Scammers Exploit DomainKeys Anti-phishing Weapon

Phishing scammers are using the DomainKeys e-mail signing technology-regarded by many in the security community as one of the best hopes for preventing spam and phishing-to their advantage.

Numerous and prolific, phishing scammers continue to claim victims, recently damaging the reputation of the most promising technology deployed to thwart them.

In a week that saw analysts declare a 500 percent increase in global phishing activity over the previous quarter, experts are warning of new attacks that not only circumvent the fledgling DomainKeys system but also use the technology to their advantage.

DomainKeys, an e-mail signing technology developed by Yahoo Inc. a year ago and deployed last month, is regarded by many in the security community as one of the best hopes for preventing spammers and phishers from forging e-mail addresses.

"DomainKeys is not meant to solve spam. Its meant to take forgery out of the spammers arsenal," said Miles Libby, anti-spam product manager for Yahoo Mail at Yahoo, in Sunnyvale, Calif. "Thats one of their prime techniques. If we can kill forgery, we can apply a true reputation to mail that comes in."

DomainKeys works by using public-key cryptography to let users verify that a message actually comes from the domain that is listed in the sending address. Each ISP or mail provider that implements the system has a private key that it uses to sign all outgoing messages. It publishes its public key in the DNS (Domain Name System) records.

The mail server on the receiving end then uses the digital signature and the sending domains public key to verify that the message did, in fact, come from that domain. The system is not meant to replace anti-spam filters but is designed to augment those defenses and take away one of the favorite tools of spammers and scammers: spoofed e-mail.

/zimages/2/28571.gifClick here to read about a recent rash of phishing attacks.

But last week, spam messages promoting Web cams and adult sites and carrying DomainKeys signatures began appearing in users mailboxes. Some of the messages came from Yahoo Mail accounts. Yahoo Mail is one of several mail providers and ISPs—including Google Inc.s Gmail, British Telecommunications plc. and Earthlink Inc.—that have adopted or are testing the DomainKeys system.

According to security experts, the scam artists have begun using the DomainKeys technology themselves to make their bogus messages appear more legitimate. The turnaround is undermining confidence in the fledgling systems ability to deliver on its promise, they say.

"It proves that people will get to the point where they cant trust e-mail from anywhere," said one security expert who works closely with investigators and asked not to be identified.

Aside from co-opting DomainKeys, phishers also have begun employing a new scheme recently that doesnt rely on spoofed Web sites to trick users. Scammers have begun compromising banks Web servers.

They then send out normal phishing messages that take the recipient to an attacker-controlled page located on the banks server. These attacks are insidious because the victim is visiting a legitimate site, security experts warn.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.