Global Best Practices to Fight Online ''Phishing'' Crime Jointly Approved by APWG & MAAWG; Recommendations More than Engineering ''Reality Check''.LOS ALTOS Los Altos (lôs ăl`tōs, lŏs), residential city (1990 pop. 26,303), Santa Clara co., W Calif.; inc. 1952. There is diversified light manufacturing. , Calif. & SAN FRANCISCO San Francisco (săn frănsĭs`kō), city (1990 pop. 723,959), coextensive with San Francisco co., W Calif., on the tip of a peninsula between the Pacific Ocean and San Francisco Bay, which are connected by the strait known as the Golden -- To protect Internet users from online fraudsters and defend the Internet against scammers commandeering network resources, the two most influential global trade associations combating Internet crime Internet crime is crime committed on the Internet, using the Internet and by means of the Internet. Computer crime is a general term that embraces such crimes as phishing, credit card frauds, bank robbery, illegal downloading, industrial espionage, child pornography, have jointly released an explicit new set of Best Practices to combat "phishing," a major cause of online identify theft and fraud. The recommendations will help Internet Service Providers Internet service provider (ISP) Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. (ISPs) and mailbox providers better police their own infrastructures and filter traffic traversing their networks. The Anti-Phishing Working Group The AntiPhishing Working Group (APWG) is a consortium that brings together businesses affected by phishing attacks, businesses that provide security products and law enforcement. The APWG has more than 2700+ members from more than 1600 companies & agencies worldwide. (APWG APWG Anti-Phishing Working Group APWG Action Plan Work Group APWG Acquisition Policy Working Group APWG Advocates for Prostituted Women and Girls APWG AFSCN Prioritization Working Group APWG AFSCN Priorities Working Group ) and the Messaging Anti-Abuse Group (MAAWG MAAWG Messaging Anti-Abuse Working Group ) jointly developed the recommendations outlined in "Anti-Phishing Best Practices for ISPs and Mailbox Providers." The paper provides technical and business practices to help ISPs and mailbox providers thwart phishing attacks and other malevolent ma·lev·o·lent adj. 1. Having or exhibiting ill will; wishing harm to others; malicious. 2. Having an evil or harmful influence: malevolent stars. network abuses and also includes practices to respond constructively when these attacks occur. "Phishing" employs deceptive technology such as spoofing (1) Faking the sending address of a transmission in order to gain illegal entry into a secure system. See e-mail spoofing. (2) Creating fake responses or signals in order to keep a session active and prevent timeouts. and social engineering to steal consumers' personal identity and financial account data, and has become a major concern. APWG Chairman David Jevans said, "The APWG and MAAWG have worked together for many, many months on defining these best practice recommendations for ISPs to help prevent phishing attacks. This important work is the result of a collaboration between ISPs, security companies and government agencies. This kind of ongoing collaboration is crucial, as phishing and crimeware are a constantly evolving security threat." The joint efforts between the two groups and their respective technical and governance committees began in the fall of 2005. The final document was reviewed and approved at a co-located June meeting of the APWG and MAAWG in Brussels, and the main editor in developing the work was Vipul Ved Prakash Vipul Ved Prakash (born 1977) is a software engineer and entrepreneur. He is perhaps best known for creation of Vipul's Razor, a collaborative anti-spam system. In 2001, Vipul co-founded Cloudmark, a company that builds email security software for consumers, enterprises and ISPs , chief scientist and co-founder of Cloudmark. Specific Technical and Business Recommendations Daniel Dreymann, co-chair of the MAAWG Anti-Phishing Special Interest Group and a co-founder of Goodmail Systems, Inc. said, "ISPs and mailbox providers have a lead role in combating email borne security threats like phishing, the risk here being an erosion of consumer trust in commercial email. MAAWG and APWG have done the industry an enormous service with this guide, having compiled the best anti-phishing practices worldwide." The Best Practices outline technology and business methods that will help ISPs maintain cleaner communications channels for their customers and protect their infrastructures from interlopers INTERLOPERS. Persons who interrupt the trade of a company of merchants, by pursuing the same business with them in the same place, without lawful authority. seeking to commandeer com·man·deer tr.v. com·man·deered, com·man·deer·ing, com·man·deers 1. To force into military service. 2. To seize for military use; confiscate. 3. To take arbitrarily or by force. the network. In addressing the deployment of security technologies, the paper encourages piloting and field trials of technologies and comparative analysis of multiple solutions. Among the recommendations: --Two way filtering of communications flows to stop inbound phishing email from reaching consumers and to tip off ISPs and mailbox providers when their servers are being used for sending outbound phishing emails --Internet Protocol (IP) blacklists to temporarily render servers co-opted for phishing attacks unreachable by consumers caught up in a scam; using URL-based filters to help ISPs filter their customer traffic outbound to IP addresses, domains or URLs where known phishing Web pages are hosted --Filtering or rejecting email if it can be unequivocally determined to be forged; disabling images and hyperlinks in email from untrusted sources --Employing visual cues or tags within the email client See e-mail program. interface that can characterize the authenticity and trustworthiness of email for the users --Blocking access to known phishing sites during attacks and distributing client tools that users can employ to deflect their Web browser The program that serves as your front end to the Web on the Internet. In order to view a site, you type its address (URL) into the browser's Location field; for example, www.computerlanguage.com, and the home page of that site is downloaded to you. from accessing phishing sites The recommendations are more than a "reality check" of technical issues from the engineering department, however. They also incorporate consumer education and the law enforcement measures necessary to counter criminal abuses such as phishing. For example, the Best Practices include educating consumers to check for Web site certificate authenticity before submitting personal information, directing users who believe they have been scammed to the Federal Trade Commission and other anti-fraud organizations, and alerting financial institutions when they are the target of phishing campaigns. The groups are working through diplomatic channels to cultivate support for the new Best Practices. They both have abiding relations with the national CERTs (Computer Emergency Response Teams) worldwide and maintain open dialogues with industrial and government bodies in Europe, East Asia East Asia A region of Asia coextensive with the Far East. East Asian adj. & n. and Australasia. MAAWG is the largest global trade association focusing on email abuse and the anti-phishing recommendations are part of its voluntary Code of Conduct. For the APWG, the global thought-leader in electronic fraud, the Best Practices are part of an ongoing campaign to articulate the electronic fraud experience and engender shared understanding among its members, industry, government and the public worldwide and to promote appropriate solutions. The entire "Anti-Phishing Best Practices for ISPs and Mailbox Providers" document is available at www.MAAWG.org or directly at the following link, http://antiphishing.org/reports/bestpracticesforisps.pdf About the Anti-Phishing Working Group (APWG) The Anti-Phishing Working Group (APWG) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing See e-mail spoofing. and the spread of crimeware that automatically mines consumers' personal data from their PCs. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, and solutions providers. There are currently over 1500 organizations participating in the APWG and more than 2400 members worldwide. The APWG is a 501c6 tax-exempted organization and maintains the public website http://www.antiphishing.org (http://www.antiphishing.org/) for its members and for the general public. About the Messaging Anti-Abuse Working Group (MAAWG) The Messaging Anti-Abuse Working Group (MAAWG) is where the messaging industry comes together to work against spam, viruses, denial-of-service attacks and other online exploitation. MAAWG (www.MAAWG.org) is the only organization addressing messaging abuse holistically by systematically engaging all aspects of the problem, including technology, industry collaboration and public policy. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services. Headquartered in San Francisco, Calif., MAAWG is an open forum driven by market needs and supported by major network operators and messaging providers. |
|
||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion