[council] FW: APWG Global Phishing Survey

["Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>]

FYI the report from APWG with some very interesting information.  I
requested that 'subdomain policy' be added to the BlueSky list for reasons
at bottom of this string.  I hope we can discuss the potential merits and
disadvantages of trying to enforce the RAA terms on domain registrants that
offer subdomain registration services.

Full report:  http://www.apwg.org/reports/APWG_GlobalPhishingSurvey2007.pdf

Conclusion:

As always, phishers are constantly adapting as they find new opportunities
and react to anti-phishing efforts. This study has documented some of their
recent strategies and tactics, including their adoption of subdomain
services, evasion and spoofing techniques, and their systematic exploitation
of vulnerable registrars and registries. We hope this study will spur
further research on these and related topics. 

The number of domain names used for phishing in 2007 was upwards of 52,000.
This was a miniscule percentage of the approximately 153 million total
domain names in existence, but the phishing resulted in huge financial
losses for Internet users and the targeted brands. We have noted some of the
problems associated with detecting and mitigating phishing in this ocean of
domain names. Registrars and registry operators have no control over the
security of the Web sites hosted on the domains they sponsor, and have more
limited options when vulnerable sites are compromised for phishing. But
registries and registrars are in an excellent position to address malicious
domain name registrations, which are a major part of the current phishing
problem. Registry operators can disseminate information to their registrars,
and both can mitigate malicious domain name registrations quickly, thereby
reducing phishing up-times and reducing the options available to phishers.



Among other findings and suggestions:

Only 12 of the 51,989 domain names were Internationalized Domain Names
(IDNs). 

Only about 129 were trademarks at the second level, e.g. bankname.com.

The domain name itself usually does not matter to phishers. Therefore a
domain name in any TLD will do.  

Brand name owners should continue to make defensive domain name
registrations, and should continue to use detection methods that find
infringing domain names by scanning zone files for pattern matches. However,
the data indicates that phishers are probably aware of that countermeasure
and avoid domain names that draw attention to themselves. Brand owners
should also employ detection methods that collect and analyze entire
phishing URLs. 

In our survey we positively identified 11,443 subdomain sites/accounts used
for phishing, beneath 448 unique second-level domains. [I]f we had counted
these unique subdomains as ?regular? domain names, then these types of
domains would represent at least 18% of all domains involved in phishing ? a
significant percentage. 

Examples of subdomain accounts used for phishing from our survey data
include: 
 -- account-slgnln-elbay-fr.pochta.ru. (Pochta.ru is a popular free e-mail
service that offers unlimited mailboxes and free hosting.) 
 -- labsupport.no-ip.org. (The domain no-ip.org redirects to No-IP.com, a
company that provides managed DNS, dynamic DNS, domain registration, e-mail,
and other domain-related services.) 
 -- A free online tool that makes it easy for anyone to create and publish
Web pages in just minutes. This service hosted multiple phishes that
targeted social networking sites, an auction provider, and other brands in
2007. 

The extensive use of subdomain services is eye-opening and poses several
challenges. These services are unaccredited (unlike domain name registrars
are), are often free, and most are offered by small companies. Thus there
are few checks and balances on who runs such services or how they screen
their customers. These conditions are ripe for abuse, both at the consumer
level and at the reseller level, as any criminal can set up his own such
service. Depending on the available features of the service, a criminal can
obtain as much control over a unique DNS entry as he can through a domain
name registrar, making these types of subdomains very convenient for running
fast-flux, name-spoofing, and other common domain name tricks used by
phishers. There is no published WHOIS information for these subdomains,
making it nearly impossible to determine if there is a fraudulent
registration, or if someone?s legitimate (but hacked) site is being used to
host a phish. In the latter case, the lack of WHOIS makes it much harder to
track down the site owner of a hacked Web site during a take-down effort.
 
Instead, responders are completely reliant upon the subdomain service
provider to handle all mitigation requests. These services are typically
unmanned or lightly supported, meaning the only point of contact for the
domain may be unavailable for days. The fact that there could be thousands
of functional, legitimate subdomain sites beneath the main domain means that
suspension of the main domain is usually not a viable option.


Best regards,

Mike Rodenbaugh