This article was published on February 21, 2013

Twitter uses DMARC to take action against email phishing for user passwords after high-profile hacks

Twitter’s ‘Postmaster’ Josh Aberant today announced that Twitter has been using a new technology called Domain-based Message Authentication, Reporting and Conformance (DMARC) to help prevent email phishing.

Phishing is the practice of sending fake emails to people that look like they come from a company like Twitter but actually don’t. The goal is to harvest user passwords by tricking people into entering passwords on sites that are owned by hackers and harvesters, rather than by the companies that they’re imitating.

Twitter says that using the DMARC technology makes it ‘extremely unlikely’ that any users will see any email pretending to come from Twitter.

“Without getting too technical,” writes Aberant, “DMARC solves a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols. It builds on established authentication protocols (DKIM and SPF) to give email providers a way to block email from forged domains popping up in inboxes.”

Basically, it’s a directory that’s used by email providers to weed out the people who send shady emails like this. DMARC is being used by AOL, Gmail, Outlook and Yahoo! Mail already, allowing them to detect and reject spoofed phishing versions of Twitter emails. As it spreads to new providers, the protection will grow as they contribute to and utilize this ‘ban list’ of bad senders.
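To make the mechanism Aberant describes concrete, here is an added example (not Twitter's code, and not Twitter's published policy): a minimal DMARC evaluator that checks whether the domain that passed SPF or DKIM aligns with the visible From domain and, if neither does, returns the disposition the domain owner published. The record and domains are constructed, and the organizational-domain check is simplified (no public suffix list).

```python
# Added example (not Twitter's code): a minimal DMARC evaluator showing how a
# receiver combines SPF/DKIM results with the From domain's published policy.
# SAMPLE_RECORD is a constructed record, not Twitter's real DNS record.
from typing import Optional

SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.invalid"


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str] = None,
             dkim_pass_domain: Optional[str] = None) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, else the policy's disposition.

    spf_pass_domain: the MAIL FROM domain for which SPF passed (None if SPF did not pass).
    dkim_pass_domain: the d= domain of a DKIM signature that verified (None if none did).
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Forged message: From: claims twitter.com, but SPF only passes for an unrelated domain.
    print(evaluate(SAMPLE_RECORD, "twitter.com", spf_pass_domain="sender.example"))  # reject
    # Legitimate message carrying a verified DKIM signature with d=twitter.com.
    print(evaluate(SAMPLE_RECORD, "twitter.com", dkim_pass_domain="twitter.com"))   # pass
```

With this record, a receiver that applied DMARC would discard the forged message outright rather than deliver it, which is the effect Twitter is describing.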

Phishing is an extremely common method of harvesting user passwords which can then be used to access Twitter accounts or, if users are silly enough to do so, email accounts that share the same password. As Twitter has grown in size and popularity, it has become the target of ever increasing phishing attempts and account ‘hackings’.

Recently, high profile Twitter accounts belonging to the Burger King and Jeep brands were compromised and began spewing racist and unsavory commentary. One possible vector for this kind of takeover is a phishing email that convinced someone managing the account to click on a link and enter their credentials. Twitter has since posted on its blog about basic password procedures, as well as today’s DMARC announcement. It seems likely that these are a response to the concern that brands might have about how secure their very public face on Twitter is.

Image Credit: Sean Gallup/Getty Images