Go Phish!

Monday, October 24, 2005

Email Fraud and Ice Cream

In just a few weeks we'll be releasing anti-phishing protection for a number of high profile phishing targets: eBay, PayPal, Citibank, and others.

Who's protected?
Cody Brenton asks: "What's your criteria for who gets marked? Some spammers are publishing SPF records and there are some sites which are half legit and half spam (they do mailing campaigns)." That's a great question that we've been wrestling with internally so here's an inside look at what we are thinking ...

Iconix is anti-phishing
Our number one goal is to help users avoid phishing so senders who were attacked are at the top of our list. Here's a list of attacks from the Anti-Phishing Working Group. While most targets are financial institutions, you might be surprised to hear about attacks on Baskin Robbins and the Better Business Bureau. Phishers are getting creative and any attack which tricks you into revealing personal information can be profitable. If an attack can even get you to create a new account to register for some free benefit, then a crook may try your email address and password on PayPal. That will work for a large number of people who reuse the same passwords.

The one thing we never want to gold lock is spam. We're big fans of the Spamhaus Project which defines spam as "unsolicited bulk mail". This is very different from the CAN-SPAM requirements which are quite useless. You definitely won't see a blacklisted spammer on our list of gold lock senders.

Final answer?
These are our thoughts as we try to define our gold lock criteria. The list will fall somewhere between Baskin Robbins and Citibank. In the end, any sender that could motivate you to reveal personal information may become a tool for email fraud, so our list will grow larger over time. One thing we always take into account is your input, so if you have opinions then please let us know.

Thursday, October 20, 2005

Trusting eBay mail for the first time in two years ...

We're three weeks away from launching anti-fraud email protection for a bunch of high-profile phishing targets. Whenever you see a gold lock next to your email, you'll know you can trust it.

The last time I trusted a message from eBay was about two years ago. At one point, I was getting a fake mail asking me to verify my account information every week. On November 15th, I will actually know which messages to read and which ones to throw away without even opening them! The gold lock in the inbox will say it all.

Yahoo and Microsoft Unite (with help from Iconix)
Here's our secret sauce. Yahoo Mail supports domain keys for authentication but Microsoft is making a huge push for SPF/Sender ID. Our plug-in is implementing the Sender ID algorithm on top of Yahoo Mail so both our Yahoo and Hotmail users will be protected! (Being politically neutral, we'll also be supporting Yahoo's authentication for Hotmail shortly.)

Fraud-Proof Senders
Here are some of the big names on our fraud-proof sender list: Bank of America, Citibank, Washington Mutual, US Bank, Discover, Ameritrade, Charles Schwab, American Express, eBay, PayPal, and Amazon. Hopefully you have heard of some of those. If you know of an SPF sender that you think should be on our list, then please let me know. November 15th ... mark your calendar!

Friday, September 30, 2005

Phishing protection for Hotmail

Microsoft and Yahoo don't share a lot. There's MSN Spaces versus Yahoo 360, MSN Search versus Yahoo Search, MSN Money versus Yahoo Finance, and SenderID versus Domain Keys. Hotmail and Yahoo! Mail compete too, but today they have one thing in common ... you can get email ID for both of them!

Our deployment cycle ran for about eight hours thanks to our QA team catching some last-minute bugs that we're glad you'll never see. In the end, all problems were fixed, retested, and deployed in time to catch the opening of Serenity, so all was good in the world.

Speaking of the world, thanks to everyone in Europe and South America for trying us out. Phishing is happening everywhere and we've built email ID for everyone.

Next Up
Next up is phishing protection for GMail. We're also developing Yahoo support for SenderID and Hotmail support for Domain Keys. For everyone who's waiting for Microsoft and Yahoo to adopt each other's authentication standards, it may be a while before they'll get along ... until then there's Iconix. And even when authentication is ubiquitous, there will still be email ID because authentication isn't enough.

Tuesday, September 20, 2005

3 ... 2 ... 1 ... LAUNCH!!!

Iconix Email Identity
Launching a new site is a crazy time. We fixed hundreds of bugs (although there are always more) and people were literally working 24x7 to put everything in place. We think we've nailed all the versions of Yahoo! Mail out there: free version, Mail Plus, Business Mail, Personal Address upgrade, and sbcglobal.net. Let us know if we missed anything! Special thanks to Gemini Solutions, our development partner on the other side of the world ... they really know what it takes to make a start-up work.

We're fully protecting everyone's privacy. The Better Business Bureau just certified us for their Online Privacy Program. We'll also be getting a TRUSTe privacy seal as soon as their new seal program for sites with downloads is ready.

Trivia Note
The last feature to make it into the release was the shout-out. Now you can add a small blurb to your email identity which appears in your profile and Iconix signature.

Up Next
Hotmail launches in only nine days and GMail is next. We're also working on "Ben's feature" suggested by Ben Gottesman at PC Magazine. Without giving away the whole story, it will enable phishing protection for Citibank, Bank of America, eBay, PayPal, and a number of other high profile targets of email fraud. I can't remember the last time I trusted a message from someone claiming to be eBay. The time for email identity is long overdue.

Friday, September 02, 2005

A picture paints a thousand words

Logos for everyone
I remember the day we saw sender logos working for the first time in Yahoo! Mail. Everyone we showed them to wanted their own logo. Our CEO wanted one for his vineyard, our Director of Marketing wanted one for his Bay Area Viper club, and I wanted an animated one dealing pocket Aces :-)

Buddy Icons and Buddy Profiles
Sender logos for authenticated email are a solution for corporate identity to combat phishing but friends and family have identities too. So we extended the idea of sender logos to regular people. Where corporations use registered trademarks to mark their email, people can choose a buddy icon. When you mouse over a sender's buddy icon, you get their profile. Buddy profiles can be a lot more interesting because they can link to pictures, blogs, instant messenger status etc.

One thing we decided early was that we wouldn't be competing with MySpace, Friendster, Blogger, Yahoo Photos, Flickr, Xanga and other sites. Instead, we would link to these services so your email identity could be an aggregation of your other net identities. Linking to other services isn't required but it definitely makes your sender profile more interesting.

Who can see my baby pictures?
Sharing is up to you. Permissions allow you to share what you want with whom you want. Right now you can only have one profile, but in the future we'll support multiple profiles. The most common request is to have one profile for co-workers, another for friends, and another for family.

Thursday, August 18, 2005

Russian mob moves to cyberspace

Today we had lunch with Dr. Bill Hancock, the Chief Security Officer at Savvis. Savvis is our Tier 1 hosting provider which serves high profile phishing targets such as Citigroup and Washington Mutual as well as major internet players such as Google, Yahoo, and Microsoft.

In our discussion on denial of service attacks, he mentioned that the Russian mob is currently extorting money from a number of gaming and poker sites. The mob threatens to launch a DoS attack against a target site unless that site pays them a fee.

Savvis offers a DoS protection service which repels attacks as they enter the Savvis backbone -- even before they hit your router. ISP protection from DoS attacks can range from $3K per month and upwards so it may be cost beneficial to pay an extortion fee versus subscribing to an ISP protection service.

Caution: if you own a popular site that demands high availability, then you may be the next target of the Russian mob!

Thursday, August 11, 2005

Just like Verisign

Start-ups are continually refining and evolving their strategies and mission. It hit me the other day, while preparing for a presentation to a major ISP, who we want to be. Iconix wants to be the certificate authority for email identity:

  • CA's issue credentials for websites and we'll issue credentials for email
  • CA credentials take the form of digital certificates. Our credentials take the form of buddy icons and Truemarks (marks registered with either the US Patent and Trademark Office or the World Intellectual Property Organization)
  • Digital certificate details can be viewed by double-clicking on the gold lock visible in your browser. Buddy and Truemark sender details can be viewed by mousing over a sender's icon in your inbox
  • CA services are free to consumers just like ours
  • Verisign certificates are universally recognized and their company valuation is about six billion dollars. Our adoption is growing fast and .. er ... we'd like to be worth six billion dollars too :-)

Finally, certificate authorities have become a standard part of browser security protecting consumers from pharming. Iconix is working to become a standard part of email security protecting consumers from phishing. Identity is as important for email as it is for web browsers. Anyone who's ever logged on to a website with HTTPS should give Iconix eMail ID a try.

Monday, August 08, 2005

Microsoft versus Yahoo!

Who will win the email authentication war?
There have already been a couple of casualties in the battle for email authentication. Habeas and Goodmail Systems both appear to be abandoning their proprietary authentication schemes. While many may not be familiar with those two names, the titans remaining and their allies are waging a sort of World Internet War.

Taking sides
On one side is Microsoft's SenderID. Its chief ally is AOL who re-announced support for SenderID late last year. Actively opposing SenderID are members of the open source community (Apache, Debian, Postfix, Exim, and others).

An alternative is Yahoo and Cisco's Domain Keys Identified Mail (DKIM). A chief ally is Earthlink who dropped support for SenderID this month. DKIM is technically stronger but is harder to implement.

The equivalent of Geneva, Switzerland would be Google, which continues to support both solutions in GMail -- sometimes you almost forget they're compatible.

Good versus Evil
On the political side, Microsoft has made it clear that they would rather see SenderID fail than give up intellectual property rights to PRA. PRA (the Purported Responsible Address) is the algorithm which allows SenderID to authenticate forwarded mail, a major weakness of the original SPF solution. Microsoft has said publicly that they don't believe their license to be incompatible with the GPL or other open source licenses, but many in the open source community disagree. If Microsoft ever chose to assert their rights, it could be a disaster for open source if the internet became dependent on a Microsoft proprietary technology. Given Microsoft's view of open source as a threat and given Microsoft's predatory history, people don't trust them.
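As an added illustration (not Iconix code and not Microsoft's reference implementation), here is a simplified version of the PRA header selection run over two constructed messages: one sent directly, one re-sent by a mailing-list style forwarder. The forwarder's domain, not the original sender's, becomes the address whose SPF record SenderID checks, which is why PRA survives forwarding where a check on the unchanged envelope sender would fail. All addresses are hypothetical.

```python
import email
from email.utils import getaddresses

# Header precedence of the Purported Responsible Address, simplified from RFC 4407:
# the first header in this list that is present determines the PRA.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def purported_responsible_address(raw_message: str):
    """Return the PRA mailbox for an RFC 822 message, or None if it cannot be determined."""
    msg = email.message_from_string(raw_message)
    for name in PRA_HEADERS:
        values = msg.get_all(name)
        if not values:
            continue
        addrs = [addr for _, addr in getaddresses(values) if addr]
        # A header with zero or several mailboxes yields "no PRA": fail closed rather than guess.
        return addrs[0].lower() if len(addrs) == 1 else None
    return None

def pra_domain(raw_message: str):
    """Domain whose SPF/Sender ID record must authorise the connecting IP."""
    addr = purported_responsible_address(raw_message)
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None

# Constructed sample messages (hypothetical addresses).
DIRECT = """From: Citibank Support <support@citibank.com>
To: customer@example.net
Subject: Statement available

Your statement is ready.
"""

# The same message after an alumni forwarder re-sent it. The envelope sender that the
# classic SPF check looks at is unchanged, but PRA selects the forwarder's domain.
FORWARDED = """Resent-From: alumni-forwarder@example.edu
Resent-To: customer@example.net
From: Citibank Support <support@citibank.com>
To: alum@example.edu
Subject: Statement available

Your statement is ready.
"""

if __name__ == "__main__":
    print(pra_domain(DIRECT))     # citibank.com
    print(pra_domain(FORWARDED))  # example.edu
```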

Microsoft aggressive
Microsoft recently launched an aggressive strategy akin to forcing SenderID down everyone's throat when they announced a November deadline for publishing SenderID records before Hotmail would start putting warning labels on unauthenticated mail. It reminds me of their strategy with Passport where everyone with XP was almost forced to create an account -- Passport eventually failed though.

It's safe to say that most domains won't make the deadline. Many ISPs used by smaller companies don't support adding the required DNS entry. In addition, Bank of America cited a six month implementation time for SPF because the process of collecting outbound email IP addresses is time consuming. It will be interesting to see the Hotmail users' confusion when a significant percentage of their email contains warning messages of authentication failure.

Much worse will be Hotmail's presentation of authenticated cousin-domain phishing attacks. Starting in November, fraudulent domains such as citibank-audit.com which implement SenderID may appear to be more legitimate to untrained users. It's an early adopter's dream ... if you're a crook.

Yahoo passive
In sharp contrast is Yahoo and Cisco's relatively passive campaign for DKIM. For example, it would be great if Yahoo were creating DKIM plug-ins for all the major mail servers and publishing them on SourceForge.net. However, the reality is that a business signing up to host their domain with Yahoo can't even get DKIM signed email ... they don't support it!!! Yahoo is showing signs of being a big company when they can't coordinate something like that.

Picking a loser
Iconix works with both authentication solutions so we're not dependent on one side winning. Indeed, we encourage our senders to adopt both solutions so that sender identity can be displayed in both Yahoo Mail and Hotmail. However, since neither side is likely to win widespread adoption in the near future, phishing attacks will only continue to grow and the loser will be the unsuspecting consumer.

Monday, July 25, 2005

Phishguts - The insider story on phishing

Here's a great Wall Street Journal article on the internals of a phishing scam. Christopher Abad from Cloudmark went undercover to find the players involved.

How to Phish

  • Create a fraudulent message
  • Create a fake website to collect personal information
  • Distribute the message through a zombie network
  • Convert the personal information to cash

Personal information is converted to cash by one of three methods: 1) selling it, 2) taking it to a "casher" (who takes a percentage), or 3) withdrawing money directly using Western Union or a faked ATM card.

I've always wondered why so many phishing attacks were targeted at Washington Mutual customers. Why choose WAMU over Bank of America which is larger? The answer is that WAMU ATM cards were easier to fake until very recently. The cashers who convert personal information into dollars even have a reputation monitoring system.

Friday, July 08, 2005

Phishing 101 - Problem

What is phishing?
Phishing is the term coined for hackers who spoof email from legitimate companies and entice people to divulge sensitive information, such as passwords, credit card and bank account numbers. If you've ever received an email from eBay asking you to "Update your password or your account will be suspended", then you've been hit by an attack. $2.4 billion was stolen in 2004 and attacks are increasing.

How is phishing possible?
Phishing is possible because email is much more popular than its inventors could have possibly imagined. They never considered that we'd have 60 billion emails a day, and that email security would be such a big issue. The biggest flaw in that security is the ability to pretend to be someone else. With today's email protocol, anyone can say they are george.bush@usa.gov or support@citibank.com. Many people aren't aware of this security flaw so when Citibank customer support asks them to change their password by clicking on a link, they click that link and give a fraudster their account information.

Why don't we arrest the bad guys?
Three things make that hard to do: 1) attacks only last for a few days or even hours, so you have a limited response time, 2) fraudsters purchase accounts with fake IDs and stolen credit cards, so they're difficult to trace, and 3) many of the attacks are launched from foreign countries, and that poses a plethora of legal and motivational issues.

Will they ever fix that email security flaw?
Knowing the true identity of your email's sender would go a long way toward fighting phishing. The first big step that needs to be taken is called authentication - verifying who sent the email. There are two competing authentication proposals out there: Domain Keys/DKIM and SenderID/SPF. One is sponsored by Yahoo! and Cisco and the other is sponsored by Microsoft. SenderID/SPF is more widespread while Domain Keys/DKIM is more robust. With email providers such as AOL, Earthlink, and Google, and companies like Bank of America and Disney adopting these emerging standards, authentication appears to be on its way.

Does authentication solve the phishing problem?
No. As everyone on the Anti-Phishing Working Group will tell you, authentication doesn't solve the whole problem. Instead of launching an attack from support@citibank.com, a phisher may simply purchase a domain like citibank-audit.com for only $9.95. Many people don't realize that citibank-audit.com is in no way related to citibank.com and that opens new doors for phishers. This is called cousin-domain phishing.

See our solution.

Phishing 102 - Solution

How can we really tell who's who?
Everyone has seen the Citibank logo hundreds of times on all their identity theft commercials. Registered trademarks are great identifiers because the US Patent and Trademark Office and the World Intellectual Property Organization work to ensure that all marks are unique. Further, companies spend billions of marketing dollars building brand awareness for their logos. Suppose there was a service that stamped a company logo on every piece of authenticated email. You could recognize genuine eBay email from ten feet away with its distinctive red, blue, yellow, and green lettering. Problem solved!

How would sender logos for email work?
Here's how it would work: 1) email is authenticated so you know who the sender is, 2) the sender's identity (logo) is retrieved, and 3) the identity is displayed so you can instantly recognize legitimate emails.
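An added example (not the Iconix plug-in's code) that ties the three steps here to the SenderID check described in the October 20 post and to the authenticated cousin-domain problem from the August 8 post: a simplified SPF record evaluator feeds an exact-domain logo registry, so citibank-audit.com can pass authentication and still get no logo. The DNS records, IP addresses and registry entries are constructed stand-ins, not any company's real data, and the evaluator handles only ip4/ip6 and all (it goes a little beyond the post by returning softfail, neutral and none as well as pass/fail).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical addresses, not any bank's real record).
DNS_TXT = {
    "citibank.com":       "v=spf1 ip4:203.0.113.0/24 -all",
    "citibank-audit.com": "v=spf1 ip4:198.51.100.7 -all",   # cousin domain with its own record
    "ebay.com":           "v=spf1 ip4:192.0.2.0/25 ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Step 1: evaluate the domain's v=spf1 record against the connecting IP.
    Simplified: supports ip4/ip6 mechanisms and 'all'; no include/redirect/a/mx."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                     # the sender never published a record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qualifier]
    return "neutral"                      # record exhausted without a match

# Step 2: constructed registry of senders whose trademark logo may be displayed.
REGISTERED_LOGOS = {"citibank.com": "citibank.png", "ebay.com": "ebay.png"}

def inbox_badge(sender_domain, client_ip):
    """Step 3: decide what the inbox shows. A logo appears only for an exact match in
    the registry, so a cousin domain that passes SPF is authenticated yet shows no logo."""
    result = check_spf(sender_domain, client_ip)
    logo = REGISTERED_LOGOS.get(sender_domain) if result == "pass" else None
    return {"auth": result, "logo": logo}

if __name__ == "__main__":
    print(inbox_badge("citibank.com", "203.0.113.10"))        # genuine: pass, citibank.png
    print(inbox_badge("citibank.com", "198.51.100.7"))        # spoofed: fail, no logo
    print(inbox_badge("citibank-audit.com", "198.51.100.7"))  # cousin domain: pass, no logo
```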

What are the challenges?
The challenge is to create a solution that adds authentication, identity, and display to every email client ... Yahoo! Mail, Hotmail, Outlook, GMail, Earthlink, Apple Mail, Thunderbird, Comcast, and many others. That would be a major step towards thwarting phishing.

What does Iconix do?
Funny you should ask. Iconix is dedicated to rolling out its three step anti-phishing solution to Yahoo! Mail, Hotmail, Outlook, GMail, Earthlink, Apple Mail, Thunderbird, Comcast, and more. We're building plug-ins for all those platforms and we're also talking to major ISPs about direct integration of our identity service. Every work day of our lives (which is most days) is dedicated to fighting phishing ... and that's a noble cause.

Was this all a big sales pitch for purchasing a plug-in?
The plug-in is FREE! And not free like Cloudmark's spam blocker that started free so they could build their network then ended up costing money later. It is really free. We have a positive ROI story for all the paid senders that lost billions to email fraud. We love coming to work every day to build what we are hoping will be the greatest email add-on since the invention of the spam blocker. Here we go ...

Problem solved.