APWG Update for ICANN Cross Constituency Meeting Rod Rasmussen Co-Chair APWG Internet Policy Committee President & CTO June 23, 2009.


1 APWG Update for ICANN Cross Constituency Meeting
Rod Rasmussen
Co-Chair, APWG Internet Policy Committee
President & CTO
June 23, 2009

2 Topics
APWG IPC Initiatives Update
Global Phishing Survey Update
Use of Malicious Registrations: Avalanche
Attacks on Registrars: .PR and DomainNZ
New emphasis on the Internet as critical infrastructure

3 Current/Recent Initiatives
Redirect education page
Accelerated domain suspension
Website vulnerability study
End-User education efforts
ICANN: Policy work, outreach

4 Landing Page Working Well
Up and running for over 6 months
– Hundreds of sites redirected
– Available in 20+ languages soon
– Thousands of consumers educated
– Live example! http://www.chapelenterprises.com/index/hsbcbankingonline/IBlogin.html
Data to be made available to brand holders that are APWG members

5 Latest APWG Phishing Survey
Study domain names and URLs to:
– Provide a consistent benchmark for scope of phishing problems worldwide
– Understand what phishers are doing
– Identify new trends
– Find hot-spots and success stories
– Suggest anti-abuse measures
http://apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf

6 Overall Stats

7 Events in 2H2008
Disappearance of ROCK phish
– Evident in drop off in .UK and .ES phishing
– Replaced? late in year with Avalanche
Started slowly in December - big in 2009!
Similar tactics but uses fast-flux
Assault on Venezuela (.VE)
– Unprepared registry (registry/registrar model)
Fast Flux attacks based on hundreds of VE domains
Registry was very slow to act to mitigate
No formal policies
– Took months to update policies
– Phishers took advantage

8 Top Phishing TLDs by Score (minimum 30,000 domains and 25 phish)

| Rank | TLD | TLD Location | Unique Domain Names used for phishing 2H2008 | Domains in registry in Dec 2008 | Score: Phish per 10,000 domains 2H2008 |
|---|---|---|---|---|---|
| 1 | ve | Venezuela | 1,504 | 82,500 | 182.3 |
| 2 | th | Thailand | 88 | 39,880 | 22.1 |
| 3 | bz | Belize | 55 | 43,377 | 12.7 |
| 4 | su | Soviet Union | 76 | 85,119 | 8.9 |
| 5 | ro | Romania | 188 | 310,114 | 6.1 |
| 6 | cl | Chile | 116 | 232,897 | 5.0 |
| 7 | kr | Korea | 413 | 983,626 | 4.2 |
| 8 | vn | Vietnam | 37 | 92,992 | 4.0 |
| 9 | ru | Russia | 676 | 1,860,179 | 3.6 |
| 10 | tw | Taiwan | 144 | 406,669 | 3.5 |

9

10 Malicious Domain Registrations
Of the 30,454 phishing domains, we identified 5,591 (18.5%) clearly registered by phishers.
– Of those 5,591, only 1,053 domains contained a relevant brand name or misspelling. (Only 3.5% of all domains used for phishing.)
<81% of domains used for phishing were compromised or hacked domains.
The domain name itself usually does not matter to phishers. A hacked domain name of any meaning (or no meaning), in any TLD, will do.

11 Study Conclusions
Phishers move from registrar to registrar, and TLD to TLD to exploit the best phishing holes
Moving away from IP-based phishing
The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
Subdomain registration services are nearly as abused as standard domain registrars
Registry anti-abuse programs have an effect
Malicious registrations >18%
Phishers happy to use any domain name

12 Avalanche Phishing Attacks
Successor to infamous ROCK phishers
Using dozens of domains daily at targeted registrar(s)
– Varying TLDs
– Testing responses of registrars
Fast Flux Domain Hosting
– Using known nameservers
– Large but fixed botnet
Attacking over 30 major brands concurrently
Cashing out millions of dollars

13 Avalanche Brands Under Attack

14 Attacks Move Between Registrars
Once registrar identified, attacks continue until registrar reacts
– Blocks bogus registrations
– Mitigates domains within 3 hours
Often looking for weak reseller of larger registrar

15 Hacking Attacks on Registrars
Two major hacking attacks in April
– DomainZ
– PR NIC
– http://www.zone-h.org/news/id/4708
Seven recent attacks around the world
Many by Turkish hacker group Peace Crew
– Goal was site take-over for defacement
– Proof of concept or bragging rights???
Appears to be targeted SQL injection against domain management server

16
Take-over domain account
Assign new nameservers
Point A record to defacement

17 Wake up Call?
Will the next attack be for real crime?
Has it already happened?
– Mystery data in recent phish set-ups hint at it
Who's doing PEN testing?
Monitoring key resources?
Monitoring customer domains?
SSAC working on a report addressing these issues
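
A monitoring check for the takeover sequence on slide 16, added here as an example and not part of the original presentation: it compares a stored baseline of each customer domain's NS and A records with a later observation. The domain names, addresses, severity labels and function names are constructed for illustration.

```python
# Constructed sample data: example.* names and RFC 5737 documentation addresses.
HOST_NS = ["ns1.host.example.", "ns2.host.example."]
BASELINE = {
    "customer-a.example": {"ns": HOST_NS, "a": ["192.0.2.10"]},
    "customer-b.example": {"ns": HOST_NS, "a": ["192.0.2.20"]},
    "customer-c.example": {"ns": HOST_NS, "a": ["192.0.2.30"]},
    "customer-d.example": {"ns": HOST_NS, "a": ["192.0.2.40"]},
}
OBSERVED = {
    # New nameservers and a new address: the sequence shown on slide 16.
    "customer-a.example": {"ns": ["NS1.other.example", "ns2.other.example"], "a": ["198.51.100.7"]},
    # Same delegation, only written with different case, order and trailing dot.
    "customer-b.example": {"ns": ["NS2.HOST.EXAMPLE", "ns1.host.example."], "a": ["192.0.2.20"]},
    # Address changed under the same nameservers (often a routine update).
    "customer-c.example": {"ns": HOST_NS, "a": ["203.0.113.5"]},
    # customer-d.example is missing: the lookup failed or the domain is gone.
}

def normalise(names):
    """Case-fold and strip the trailing dot so equal hostnames compare equal."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def classify(expected, current):
    """Return (severity, reason) for one domain, or None if nothing changed."""
    ns_changed = normalise(expected["ns"]) != normalise(current["ns"])
    a_changed = normalise(expected["a"]) != normalise(current["a"])
    if ns_changed and a_changed:
        return ("high", "nameservers and A record both changed")
    if ns_changed:
        return ("medium", "nameserver delegation changed")
    if a_changed:
        return ("low", "A record changed under the same nameservers")
    return None

def audit(baseline, observed):
    """Compare every monitored domain with its baseline; return the findings."""
    findings = {}
    for domain, expected in baseline.items():
        current = observed.get(domain)
        if current is None:
            findings[domain] = ("medium", "no observation for monitored domain")
            continue
        result = classify(expected, current)
        if result:
            findings[domain] = result
    return findings

if __name__ == "__main__":
    for domain, (severity, reason) in sorted(audit(BASELINE, OBSERVED).items()):
        print(f"{severity:6} {domain}: {reason}")
```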

18 Registrar Security Posture
We've come a long way
We've still got a long way to go…
Attacks now being directed against registrars and DNS infrastructure providers
Mindset change about the Internet

19 Protecting Critical Infrastructure
DNS control is fundamental – recent attacks have proven this repeatedly
Areas to address for best practices/policy/self-regulation
– Protecting access and control systems
– Preventing criminal exploitation of systems
– Monitoring for attacks and exploit attempts
– Incident response
– Assist with industry and LE efforts

20 Summary
APWG continues to drive initiatives to improve Internet security and trust
– Engaging ICANN community to develop collaborative solutions
Criminals continue to exploit weak links
– Sophisticated use of DNS for attacks
– Direct attacks against registrars and infrastructure providers
Change in attitude on DNS security underway?

21 For More Information
Studies and Registrars Best Practices document posted at: http://www.awpg.org/
Rod Rasmussen, Internet Identity
rod.rasmussen internetidentity.com
+1 253 590 4100

22 APWG Update for ICANN Cross Constituency Meeting Rod Rasmussen Co-Chair APWG Internet Policy Committee President & CTO June 23, 2009

