IPC_Update_Trends


Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Phishers’ methodologies are changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first-time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!
– Routine blocking of monitoring efforts
– Better DNS set-ups (self-defined, and use of ccTLD nameservers)
– Finding and using the worst registrars to handle mitigation
– Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps
• Authenticate contacts before permitting changes to name server configurations.
• Implement measures to prevent automated (scripted) changes to name server configurations.
• Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting.
• Implement or expand abuse monitoring systems to report excessive DNS configuration changes.
• Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.
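The nameserver and A-record checks from the “Detecting, Killing, Preventing” slide and the SSAC TTL floor, run as one monitoring pass over constructed resolver snapshots. This is an added example, not code from the APWG deck; the consumer netblock list (documentation ranges), the domain names and the thresholds are assumptions a real deployment would replace with its own feeds.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# SSAC's suggested floor on TTL; anything shorter is what double flux relies on.
MIN_TTL_SECONDS = 30 * 60

# Constructed stand-ins for a consumer/residential netblock feed (documentation ranges).
CONSUMER_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


@dataclass(frozen=True)
class Observation:
    """One resolver snapshot of a domain, e.g. from a periodic monitoring job."""
    domain: str
    seen: datetime
    a_records: tuple      # IPv4 addresses returned for the domain
    ns_ips: tuple         # addresses its authoritative name servers resolved to
    ttl: int              # TTL on the A answer, in seconds


def in_consumer_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSUMER_NETBLOCKS)


def slash16(ip: str) -> ipaddress.IPv4Network:
    """/16 the address falls in; a rough proxy for 'how spread out' the hosts are."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def assess(observations):
    """Group snapshots by domain and return the set of fast-flux indicators each one trips."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)

    report = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o.seen)
        flags = set()

        # 1. TTL below the policy floor.
        if min(o.ttl for o in obs) < MIN_TTL_SECONDS:
            flags.add("low_ttl")

        # 2. A records that keep changing between snapshots within a day (single flux).
        a_sets = [frozenset(o.a_records) for o in obs]
        changes = sum(1 for prev, cur in zip(a_sets, a_sets[1:]) if prev != cur)
        all_a = set().union(*a_sets)
        rapid = (obs[-1].seen - obs[0].seen) <= timedelta(days=1)
        if rapid and changes >= 2 and len(all_a) >= 2 * max(len(s) for s in a_sets):
            flags.add("a_record_churn")

        # 3. Name-server addresses that move as well (double flux).
        ns_sets = [frozenset(o.ns_ips) for o in obs]
        if len(set(ns_sets)) > 1:
            flags.add("ns_ip_churn")

        # 4. Hosts or name servers sitting on consumer netblocks.
        if any(in_consumer_space(ip) for ip in all_a | set().union(*ns_sets)):
            flags.add("consumer_netblock")

        # 5. Addresses scattered across unrelated networks.
        if len({slash16(ip) for ip in all_a}) >= 3:
            flags.add("ip_spread")

        report[domain] = flags
    return report


# Constructed snapshots: one fluxing domain and one stable control, an hour apart.
T0 = datetime(2008, 3, 1, 0, 0)
SAMPLE_OBSERVATIONS = [
    Observation("flux-example.test", T0, ("192.0.2.10", "198.51.100.20"), ("192.0.2.200", "198.51.100.200"), 180),
    Observation("flux-example.test", T0 + timedelta(hours=1), ("192.0.2.33", "203.0.113.41"), ("192.0.2.201", "198.51.100.202"), 180),
    Observation("flux-example.test", T0 + timedelta(hours=2), ("198.51.100.7", "203.0.113.88"), ("203.0.113.9", "198.51.100.202"), 300),
    Observation("stable-example.test", T0, ("203.0.113.5",), ("203.0.113.53", "203.0.113.54"), 3600),
    Observation("stable-example.test", T0 + timedelta(hours=1), ("203.0.113.5",), ("203.0.113.53", "203.0.113.54"), 3600),
    Observation("stable-example.test", T0 + timedelta(hours=2), ("203.0.113.5",), ("203.0.113.53", "203.0.113.54"), 3600),
]

if __name__ == "__main__":
    for domain, flags in assess(SAMPLE_OBSERVATIONS).items():
        print(f"{domain:25} {sorted(flags) or 'no indicators'}")
```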

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44"

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII-based systems!
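Decoding the .HK example above and flagging a label that mixes scripts, the automated check the slide asks about. This is an added example, not part of the original deck; the sample registration list and the coarse script classes are assumptions, and the check generalises to any mix of scripts in one label, not only Chinese with Latin.

```python
import unicodedata

ACE_PREFIX = "xn--"   # marks a label whose Unicode form is Punycode-encoded (an "A-label")


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label.

    In an A-label the plain-ASCII run comes first ("askl44"), then a hyphen,
    then the Punycode digits that insert the non-ASCII characters.
    """
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Coarse script class of one character, taken from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "Common"          # digits and hyphens are allowed alongside any script
    try:
        first_word = unicodedata.name(ch).split()[0]
    except ValueError:
        return "Unknown"         # unassigned code point: kept as its own class, worth a look
    if first_word == "CJK":
        return "Han"
    return first_word.capitalize()   # LATIN -> Latin, CYRILLIC -> Cyrillic, ...


def label_scripts(label: str) -> set:
    """Set of scripts used in a label, ignoring the Common class."""
    return {script_of(c) for c in label} - {"Common"}


def is_mixed_script(label: str) -> bool:
    return len(label_scripts(label)) > 1


def analyze(domain: str) -> dict:
    """Decode every label of a domain and report which labels mix scripts."""
    labels = domain.rstrip(".").split(".")
    decoded = [decode_label(l) for l in labels]
    mixed = [l for l in decoded if is_mixed_script(l)]
    return {
        "unicode": ".".join(decoded),
        "scripts": [sorted(label_scripts(l)) for l in decoded],
        "mixed_labels": mixed,
        "flag": bool(mixed),
    }


# Constructed registration feed: the deck's .HK example plus two control names.
SAMPLE_REGISTRATIONS = [
    "xn--askl44-2n0jx24jgq2b.hk",                               # Chinese + Latin in one label
    "example.hk",                                               # plain ASCII
    "xn--" + "商店".encode("punycode").decode("ascii") + ".hk",  # pure Han, no mixing
]

if __name__ == "__main__":
    for name in SAMPLE_REGISTRATIONS:
        result = analyze(name)
        print(f"{name:32} -> {result['unicode']:16} mixed={result['flag']} {result['scripts']}")
```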

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often misnamed “vishing” by press etc.)
– VoIP usually not being used

• Multiple techniques
– E-mail → phone number
– Phone call → website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006: zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc.)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

• #1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of Phish Domains

Accelerated Domain Suspension Plan for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

Prototype: http://www.antiphishing.org/warning/index.html

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 2

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 3

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006: zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of Phish Domains (flow diagram)

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

Prototype: http://www.antiphishing.org/warning/index.html

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 6

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 7

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 8

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps
• Authenticate contacts before permitting changes to name server
configurations.
• Implement measures to prevent automated (scripted) changes to name
server configurations.
• Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
• Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
• Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.
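
What the first four of those steps look like as registrar-side logic, as an added example (not APWG, SSAC or any registrar's code): each nameserver change request must come from an authenticated contact, must have passed an interactive step that a script cannot complete (modelled here as an `interactive` flag, an assumption about how a registrar would implement it), must not set a TTL below the 30-minute floor, and the count of accepted changes per domain over 24 hours is reported to the abuse desk when it exceeds a threshold. The threshold, the request fields and the sample requests are constructed for the example.

```python
"""Registrar-side enforcement of the SSAC (SAC 025) mitigation steps
listed above: contact authentication, a block on scripted changes, a
minimum TTL and abuse reporting of excessive nameserver changes.

Added example; not APWG, SSAC or any registrar's code. The request fields,
thresholds and sample requests are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

MIN_TTL_SECONDS = 30 * 60          # the 30-minute floor SAC 025 gives as an example
MAX_CHANGES_PER_WINDOW = 3         # assumption: more than this per day gets reported
WINDOW_SECONDS = 24 * 60 * 60


@dataclass(frozen=True)
class NsChangeRequest:
    t: int                       # request time, seconds since epoch
    domain: str
    contact_authenticated: bool  # requesting contact proved identity (e.g. passed 2FA)
    interactive: bool            # assumption: passed a step scripts cannot (out-of-band confirmation)
    ttl: int                     # TTL the registrant wants on the delegation records
    nameservers: tuple


class NsChangePolicy:
    """Evaluates nameserver change requests and keeps a per-domain history."""

    def __init__(self):
        self._accepted = defaultdict(deque)   # domain -> times of accepted changes
        self.abuse_reports = []               # (domain, t, changes_in_window)

    def evaluate(self, req: NsChangeRequest):
        """Return (accepted, reason). Rejected requests do not count as changes."""
        if not req.contact_authenticated:
            return False, "contact not authenticated"
        if not req.interactive:
            return False, "automated (scripted) change blocked"
        if req.ttl < MIN_TTL_SECONDS:
            return False, f"TTL {req.ttl}s below minimum {MIN_TTL_SECONDS}s"
        history = self._accepted[req.domain]
        # Drop accepted changes that have aged out of the sliding window.
        while history and req.t - history[0] > WINDOW_SECONDS:
            history.popleft()
        history.append(req.t)
        if len(history) > MAX_CHANGES_PER_WINDOW:
            # SAC 025 asks for reporting, so the change is accepted but
            # surfaced to the abuse desk rather than silently blocked.
            self.abuse_reports.append((req.domain, req.t, len(history)))
            return True, f"accepted; reported {len(history)} changes in 24h"
        return True, "accepted"


def run_sample():
    """Feed constructed requests through the policy; returns (policy, decisions)."""
    ns_a = ("ns1.example.test", "ns2.example.test")
    ns_b = ("ns1.hosting.example", "ns2.hosting.example")
    requests = [
        NsChangeRequest(0,      "example.test", True,  True,  3600, ns_a),
        NsChangeRequest(100,    "example.test", False, True,  3600, ns_b),  # no auth
        NsChangeRequest(200,    "example.test", True,  False, 3600, ns_b),  # scripted
        NsChangeRequest(300,    "example.test", True,  True,  300,  ns_b),  # TTL too low
        NsChangeRequest(3600,   "example.test", True,  True,  3600, ns_b),
        NsChangeRequest(7200,   "example.test", True,  True,  3600, ns_a),
        NsChangeRequest(10800,  "example.test", True,  True,  3600, ns_b),  # 4th in 24h
        NsChangeRequest(100000, "example.test", True,  True,  3600, ns_a),  # window cleared
    ]
    policy = NsChangePolicy()
    decisions = [policy.evaluate(r) for r in requests]
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = run_sample()
    for accepted, reason in decisions:
        print("ACCEPT" if accepted else "REJECT", reason)
    print("abuse reports:", policy.abuse_reports)
```

The fifth step (terms of service with a suspension clause) is contractual rather than technical, so it has no counterpart in the code; the abuse reports the policy emits are what would trigger it.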

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44"

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!
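
The simple rule (hold any label that uses more than one script) is easy to automate. Added example, not code from APWG or any registry: it decodes `xn--` labels with Python's built-in idna codec, classifies each character by script using a heuristic on Unicode character names (an assumption made for the example; the standard library has no script property, and production systems use per-TLD IDN tables and UTS #39 restriction levels), and returns the registrations a registrar should hold for review. The sample registrations are constructed; the Chinese/Latin one is built with the idna codec rather than copied from the slide so that its A-label is known to round-trip.

```python
"""Flag registrations whose labels mix scripts, e.g. Chinese characters in
front of a Latin string as in the .HK example on the slide.

Added example; not APWG code and not any registry's screening logic. The
script classifier is a heuristic built on Unicode character names.
"""
import unicodedata


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character from its name."""
    name = unicodedata.name(ch, "")
    if not name:
        return "Unknown"
    first = name.split()[0]
    if first == "CJK":            # e.g. "CJK UNIFIED IDEOGRAPH-6211"
        return "Han"
    if first == "DIGIT" or name.startswith("HYPHEN-MINUS"):
        return "Common"           # digits and '-' belong to no script
    return first.title()          # LATIN -> Latin, CYRILLIC -> Cyrillic, ...


def to_unicode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label; pass other labels through."""
    if label.lower().startswith("xn--"):
        return label.lower().encode("ascii").decode("idna")
    return label


def label_scripts(label: str) -> set:
    """Set of scripts used in a label, ignoring script-neutral characters."""
    return {script_of(ch) for ch in to_unicode_label(label)} - {"Common"}


def is_mixed_script(domain: str) -> bool:
    """True if any label of the domain uses more than one script."""
    return any(len(label_scripts(l)) > 1 for l in domain.rstrip(".").split("."))


def screen_registrations(domains):
    """Return the subset of domains a registrar should hold for review."""
    return [d for d in domains if is_mixed_script(d)]


# Constructed samples. The first mirrors the slide's pattern (Chinese
# pronoun + Latin string); it is built with Python's idna codec rather than
# copied from the slide so the A-label is known to round-trip.
MIXED_HK = "我們的askl44".encode("idna").decode("ascii") + ".hk"
SAMPLE_REGISTRATIONS = [
    MIXED_HK,                 # Han + Latin in one label -> flagged
    "askl44.hk",              # plain ASCII -> not flagged
    "b\u0430nk.example",      # Latin b, n, k + Cyrillic а (U+0430) -> flagged
    "我們的.hk",               # one script per label -> not flagged
]

if __name__ == "__main__":
    for d in SAMPLE_REGISTRATIONS:
        print(d, sorted(label_scripts(d.split(".")[0])), is_mixed_script(d))
```

The bare rule over-flags some legitimate registrations, since Japanese names mix Han, Hiragana and Katakana by design; that is why per-TLD IDN tables and script-combination allowances exist, and why the slide's question about policy development is the harder part.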

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail → phone number
– Phone call → website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc.)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 10

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD:
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars
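The “limit NS and IP changes” item above is the one registrars can automate directly. The block below is an added example (not code from the APWG deck, from APWG, or from any registrar) of what such a guard looks like: it replays a nameserver change log and flags a domain when a requested nameserver resolves into a consumer netblock or when the domain has already changed nameservers too often inside a sliding window, the repeated-NS-change pattern of double flux. The consumer prefixes, the nameserver address table (standing in for a DNS/glue lookup), the thresholds and the change-log records are all constructed for the example and are not APWG figures.

```python
"""Registrar-side guard that rate-limits nameserver changes per domain.

Added example, not code from the APWG deck or from any registrar.  It assumes
a change log of (timestamp, domain, new_nameservers) records such as a
registrar's provisioning front end might keep, a small hypothetical table of
nameserver addresses (normally resolved via DNS), and two made-up "consumer"
netblocks; the thresholds are illustrative policy knobs, not APWG numbers.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical consumer-access (cable/DSL) prefixes.  A real deployment would
# load an ISP/ASN feed; these documentation ranges are placeholders only.
CONSUMER_NETBLOCKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical nameserver -> address table standing in for a DNS/glue lookup.
NS_ADDRESSES = {
    "ns1.example-hosting.net": "192.0.2.10",
    "ns2.example-hosting.net": "192.0.2.11",
    "ns1.flux-a.example": "198.51.100.77",
    "ns2.flux-b.example": "203.0.113.9",
    "ns1.flux-c.example": "198.51.100.130",
}

MAX_NS_CHANGES = 2            # NS updates a domain may make inside WINDOW
WINDOW = timedelta(hours=24)  # sliding window for the rate limit


def on_consumer_netblock(ns_host):
    """True if the nameserver's (looked-up) address sits in a consumer prefix."""
    addr = NS_ADDRESSES.get(ns_host)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONSUMER_NETBLOCKS)


def evaluate_changes(events, max_changes=MAX_NS_CHANGES, window=WINDOW):
    """Replay NS change events in time order and return {domain: [reasons]}.

    events: iterable of (datetime, domain, tuple_of_nameserver_hostnames).
    A domain is flagged when a requested nameserver resolves into a consumer
    netblock, or when it has already made `max_changes` NS updates within
    `window` (the repeated-NS-change pattern of double flux).  A registrar
    would hold flagged updates for manual review instead of applying them.
    """
    accepted = defaultdict(list)   # domain -> timestamps of prior NS changes
    flags = defaultdict(list)
    hours = int(window.total_seconds() // 3600)
    for ts, domain, nameservers in sorted(events):
        recent = [t for t in accepted[domain] if ts - t <= window]
        accepted[domain] = recent
        consumer = [ns for ns in nameservers if on_consumer_netblock(ns)]
        if consumer:
            flags[domain].append(
                f"{ts:%Y-%m-%d %H:%M} nameserver on consumer netblock: "
                + ", ".join(consumer))
        if len(recent) >= max_changes:
            flags[domain].append(
                f"{ts:%Y-%m-%d %H:%M} {len(recent)} NS changes in the last "
                f"{hours}h (double-flux pattern)")
        accepted[domain].append(ts)
    return dict(flags)


def sample_events():
    """Constructed change log: one ordinary domain, one fluxing domain."""
    t0 = datetime(2008, 3, 1, 0, 0)
    return [
        (t0 + timedelta(hours=9), "legit.example",
         ("ns1.example-hosting.net", "ns2.example-hosting.net")),
        (t0, "phish.example", ("ns1.flux-a.example", "ns2.flux-b.example")),
        (t0 + timedelta(hours=6), "phish.example", ("ns1.flux-c.example",)),
        (t0 + timedelta(hours=12), "phish.example",
         ("ns1.example-hosting.net", "ns2.example-hosting.net")),
        (t0 + timedelta(hours=18), "phish.example", ("ns1.flux-a.example",)),
    ]


if __name__ == "__main__":
    for domain, reasons in evaluate_changes(sample_events()).items():
        print(domain)
        for reason in reasons:
            print("  ", reason)
```

On the constructed log the ordinary domain, which changes nameservers once, produces no flags; the fluxing domain is flagged on its first update for consumer-netblock nameservers and from its third update onward for the change rate, even when the third update points at a respectable hosting provider. The window and threshold are deliberately conservative: a legitimate migration rarely needs more than one or two nameserver changes a day, so holding the rest for a human is cheap for the registrar and expensive for the fluxer.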

“What to do if your website has been
hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 13

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!
– Routine blocking of monitoring efforts
– Better DNS set-ups (self-defined, and use of ccTLD nameservers)
– Finding and using the worst registrars to handle mitigation
– Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps
• Authenticate contacts before permitting changes to name server configurations.
• Implement measures to prevent automated (scripted) changes to name server configurations.
• Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting.
• Implement or expand abuse monitoring systems to report excessive DNS configuration changes.
• Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.
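The "Detecting, Killing, Preventing" checklist and the SSAC mitigation items above, turned into a scoring routine as an added example (not code from the APWG or SSAC): it runs the slide's signals (rapid A-record changes, consumer netblocks, worldwide spread, nameserver IPs moving, TTL below the SSAC 30-minute floor) over a series of constructed lookups. The domain names, timestamps, addresses and the "consumer netblock" table are all constructed; the TEST-NET ranges stand in for a real ISP/netblock classification feed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Constructed netblock labels: the TEST-NET ranges stand in for consumer
# broadband prefixes. A real deployment would load a netblock/ISP
# classification feed here instead.
CONSUMER_NETBLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # constructed: "cable ISP A"
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: "DSL ISP B"
    ipaddress.ip_network("203.0.113.0/24"),   # constructed: "cable ISP C"
]


@dataclass(frozen=True)
class Observation:
    """One lookup of a domain at unix time `ts`."""
    domain: str
    ts: int
    a_records: Tuple[str, ...]   # IPs in the A answer
    ttl: int                     # TTL of the A answer, in seconds
    ns_ips: Tuple[str, ...]      # IPs the domain's nameservers resolved to


def is_consumer(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSUMER_NETBLOCKS)


def flux_indicators(obs: Sequence[Observation], min_ttl: int = 1800) -> Dict:
    """Score the slide's fast-flux signals over a series of lookups of one domain.

    `min_ttl` defaults to the 30-minute floor the SSAC report suggests;
    anything shorter counts as a low-TTL signal.
    """
    obs = sorted(obs, key=lambda o: o.ts)
    all_ips = {ip for o in obs for ip in o.a_records}
    # "Rapid changes": how many consecutive lookups returned a different A set
    a_changes = sum(
        1 for prev, cur in zip(obs, obs[1:]) if set(prev.a_records) != set(cur.a_records)
    )
    # "Double flux": the nameserver IPs themselves moved between lookups
    ns_sets = {frozenset(o.ns_ips) for o in obs}
    # "Located on consumer netblocks"
    consumer_share = sum(is_consumer(ip) for ip in all_ips) / max(len(all_ips), 1)
    # "Around the globe": distinct /16s as a crude proxy for geographic spread
    spread = len({ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips})
    lowest_ttl = min(o.ttl for o in obs)
    signals = {
        "rapid_a_changes": a_changes >= 3,
        "low_ttl": lowest_ttl < min_ttl,
        "consumer_hosted": consumer_share >= 0.5,
        "wide_spread": spread >= 3,
        "double_flux": len(ns_sets) > 1,
    }
    score = sum(signals.values())
    return {
        "domain": obs[0].domain, "distinct_ips": len(all_ips), "a_changes": a_changes,
        "min_ttl": lowest_ttl, "consumer_share": round(consumer_share, 2),
        "netblocks": spread, "ns_ip_sets": len(ns_sets),
        "signals": signals, "score": score, "flagged": score >= 3,
    }


def constructed_flux_series() -> List[Observation]:
    """Constructed hourly lookups of a fluxing phish domain (name is made up)."""
    pool = ["192.0.2.17", "198.51.100.8", "203.0.113.44",
            "192.0.2.90", "198.51.100.201", "203.0.113.9"]
    ns_before = ("192.0.2.1", "203.0.113.2")
    ns_after = ("198.51.100.3", "192.0.2.250")   # NS IPs move mid-series
    start = 1_204_848_000                         # constructed epoch timestamp
    return [
        Observation(
            domain="secure-login-update.example",
            ts=start + hour * 3600,
            a_records=tuple(pool[(hour + k) % len(pool)] for k in range(3)),
            ttl=300,
            ns_ips=ns_before if hour < 3 else ns_after,
        )
        for hour in range(6)
    ]


def constructed_stable_series() -> List[Observation]:
    """Constructed lookups of an ordinary hosted site: same answer, long TTL."""
    # 198.18.0.0/15 is a benchmarking range; it is not in the consumer table.
    return [
        Observation("example.net", 1_204_848_000 + hour * 3600,
                    ("198.18.0.10",), 3600, ("198.18.0.2",))
        for hour in range(6)
    ]


if __name__ == "__main__":
    for series in (constructed_flux_series(), constructed_stable_series()):
        r = flux_indicators(series)
        print(r["domain"], "score", r["score"], "flagged", r["flagged"], r["signals"])
```

Thresholds (three A-set changes, half the IPs on consumer space, three /16s, score of 3) are illustrative; a registry would tune them against its own zone data and known-bad comparisons.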

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44"

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII-based systems!
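The slide asks whether flagging mixed-script registrations is easy to do technically. As an added example (not APWG code), the check below decodes a label from its xn-- form, classifies each character's script from its Unicode name, and flags labels whose non-neutral characters span more than one script; the allowed-combination set is an illustrative policy, not any registry's rule, and the name-prefix classification is an assumption that stands in for the Unicode script property tables.

```python
import unicodedata
from typing import Dict, Set

# Characters whose Unicode name starts with one of these words are script-neutral
# (digits and the hyphen are allowed in any label).
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}

# Script combinations a registry might legitimately permit. Illustrative policy
# (assumption): Japanese labels commonly mix these three.
ALLOWED_MIXES = {frozenset({"CJK", "HIRAGANA", "KATAKANA"})}


def to_ulabel(label: str) -> str:
    """Return the Unicode form of a label given as A-label (xn--) or U-label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_alabel(ulabel: str) -> str:
    """Encode a U-label to its xn-- A-label with Python's IDNA codec."""
    return ulabel.encode("idna").decode("ascii")


def char_script(ch: str) -> str:
    """Approximate a character's script by the first word of its Unicode name
    (assumption: good enough for a registration-time screen)."""
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:            # unnamed code point: treat as its own class
        return f"UNNAMED-{ord(ch):04X}"


def label_scripts(ulabel: str) -> Set[str]:
    return {s for s in (char_script(c) for c in ulabel) if s not in NEUTRAL}


def assess_label(label: str) -> Dict:
    """Flag a label whose non-neutral characters span more than one script."""
    try:
        ulabel = to_ulabel(label)
    except UnicodeError:
        return {"label": label, "ulabel": None, "scripts": set(),
                "mixed": False, "error": "undecodable punycode"}
    scripts = label_scripts(ulabel)
    mixed = len(scripts) > 1 and not any(scripts <= ok for ok in ALLOWED_MIXES)
    return {"label": label, "ulabel": ulabel, "scripts": scripts,
            "mixed": mixed, "error": None}


def assess_domain(domain: str) -> Dict:
    """Assess every label except the TLD; flag the domain if any label is mixed."""
    labels = domain.rstrip(".").split(".")[:-1]
    results = [assess_label(lab) for lab in labels]
    return {"domain": domain, "labels": results,
            "flagged": any(r["mixed"] for r in results)}


if __name__ == "__main__":
    # The slide's example label in its Unicode form, Han plus Latin on .hk
    print(to_alabel("我們的askl44"), assess_domain("我們的askl44.hk"))
    print(assess_domain("askl44.hk"))
```

The same routine catches Latin/Cyrillic look-alike labels, which is the generalization the slide's ccTLD question is really about.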

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail → phone number
– Phone call → website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc.)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 14

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 15

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as “resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email, etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is the review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of Phish Domains

Accelerated Domain Suspension Plan for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to help them assist the anti-phishing community and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help law enforcement catch the criminals)
• What is useful? How should it be preserved? Who should receive it?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

Prototype: http://www.antiphishing.org/warning/index.html

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through 2007 that provides useful trends and commonalities to help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting: [email protected]
• Membership: [email protected]
• IPC Chair’s e-mail: [email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 18

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc.)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars
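The monitoring the deck asks of registrars, both the “monitor report generation and domain changes for unusual activity” advice on the Stolen Login Credentials slide and the “limit NS and IP changes” practice above, as an added example that is not part of the APWG presentation: a small Python detector run over a constructed registrar audit log. The log format, field names, thresholds and the per-account known-IP list are assumptions for illustration.

```python
"""Registrar audit-log monitor (added example, not APWG code).

Flags three things the slides call out:
  * staff logins from an IP the account has never used (IP tracing),
  * bursts of customer-report generation by one account,
  * rapid nameserver changes on one domain (a fast-flux signal).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format assumed: ts|account|src_ip|action|object.
# IPs are documentation ranges; the domain names are made up.
SAMPLE_LOG = """\
2008-03-03T09:02:11|jsmith|10.1.4.22|login|-
2008-03-03T09:05:40|jsmith|10.1.4.22|report|customer_export
2008-03-03T17:30:02|jsmith|10.1.4.22|logout|-
2008-03-04T02:14:05|jsmith|198.51.100.77|login|-
2008-03-04T02:15:10|jsmith|198.51.100.77|report|customer_export
2008-03-04T02:16:02|jsmith|198.51.100.77|report|customer_export
2008-03-04T02:17:44|jsmith|198.51.100.77|report|customer_export
2008-03-04T02:18:30|jsmith|198.51.100.77|report|customer_export
2008-03-04T02:19:12|jsmith|198.51.100.77|report|customer_export
2008-03-04T03:00:00|reseller9|203.0.113.5|ns_change|lure-example.hk
2008-03-04T05:00:00|reseller9|203.0.113.5|ns_change|lure-example.hk
2008-03-04T07:00:00|reseller9|203.0.113.5|ns_change|lure-example.hk
2008-03-04T09:00:00|reseller9|203.0.113.5|ns_change|lure-example.hk
2008-03-04T10:00:00|amiller|10.1.4.31|ns_change|legit-shop.org
"""

# Constructed baseline: IPs each account has historically logged in from.
# A registrar would build this from its own login history.
KNOWN_IPS = {
    "jsmith": {"10.1.4.22"},
    "amiller": {"10.1.4.31"},
    "reseller9": {"203.0.113.5"},
}


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, obj = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "action": action, "obj": obj})
    events.sort(key=lambda e: e["ts"])
    return events


def unknown_ip_logins(events, known_ips):
    """Return (account, ip, ts) for every login from an IP outside the
    account's baseline; these are the logins to challenge or block."""
    return [(e["account"], e["ip"], e["ts"])
            for e in events
            if e["action"] == "login"
            and e["ip"] not in known_ips.get(e["account"], set())]


def burst_actors(events, action, key, limit, window):
    """Sliding-window rate check: flag each `key` (an account or a domain)
    that performs `action` more than `limit` times within `window`.
    Returns {key: (time first exceeded, count in window at that moment)}."""
    recent = defaultdict(list)
    flagged = {}
    for e in events:
        if e["action"] != action:
            continue
        k = e[key]
        times = recent[k]
        times.append(e["ts"])
        # Drop timestamps that have aged out of the window.
        while times and e["ts"] - times[0] > window:
            times.pop(0)
        if len(times) > limit and k not in flagged:
            flagged[k] = (e["ts"], len(times))
    return flagged


def run_monitor(text, known_ips):
    """Run all three checks and return the findings by category."""
    events = parse_log(text)
    return {
        # Any login from an IP the account has never used before.
        "new_ip_logins": unknown_ip_logins(events, known_ips),
        # More than 3 customer reports by one account within an hour.
        "report_bursts": burst_actors(events, "report", "account",
                                      limit=3, window=timedelta(hours=1)),
        # More than 2 nameserver changes on one domain within 24 hours.
        "ns_churn": burst_actors(events, "ns_change", "obj",
                                 limit=2, window=timedelta(hours=24)),
    }


if __name__ == "__main__":
    for category, hits in run_monitor(SAMPLE_LOG, KNOWN_IPS).items():
        print(category, hits)
```

On the sample log this flags jsmith's 02:14 login from an unknown address and the report burst that follows it, and the churn on lure-example.hk, while amiller's single change on legit-shop.org passes.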

“What to do if your website has been
hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 21

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 22

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
Slide 25

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006: Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 26

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 27

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars
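As an added example (not code from the deck, from APWG or from any registrar), the Python sketch below shows one concrete form the first focus item, limiting NS and IP changes, can take on the registrar side: a rolling-window count of nameserver changes per domain, with any update over the limit held for human review instead of being applied automatically. The threshold (3 changes per 24 hours), the domain names and the change events are constructed assumptions for illustration.

```python
"""Change-velocity guard for nameserver (NS) updates at a registrar.

Added example illustrating the "limit NS and IP changes" recommendation;
it is not APWG or any registrar's code. The threshold (at most 3 NS
changes per domain in a rolling 24 h window) and the change events
below are assumptions constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NsChange:
    """One requested nameserver update for a registered domain."""
    when: datetime
    domain: str
    nameservers: tuple  # new NS hostnames, e.g. ("ns1.example.net", "ns2.example.net")


class NsChangeGuard:
    """Holds NS updates that exceed a per-domain change rate for human review.

    Fast-flux operators re-point nameservers far more often than a legitimate
    registrant does, so the number of NS changes inside a rolling window is a
    cheap registrar-side signal. Updates under the limit are applied as usual;
    an update over the limit is held rather than rejected outright, so a
    legitimate migration can still be approved by a person.
    """

    def __init__(self, max_changes: int = 3, window: timedelta = timedelta(hours=24)):
        self.max_changes = max_changes
        self.window = window
        # domain -> timestamps of changes (allowed or held) still inside the window
        self._history = defaultdict(deque)

    def evaluate(self, change: NsChange) -> str:
        """Return "ALLOW" or "HOLD" for this change and record it."""
        hist = self._history[change.domain]
        cutoff = change.when - self.window
        # Drop timestamps that have aged out of the rolling window.
        while hist and hist[0] < cutoff:
            hist.popleft()
        hist.append(change.when)
        if len(hist) > self.max_changes:
            return "HOLD"
        return "ALLOW"

    def changes_in_window(self, domain: str) -> int:
        """Number of changes for this domain currently counted in the window."""
        return len(self._history[domain])


def run_guard(events):
    """Evaluate a chronological list of NsChange events; return (domain, decision) pairs."""
    guard = NsChangeGuard()
    return [(e.domain, guard.evaluate(e)) for e in events]


# Constructed sample events (not real domains or registrar data).
T0 = datetime(2008, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    NsChange(T0, "shop.example", ("ns1.hosting.example", "ns2.hosting.example")),
    NsChange(T0 + timedelta(hours=1), "flux.example", ("ns1.a.example", "ns2.a.example")),
    NsChange(T0 + timedelta(hours=3), "flux.example", ("ns1.b.example", "ns2.b.example")),
    NsChange(T0 + timedelta(hours=5), "flux.example", ("ns1.c.example", "ns2.c.example")),
    NsChange(T0 + timedelta(hours=7), "flux.example", ("ns1.d.example", "ns2.d.example")),  # 4th in 24 h
    NsChange(T0 + timedelta(hours=31), "flux.example", ("ns1.e.example", "ns2.e.example")),  # window has slid
]

if __name__ == "__main__":
    for domain, decision in run_guard(SAMPLE_EVENTS):
        print(f"{domain:15} {decision}")
```

The fourth change to `flux.example` inside the window is held; the change 31 hours after the first is allowed again because the earliest entries have aged out. In practice the same window logic applies to host (glue) IP changes, and the held queue is what gives abuse staff the evidence-preservation opportunity the next focus item asks for.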

“What to do if your website has been hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 30

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps
• Authenticate contacts before permitting changes to name server configurations.
• Implement measures to prevent automated (scripted) changes to name server configurations.
• Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting.
• Implement or expand abuse monitoring systems to report excessive DNS configuration changes.
• Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.
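Two of the SSAC steps above are mechanical enough to show in code: the TTL floor (using the slide's 30-minute example) and an audit over the nameserver change log that reports domains reconfigured too often. This is an added example, not APWG or SSAC code; the change log, the 24-hour window and the "more than three changes" threshold are constructed for the example, since SAC 025 as quoted here gives no such numbers.

```python
"""Two registrar/registry-side controls from the SSAC list: a TTL floor that
blocks the short TTLs double-flux relies on, and an audit over the nameserver
change log that flags domains reconfigured too often. Added example, not
APWG or SSAC code; the change log is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_TTL_SECONDS = 30 * 60   # the slide's example floor of 30 minutes


def enforce_min_ttl(requested_ttl: int) -> int:
    """TTL to actually publish for a record: never below the floor."""
    return max(int(requested_ttl), MIN_TTL_SECONDS)


# Constructed change log: (ISO timestamp, domain, new NS set). Domains and
# nameservers use the reserved .test TLD, so nothing here is a real name.
CHANGE_LOG = [
    ("2008-03-01T00:05:00", "flux-example.test", ("ns1.a.test", "ns2.a.test")),
    ("2008-03-01T03:10:00", "flux-example.test", ("ns1.b.test", "ns2.b.test")),
    ("2008-03-01T07:45:00", "flux-example.test", ("ns1.c.test", "ns2.c.test")),
    ("2008-03-01T12:20:00", "flux-example.test", ("ns1.d.test", "ns2.d.test")),
    ("2008-03-01T09:00:00", "shop-example.test", ("ns1.host.test", "ns2.host.test")),
    ("2008-03-15T09:00:00", "shop-example.test", ("ns1.other.test", "ns2.other.test")),
]


def excessive_ns_changes(log, window=timedelta(hours=24), max_changes=3) -> dict:
    """Return {domain: n} for every domain whose NS configuration changed more
    than max_changes times inside some window-long period. Window and
    threshold are assumptions for the example; the SSAC text gives no numbers."""
    by_domain = defaultdict(list)
    for ts, domain, nameservers in log:
        by_domain[domain].append((datetime.fromisoformat(ts), frozenset(nameservers)))
    flagged = {}
    for domain, events in by_domain.items():
        events.sort(key=lambda e: e[0])
        # keep only events that really alter the NS set (re-submitting the same
        # servers is noise, not a change)
        times = [t for i, (t, ns) in enumerate(events)
                 if i == 0 or ns != events[i - 1][1]]
        # sliding window over the change times; j never moves backwards
        worst, j = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            worst = max(worst, j - i)
        if worst > max_changes:
            flagged[domain] = worst
    return flagged


if __name__ == "__main__":
    print(enforce_min_ttl(60), enforce_min_ttl(7200))
    print(excessive_ns_changes(CHANGE_LOG))
```

The audit only counts events that actually alter the nameserver set, so a customer who re-saves an unchanged configuration does not trip it; in a real deployment the flagged domains would feed the abuse desk's queue rather than be suspended automatically, which is the "report" wording SSAC uses.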

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44"

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII-based systems!
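On the "is that easily done technically?" question, the mixed-script part of the check is small. The following is an added example, not registry or APWG code: it decodes an A-label with Python's built-in idna codec, derives a coarse script family per character from the Unicode character name, and flags any label that mixes families (digits and hyphens are ignored). The A-label it tests is built by encoding the U-label 我們的askl44 shown on the slide, so the punycode string printed on the slide is not itself asserted.

```python
"""Screen a registration request for mixed-script IDN labels, the pattern the
slide describes (CJK characters in front of a Latin string). Added example,
not APWG or registry code; it uses only Python's built-in idna codec and
unicodedata, so it runs offline."""
import unicodedata


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its U-label; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def script_of(ch: str) -> str:
    """Coarse script family taken from the Unicode character name.
    Digits and hyphen count as COMMON and are ignored when mixing is judged."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    if name.startswith("CJK "):
        return "HAN"
    # e.g. "LATIN SMALL LETTER A" -> LATIN, "CYRILLIC SMALL LETTER A" -> CYRILLIC
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in_label(label: str) -> set:
    """Set of script families used in one label, COMMON characters excluded."""
    return {script_of(c) for c in decode_label(label)} - {"COMMON"}


def is_mixed_script(label: str) -> bool:
    return len(scripts_in_label(label)) > 1


def flagged_labels(fqdn: str) -> dict:
    """Map each mixed-script label of a domain name to the scripts it mixes.
    An empty result means the name passes the non-mixed-script check."""
    return {lab: scripts_in_label(lab) for lab in fqdn.split(".") if is_mixed_script(lab)}


if __name__ == "__main__":
    # Constructed A-label built from the U-label shown on the slide.
    a_label = "我們的askl44".encode("idna").decode("ascii")
    print(a_label, flagged_labels(a_label + ".hk"))
    print(flagged_labels("example.hk"))
```

Two caveats a registry would add before using this for real: the character-name prefix is a shortcut for the Unicode Script property (a proper implementation would use it directly), and some languages legitimately mix families (Japanese names combine Han, Hiragana and Katakana), which is exactly why each registry's IDN table, not a blanket rule, decides which combinations are allowed in its zone.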

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail → phone number
– Phone call → website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc.)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data
– Known good addresses
– Established relationship with breached company
– Social engineering mechanisms easy to create
– Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond “don’t click on this”
– E-mail and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 31

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG
Internet Policy Committee








Accelerated Domain Suspension by Registries
Influence ICANN WHOIS issues
Registrar Best Practices
“What to do if your site has been hacked”
Phish Site “Landing page” to educate victims
Collaborate with ICANN constituencies & SSAC
Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD






Accreditation agency
Accredited Intervenor list
Timeframe of registry suspension of DNS to eligible domain
Fast arbitration process for disputes
Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars

“What to do if your website has been
hacked by phishers”





Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process
underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]


Slide 32

Anti-Phishing Working Group
www.antiphishing.org

Internet Policy Committee Update,
and Latest Phishing Trends
Public Interest Registry
Advisory Council
March 7, 2008
Presented by Mike Rodenbaugh

Agenda
• Developments in Phishing/Malware Threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)

• Ongoing concerns
– Registrar accreditation and responsiveness

• Update on continuing APWG Policy initiatives
– Registry Domain Suspension Plan
– ICANN Topical items

• Discussion

APWG Internet Policy Committee (IPC)
• Approximately 50 members
• Participants include registries, registrars,
CERTs, solution providers, ISPs, researchers,
financial institutions, ICANN wonks, etc.
• Goal: Ensure that anti-phishing concerns are
represented during the creation or modification
of Internet policies

APWG Collaboration with ICANN
Community
• APWG Presenting Phishing Issues at ICANN Meetings
– APWG presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues
• Fast Flux DNS
• Phishing attacks against registrars

– Work at constituency level on best practices and policy issues
• Registrar, Registry, ccNSO
• Whois working group
• .Asia suspension initiative

• ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate

Methodologies of phishers changing - affecting reported site data - driven by:
• The success of browser blocking in IE and Firefox
• RockPhish and fast-flux attacks
• Reports handling catching up with these changes

Phishers Casting a Wider Net

• Many smaller banking institutions, and non-financial institutions, being
targeted -- usually with a serious lack of resources to fight the problem
• More sophisticated attacks being employed against first time targets

Phishing is a Global Problem

Top countries for hosting phish sites in November 2007
China and US in dead heat – China slightly more phish

India rose significantly

Latest Phishing Trends
• Domain Name Phishing
– Fast-Flux - not just for the big boys
– IDNs (Internationalized Domain Names)

• Phone Phishing
• Large-Scale Spear Phishing
– Ties to malware attacks
– Targeting of companies for customer intel

• Registrars facilitating the problem

Fast-Flux for Phishing Increasing
• More Players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents – personalized & tracking

• More Targets
– Attacks against traditional targets continue relentlessly
– “Little Guys” hit hard with fast-flux on first ever phish
• Overwhelming infrastructure and personnel
• Losses occurring quickly – major cash-outs in short amount of time

• More Sophistication!





Routine blocking of monitoring efforts
Better DNS set-ups (self-defined, and use of ccTLD nameservers)
Finding and using the worst registrars to handle mitigation
Exploiting cash-outs via “holes” in overseas ATM verification systems

• CrimeDNS = High availability “fraud” DNS systems for hire
• SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key! Advice for hunters/registrars/registries

• Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double FastFlux)

• Examine new domain A Records in DNS
– Rapid changes
– Located on consumer netblocks
• Move daily from one to another - around the globe
• Multiple static entries - worldwide
• Can compare to known bad actors

– Wildcard - all hosts resolve

• The 3 P’s - Policies, procedures, people - in place for quick kills

SSAC Report: possible mitigation steps







Authenticate contacts before permitting changes to name server
configurations.
Implement measures to prevent automated (scripted) changes to name
server configurations.
Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart
the double flux element of fast flux hosting.
Implement or expand abuse monitoring systems to report excessive DNS
configuration changes.
Publish and enforce a Universal Terms of Service agreement that prohibits
the use of a registered domain and hosting services (DNS, web, mail) to
abet illegal or objectionable activities (as enumerated in the agreement) and
include provisions for suspension of domain names that are demonstrated
to be involved in fast flux hosting.

Large-scale use of IDNs in Phish
• ROCK leading the way in past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)

• xn--randomlookingstuff-realstuff.tld
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are
placed before the "askl44”

• Lots of implications - especially in the ccTLD space
– Can we all follow the non-mixed script recommendation?
– Automate systems to flag suspicious registrations?
• Is that easily done technically?
• Policy development?
• Most aren’t even doing it for ASCII based system!

Phone Phishing Has Arrived
• Last 3 months have seen a rapid rise in phone
phishing (often mis-named vishing by press etc.)
– VOIP usually not being used

• Multiple techniques
– E-mail  phone number
– Phone call  website

• Often targeting “little” guys
– Small credit unions and local banks
– Local phone numbers used, local people targeted
• Getting good intel and target lists somewhere

Malware proliferation
• Change in emphasis - now Crimeware
• Organized crime with specialists creating
sophisticated attacks
• Open up computers to become zombies
• Install keyloggers and scan for user/pass
• Capturing and using address books
– Direct targets for sophisticated social engineering
– Going after “whales” - people with high-value assets

Phishing Social Networks
• MySpace example
– 2006- Zero phish
– More than 2,000 since then
– Currently over 5 per day

• Capturing login credentials and associations to
other people/affinities/companies
– Use for spamming/spear phishing
– Logins can be re-used by many for other services
• People are generally poor with password practices

Targeting of Businesses for Data
• Major phishing and malware groups are now targeting companies
with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access

• Growing phishing activity over past 9 months
– Business data: Lexis/Nexis, Salesforce.com
– Employment data (HR acct): Monster.com, CareerBuilder.com
– Credit Bureaus (business access): Equifax

• Wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches

• Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
• Criminals run reports and get info on customers
– E-mail addresses for spam targeting
– Net-worth/value of the customer
– Latest transactions/communications

• Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP
tracing/blocking, etc)
– Monitor report generation and domain changes for
unusual activity

Mass-Market Spear Phishing
• Large-scale phishing with stolen customer data





Known good addresses
Established relationship with breached company
Social engineering mechanisms easy to create
Return address will be white-listed by many victims

• Personalization = high success rate
– Depending on data stolen, highly personalized lures
– Name, correct account #, latest transaction
– Expected communications can be timed and spoofed

Phishing 2.0.08
• We’re entering a new phase with these targeted attacks
• More, not less in losses
• What do we need?








Better/faster intervention
Better access controls in place for a wider variety of data
Education beyond “don’t click on this”
E-mail and web authentication and reputation actually USED
Better control over the DNS infrastructure
Fewer security holes in software!
Basically everything we’ve been talking about for over four years now.

#1 - Change in mindset – assume users are compromised - build and
run systems accordingly

Registrar Risks
• There are several risky registrars with access to
the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– Registrar in-a-box – no one is actually there

• Handing out access to criminals posing as
“resellers”
– No rules or requirements from ICANN on reseller accreditation
– Shields financial transaction from registration process

• No accountability

Example: Blog.com
• Nice website with a great domain name
• No one is home!
– Registrar in-a-box
– US “presence” is a corporate filing in Delaware
– Actual site and “owners” in Portugal
• Never answer abuse requests (phone, email etc.)
• Fully-automated set-up, no humans needed

– Actual service provided by Directi (India)
• Will suspend abuse domains eventually

• The latest favorite registrar for ROCK

Who’s in charge of Risky Registrars?
• ICANN compliance almost powerless
– Often don’t even have accurate contact data
– What is review process?
• Insurance checked?
• Spot checks on required support?

– Mixed messages on their mission

• Registries cannot suspend bad actors
– Must provide access to ICANN accredited registrars
– Still reluctant to take action/responsibility (some changes)

• If no one takes responsibility
– Some regulator will
– Things will break - badly

Initiatives of the APWG Internet Policy Committee
• Accelerated Domain Suspension by Registries
• Influence ICANN WHOIS issues
• Registrar Best Practices
• “What to do if your site has been hacked”
• Phish Site “Landing page” to educate victims
• Collaborate with ICANN constituencies & SSAC
• Large-scale data study for 2007 phishing

Process Flow: Registry Suspension of
Phish Domains

Accelerated Domain Suspension Plan
for Registries: Update
• Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation

• Several other ccTLD registries interested
• Still TBD
– Accreditation agency
– Accredited Intervenor list
– Timeframe of registry suspension of DNS to eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG view
• Access needed to WHOIS by
– Law enforcement
– Brand owners
– Third party shutdown providers

• The use of WHOIS in phish site remediation:
http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

• Future studies – IPC will participate in ICANN framing of studies
• Privacy “services” and “proxies” a major concern – they make criminal
site suspension much more difficult and time-consuming, especially for
hacked sites using otherwise legitimate domain names.

Registrar Best Practices
• Goal: Provide recommendations to registrars to
help them assist the anti-phishing community
and make the Internet safer for all of us
• Focus:
– Limit NS and IP changes to mitigate ‘fast flux’ crime
– Evidence preservation (help LE catch the criminals)
• What is useful? How to preserve? Who to provide to?

– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities

• Final draft in review by registrars
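One way a registrar can act on the “limit NS and IP changes” recommendation is to watch its own change log for churn and hold the offending domain for human review rather than letting automated changes through. The following is an added example, not APWG’s or any registrar’s code. It assumes a change log with one row per modification (timestamp, domain, record type, old value, new value); the rows, the domain names and the thresholds (more than two changes of the same record inside 24 hours) are constructed for the example.

```python
"""Flag domains whose nameserver or host-IP records change too often.

Added illustrative example (not APWG or registrar code). The change-log
shape and the thresholds below are assumptions; SAMPLE_CHANGES is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample change-log rows: (ISO timestamp, domain, record, old, new).
# "flux-lure.test" rotates both its NS hosts and its host IP every few hours;
# "shop-legit.test" makes two ordinary NS changes two days apart.
SAMPLE_CHANGES = [
    ("2008-03-01T00:10:00", "shop-legit.test", "NS", "ns1.hoster.test", "ns2.hoster.test"),
    ("2008-03-01T01:00:00", "flux-lure.test", "NS", "ns1.aaa.test", "ns1.bbb.test"),
    ("2008-03-01T03:30:00", "flux-lure.test", "NS", "ns1.bbb.test", "ns1.ccc.test"),
    ("2008-03-01T06:15:00", "flux-lure.test", "NS", "ns1.ccc.test", "ns1.ddd.test"),
    ("2008-03-01T09:45:00", "flux-lure.test", "NS", "ns1.ddd.test", "ns1.eee.test"),
    ("2008-03-01T02:00:00", "flux-lure.test", "HOST_IP", "198.51.100.7", "203.0.113.9"),
    ("2008-03-01T05:00:00", "flux-lure.test", "HOST_IP", "203.0.113.9", "192.0.2.44"),
    ("2008-03-01T08:00:00", "flux-lure.test", "HOST_IP", "192.0.2.44", "198.51.100.80"),
    ("2008-03-03T12:00:00", "shop-legit.test", "NS", "ns2.hoster.test", "ns1.hoster.test"),
]


def parse_changes(rows):
    """Turn raw rows into (datetime, domain, record, old, new) tuples, oldest first."""
    events = [
        (datetime.fromisoformat(ts), domain.lower(), record, old, new)
        for ts, domain, record, old, new in rows
    ]
    events.sort(key=lambda e: e[0])
    return events


def excessive_changes(events, window=timedelta(hours=24), max_changes=2):
    """Return {(domain, record): peak_count} for every domain/record pair that
    saw more than max_changes modifications inside any sliding window."""
    recent = defaultdict(deque)   # (domain, record) -> timestamps inside the window
    flagged = {}
    for ts, domain, record, _old, _new in events:
        key = (domain, record)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop changes that fell out of the window
            q.popleft()
        if len(q) > max_changes:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def double_flux_candidates(flagged):
    """Domains where both the NS set and the host IP churn: the double-flux pattern."""
    records_by_domain = defaultdict(set)
    for domain, record in flagged:
        records_by_domain[domain].add(record)
    return sorted(d for d, recs in records_by_domain.items() if {"NS", "HOST_IP"} <= recs)


if __name__ == "__main__":
    hits = excessive_changes(parse_changes(SAMPLE_CHANGES))
    for (domain, record), count in sorted(hits.items()):
        print(f"hold for review: {domain} {record} changed {count}x within 24h")
    for domain in double_flux_candidates(hits):
        print(f"double-flux candidate: {domain}")
```

The output of the monitor is a review queue, not an automatic suspension: a legitimate migration can also produce a burst of changes, so the threshold should be tuned against the registrar’s own baseline and a human should confirm before the domain is held.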

“What to do if your website has been hacked by phishers”
• Intended to be a quick reference guide
• Supported by resources on the APWG website
• Includes feedback from the wider APWG group
• Nearly complete! Final feedback process underway.
• If you only do two things…
– Ensure your software, hosting and DNS applications
are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
• Website to redirect from removed phishing sites
• EDUCATE people who fell for phishing lures
• Logistics in process
– Hosted by APWG or ISP that hosted phishing site
– Could we do this via Registry/Registrar?
– Translated to multiple languages

• Concerns
– Attacks (DDOS, Defacement, Drop Malware)
– Potential use for evidence gathering - how?

http://www.antiphishing.org/warning/index.html

Prototype

2007 Phishing Data Study
• Goal: Create an in-depth paper on phishing through
2007 that provides useful trends and commonalities to
help investigation and provoke action by stakeholders

• Special focus on domain name system
• Data sets being collected from many sources

• Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting

Tokyo, Japan
May 26-27, 2008
We invite you to participate!

APWG Contacts
• Website: http://www.antiphishing.org
• Phish Site Reporting:
[email protected]
• Membership: [email protected]
• IPC Chair’s e-mail:
[email protected]

Discussion

Anti-Phishing Working Group
www.antiphishing.org

IPC Initiative Update and Latest
Phishing Trends
Presented by
Mike Rodenbaugh
[email protected]

