time of this report, only Gmail was implementing DMARC but the other founding ISPs were in process of setting up the necessary standards. Source: DMARC.org ( 15 Currently Gmail is the only ISP that is returning DMARC records but Yahoo and Hotmail have agreed to implement the standard reporting criteria in Q and start testing reports by Q Source: DMARC.org ( 16 Senders can implement DMARC on their own, but if you want help understanding the reports and making business decisions based on them an ESP or a reputation management company will help. They can make sense of the DMARC reports by uploading them into a more visually appealing platform, make recommendations for authentication improvements, and alert you if domain spoofing occurs. 17 The Anti-Phishing Working Group lists several recommended vendors for these services. Source: APWG ( 18 In our first report on security, we found the value of data has four components: 1) consumers want their addresses kept secure; 2) data lost can cost companies millions; 3) addresses enable further data theft; and 4) cybercrimes are a growing concern. To read more about why data is valuable and how to protect it see the August 5, 2011, How To Protect Your Data report. 19 Cisco a software company that develops security programs for consumers and businesses saw a recent shift from high-volume attacks to low-volume and targeted attacks on organizations. Source: Attacks: This Time It s Personal, Cisco, June 2011 ( ps10128/ps10339/ps10354/targeted_attacks.pdf). Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 27 years, Forrester has been making IT, marketing, and technology industry leaders successful every day. For more information, visit Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, RoleView, Technographics, TechRankings, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective owners. Reproduction or sharing of this content in any form without prior written permission is strictly prohibited. To purchase reprints of this document, please clientsupport@forrester.com. For additional reproduction and usage information, see Forrester s Citation Policy located at Information is based on best available resources. Opinions reflect judgment at the time and are subject to change