Anti-Phishing Working Group

www.antiphishing.org

Internet Policy Committee Update,

and Latest Phishing Trends

Public Interest Registry

Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh
 Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)
• Ongoing concerns
– Registrar accreditation and responsiveness
• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items
• Discussion
APWG Internet Policy Committee (IPC)

• Approximately 50 members

• Participants include registries, registrars,

CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.

• Goal: Ensure that anti-phishing concerns are

represented during the creation or modification
of Internet policies
 APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars
– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative
• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members
 Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:

• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes
 Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being

targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets
Phishing is a Global Problem

Top countries for hosting phish sites in November 2007

China and US in dead heat – China slightly more phish
India rose significantly
 Latest Phishing Trends

• Domain Name Phishing

– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)
• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel
• Registrars facilitating the problem
 Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking
• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time
• More Sophistication!
– Routine blocking of monitoring efforts
– Better DNS set-ups (self-defined, and use of ccTLD nameservers)
– Finding and using the worst registrars to handle mitigation
– Exploiting cash-outs via “holes” in overseas ATM verification systems
• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming
 Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?

– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)
• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors
– Wildcard - all hosts resolve
• The 3 P’s - Policies, procedures, people - in place for quick kills
SSAC Report: possible mitigation steps
• Authenticate contacts before permitting changes to name server
configurations.
• Implement measures to prevent automated (scripted) changes to name
server configurations.
• Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
• Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
• Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.
 Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的 askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space

– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!
 Phone Phishing Has Arrived

• Last 3 months have seen a rapid rise in phone

phishing (often mis-named vishing by press etc.)
– VOIP usually not being used
• Multiple techniques
– E-mail  phone number
– Phone call  website
• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere
 Malware proliferation

• Change in emphasis - now Crimeware

• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets
 Phishing Social Networks

• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day
• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices
 Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access
• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax
• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches
• Attacks often use fast-flux and/or sophisticated DNS
 Stolen Login Credentials Used

• Criminals run reports and get info on customers

– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications
• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity
 Mass-Market Spear Phishing

• Large-scale phishing with stolen customer data

– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims
• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed
 Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and

run systems accordingly
 Registrar Risks

• There are several risky registrars with access to

the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there
• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process
• No accountability
 Example: Blog.com

• Nice website with a great domain name

• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed
– Actual service provided by Directi (India)
• Will suspend abuse domains eventually
• The latest favorite registrar for ROCK
 Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?
– Mixed messages on their mission
• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)
• If no one takes responsibility
– Some regulator will
– Things will break - badly
 Initiatives of the APWG
Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing
Process Flow: Registry Suspension of
Phish Domains
 Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation
• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests
 WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:

http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies

• Privacy “services” and “proxies” a major concern – they make criminal

site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.
 Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?
– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities
• Final draft in review by registrars
 “What to do if your website has been
hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords
 Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages
• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?
http://www.antiphishing.org/warning/index.html
Prototype
 2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system

• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study
Next APWG Meeting

Tokyo, Japan
May 26-27, 2008

We invite you to participate!

 APWG Contacts

• Website: http://www.antiphishing.org
• Phish Site Reporting:
reportphishing@antiphishing.org
• Membership: membership@antiphishing.org

• IPC Chair’s e-mail:

– rod.rasmussen@internetidentity.com

Discussion
Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest

Phishing Trends

Presented by
Mike Rodenbaugh
mike@rodenbaugh.com