Anti-Phishing Working Group www.antiphishing.org Internet Policy Committee Update, and Latest Phishing Trends Public Interest Registry Advisory Council.


Anti-Phishing Working Group
Internet Policy Committee Update, and Latest Phishing Trends
Public Interest Registry Advisory Council, March 7, 2008
Presented by Mike Rodenbaugh

Agenda
Developments in phishing/malware threats
– Multi-level attacks
– Fast-flux tactics
– Phone phishing (aka vishing, to some)
Ongoing concerns
– Registrar accreditation and responsiveness
Update on continuing APWG policy initiatives
– Registry Domain Suspension Plan
– ICANN
Topical items
Discussion

APWG Internet Policy Committee (IPC)
Approximately 50 members
Participants include registries, registrars, CERTs, solution providers, ISPs, researchers, financial institutions, ICANN wonks, etc.
Goal: Ensure that anti-phishing concerns are represented during the creation or modification of Internet policies

APWG Collaboration with the ICANN Community
APWG presenting phishing issues at ICANN meetings
– APWG has presented at ICANN meetings since 2005
– Collaborating with SSAC on security/stability issues: fast-flux DNS, phishing attacks against registrars
– Work at constituency level on best practices and policy issues: Registrar, Registry, ccNSO, Whois working group, .Asia suspension initiative
ICANN staff and constituencies working with APWG
– Presenting at APWG meetings since 2006
– Several registrars and registries have joined as members

Phishing sites continue to proliferate
Phishers' methodologies are changing, which affects the reported site data; drivers:
– The success of browser blocking in IE and Firefox
– RockPhish and fast-flux attacks
Report handling is catching up with these changes

Phishers Casting a Wider Net
Many smaller banking institutions, and non-financial institutions, are being targeted, usually with a serious lack of resources to fight the problem
More sophisticated attacks are being employed against first-time targets

Phishing is a Global Problem
Top countries for hosting phish sites in November 2007:
– China and the US in a dead heat; China slightly more phish
– India rose significantly

Latest Phishing Trends
Domain name phishing
– Fast-flux: not just for the big boys
– IDNs (Internationalized Domain Names)
Phone phishing
Large-scale spear phishing
– Ties to malware attacks
– Targeting of companies for customer intel
Registrars facilitating the problem

Fast-Flux for Phishing Increasing
More players?
– Commercial systems from bot herders?
– More kits seen on flux and fraud DNS networks
– High volume of lures for fast-flux incidents; personalized and tracking
More targets
– Attacks against traditional targets continue relentlessly
– "Little guys" hit hard with fast-flux on their first-ever phish: overwhelms infrastructure and personnel; losses occur quickly, with major cash-outs in a short amount of time
More sophistication!
– Routine blocking of monitoring efforts
– Better DNS set-ups (self-defined, and use of ccTLD nameservers)
– Finding and using the worst registrars, so that mitigation is left to them
– Exploiting cash-outs via "holes" in overseas ATM verification systems
CrimeDNS = high-availability "fraud" DNS systems for hire
SSAC Report (SAC 025); GNSO Issues Report forthcoming

Detecting, Killing, Preventing
DNS is the key!
Advice for hunters/registrars/registries
Scrutinize nameservers; limit changes?
– New nameservers on unusual domains/TLDs
– DNS servers located on consumer netblocks
– Multiple changes to nameserver IPs (double fast-flux)
Examine new domains' A records in DNS
– Rapid changes
– Located on consumer netblocks
– Move daily from one address to another, around the globe
– Multiple static entries, worldwide
– Can compare against known bad actors
– Wildcard: all hosts resolve
The 3 P's (policies, procedures, people) in place for quick kills
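
The indicators on this slide (rapid RRset churn, short TTLs, addresses scattered across netblocks and consumer space, wildcard resolution) are easy to turn into a score once you have repeated resolutions of a hostname. The script below is an added example, not APWG or SSAC code; the observations, the "consumer" netblocks (RFC 5737 documentation ranges standing in for real ISP prefixes) and the thresholds are all constructed for illustration.

```python
"""Score repeated DNS observations of one hostname for fast-flux indicators.

Added example, not APWG or SSAC code. A hunter's resolver loop would collect
the snapshots; here they are constructed inline. The 'consumer' netblocks and
the scoring thresholds are assumptions to tune against real data.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical consumer/DHCP netblocks (RFC 5737 documentation ranges stand in
# for real cable/DSL prefixes, which you would take from WHOIS or ASN data).
CONSUMER_NETBLOCKS = [ipaddress.ip_network(n) for n in
                      ("203.0.113.0/24", "198.51.100.0/24")]


@dataclass(frozen=True)
class Snapshot:
    ts: int             # seconds since epoch when the A RRset was observed
    ttl: int            # TTL returned with the RRset
    ips: frozenset      # A record addresses in the RRset


def in_consumer_space(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSUMER_NETBLOCKS)


def flux_indicators(snaps, wildcard_resolves=False):
    """Summarise the slide's indicators: churn, low TTL, spread, consumer space, wildcard."""
    snaps = sorted(snaps, key=lambda s: s.ts)
    all_ips = set().union(*(s.ips for s in snaps))
    # number of times the RRset changed between consecutive observations
    changes = sum(1 for a, b in zip(snaps, snaps[1:]) if a.ips != b.ips)
    span_hours = max((snaps[-1].ts - snaps[0].ts) / 3600, 1e-9)
    # distinct /16s as a cheap proxy for addresses scattered around the globe
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    consumer = sum(in_consumer_space(ip) for ip in all_ips) / len(all_ips)
    return {
        "distinct_ips": len(all_ips),
        "changes_per_hour": changes / span_hours,
        "min_ttl": min(s.ttl for s in snaps),
        "distinct_slash16": len(slash16),
        "consumer_fraction": consumer,
        "wildcard": wildcard_resolves,
    }


def flux_score(ind):
    """0..6, one point per indicator tripped; thresholds are assumptions."""
    return int(
        (ind["distinct_ips"] >= 5)
        + (ind["changes_per_hour"] >= 1)
        + (ind["min_ttl"] <= 300)
        + (ind["distinct_slash16"] >= 3)
        + (ind["consumer_fraction"] >= 0.5)
        + bool(ind["wildcard"])
    )


# Constructed observations: a fluxing phish host polled every 10 minutes ...
FLUX = [
    Snapshot(0,    180, frozenset({"203.0.113.10", "198.51.100.20", "203.0.113.44"})),
    Snapshot(600,  180, frozenset({"198.51.100.20", "203.0.113.90", "192.0.2.5"})),
    Snapshot(1200, 180, frozenset({"192.0.2.5", "203.0.113.12", "198.51.100.7"})),
    Snapshot(1800, 180, frozenset({"203.0.113.12", "198.51.100.7", "192.0.2.77"})),
]
# ... versus a legitimately hosted site with one stable address and a long TTL.
STATIC = [Snapshot(t, 3600, frozenset({"192.0.2.80"})) for t in (0, 600, 1200, 1800)]

if __name__ == "__main__":
    for name, snaps, wc in (("flux", FLUX, True), ("static", STATIC, False)):
        ind = flux_indicators(snaps, wildcard_resolves=wc)
        print(name, flux_score(ind), ind)
```

The wildcard indicator is passed in rather than derived because it needs a separate query for a random label under the domain; the "known bad actors" comparison from the slide would be a lookup of `all_ips` and the nameserver set against your own blocklist, which the example leaves out.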

SSAC Report: possible mitigation steps
– Authenticate contacts before permitting changes to name server configurations.
– Implement measures to prevent automated (scripted) changes to name server configurations.
– Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double-flux element of fast-flux hosting.
– Implement or expand abuse monitoring systems to report excessive DNS configuration changes.
– Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast-flux hosting.
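
On the registrar side, the first four SSAC steps reduce to a gate in front of the name server change path: an authenticated contact, an interactive step that scripted churn cannot satisfy, a TTL floor, and a per-domain rate limit whose violations are handed to the abuse desk. The class below is an added example, not a real registrar's code or SAC 025 text; the limits, the contact model and the report format are assumptions.

```python
"""Registrar-side guard for name server configuration changes.

Added example, not a registrar's or SSAC's code. Enforces: authenticated
contact, interactive re-authentication (defeats scripted changes), a TTL floor,
and a per-domain change rate limit that reports bursts to abuse monitoring.
The limits, roles and report format are assumptions for illustration.
"""
from collections import defaultdict, deque

MIN_TTL = 1800          # 30-minute floor, the SSAC report's example value
MAX_CHANGES = 3         # assumed: at most 3 accepted NS changes per domain ...
WINDOW_SECONDS = 86400  # ... in any rolling 24-hour window


class NameServerChangeGuard:
    def __init__(self, authenticated_contacts):
        # assumed shape: {domain: {contact_id, ...}} listing contacts that have
        # completed the registrar's out-of-band verification for that domain
        self._contacts = authenticated_contacts
        self._history = defaultdict(deque)  # domain -> timestamps of accepted changes
        self.abuse_reports = []             # what abuse monitoring would escalate

    def _prune(self, domain, now):
        q = self._history[domain]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def request_change(self, domain, contact_id, new_ns, ttl, now,
                       session_authenticated=False):
        """Return (accepted, reason). Order of checks is cheapest-first."""
        if contact_id not in self._contacts.get(domain, set()):
            return False, "contact not authenticated for this domain"
        if not session_authenticated:
            # a fresh interactive step (one-time code, re-login) per change
            # request is what stops scripted EPP/API churn
            return False, "interactive re-authentication required"
        if ttl < MIN_TTL:
            return False, f"ttl {ttl} below floor {MIN_TTL}"
        self._prune(domain, now)
        if len(self._history[domain]) >= MAX_CHANGES:
            self.abuse_reports.append({
                "domain": domain, "contact": contact_id,
                "at": now, "requested_ns": sorted(new_ns),
            })
            return False, "change rate exceeded; reported to abuse desk"
        self._history[domain].append(now)
        return True, "accepted"


if __name__ == "__main__":
    guard = NameServerChangeGuard({"example.com": {"contact-1"}})
    ns = {"ns1.example.net", "ns2.example.net"}
    for hour in range(5):
        print(hour, guard.request_change("example.com", "contact-1", ns, 3600,
                                         now=hour * 3600, session_authenticated=True))
    print(guard.abuse_reports)
```

Note that the rate limit counts accepted changes only; refused attempts are visible in `abuse_reports`, and a registrar would also want to log the refused TTL and authentication failures, since a burst of those is itself a signal.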

Large-Scale Use of IDNs in Phish
ROCK leading the way in the past few months
– Several IDN domains mixed in with regular ROCK domains daily
– Primarily on .HK with mixed scripts (Chinese, Roman)
Pattern: xn--randomlookingstuff-realstuff.tld (in a punycode A-label the ASCII characters precede the final hyphen and the encoded non-ASCII characters follow it)
– xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk
– Three Chinese characters which translate to the pronoun "our" are placed before the "askl44"
Lots of implications, especially in the ccTLD space
– Can we all follow the non-mixed-script recommendation?
– Automate systems to flag suspicious registrations? Is that easily done technically? Policy development?
– Most aren't even doing it for ASCII-based registrations!
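
Flagging a mixed-script registration is technically easy: decode the A-label with the RFC 3492 punycode codec and classify each character's script. The script below is an added example, not an APWG tool; its script table keyed on Unicode character names is a deliberate simplification (a production check would use Unicode's Scripts.txt and the UTS #39 confusables data), and the allowed combinations are the Japanese/Chinese/Korean mixes that UTS #39 permits. It also flags a Cyrillic/Latin homograph, which goes beyond the slide's Chinese/Latin case.

```python
"""Flag IDN labels that mix scripts.

Added example, not an APWG tool. Decodes xn-- labels with the punycode codec
(RFC 3492), then classifies characters by the leading word of their Unicode
character name. The script table and the allowed mixes are assumptions chosen
for illustration; use Unicode Scripts.txt and UTS #39 data in production.
"""
import unicodedata

# Assumed mapping from the first word of a Unicode name to a script.
SCRIPT_BY_NAME_PREFIX = {
    "LATIN": "Latin", "CYRILLIC": "Cyrillic", "GREEK": "Greek",
    "CJK": "Han",                     # "CJK UNIFIED IDEOGRAPH-6211" etc.
    "HIRAGANA": "Hiragana", "KATAKANA": "Katakana", "HANGUL": "Hangul",
    "BOPOMOFO": "Bopomofo", "ARABIC": "Arabic", "HEBREW": "Hebrew",
    "DEVANAGARI": "Devanagari",
}

# Mixes that are normal for one language (UTS #39 "Highly Restrictive" level).
ALLOWED_MIXES = (
    {"Han", "Hiragana", "Katakana"},  # Japanese
    {"Han", "Bopomofo"},              # Chinese
    {"Han", "Hangul"},                # Korean
)


def script_of(ch):
    """Script name, or None for digits, hyphen and other script-neutral characters."""
    name = unicodedata.name(ch, "")
    return SCRIPT_BY_NAME_PREFIX.get(name.split(" ", 1)[0])


def to_unicode_label(label):
    """Decode one A-label (xn--...); other labels are returned unchanged."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def label_scripts(u_label):
    return {s for s in (script_of(ch) for ch in u_label) if s}


def is_suspicious_mix(scripts):
    return len(scripts) > 1 and not any(scripts <= allowed for allowed in ALLOWED_MIXES)


def flag_mixed_script(domain):
    """Return [(a_label, u_label, scripts)] for every label with a suspicious script mix."""
    findings = []
    for label in domain.split("."):
        u_label = to_unicode_label(label)
        scripts = label_scripts(u_label)
        if is_suspicious_mix(scripts):
            findings.append((label, u_label, scripts))
    return findings


if __name__ == "__main__":
    for d in ("xn--askl44-2n0jx24jgq2b.hk",  # the slide's ROCK example
              "xn--pple-43d.com",            # Cyrillic 'а' + Latin "pple"
              "東京タワー.jp",                  # Han + Katakana: legitimate Japanese
              "example.com"):
        print(d, flag_mixed_script(d))
```

The decoder confirms the slide's reading: the basic characters `askl44` are copied first and the three CJK characters 我們的 are inserted in front of them, so the label is 我們的askl44 with scripts {Han, Latin}. The check runs per label, so a Chinese registrant's all-Han label under a Latin-script TLD is not flagged.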

Phone Phishing Has Arrived
The last 3 months have seen a rapid rise in phone phishing (often misnamed "vishing" by the press etc.)
– VoIP usually not being used
Multiple techniques
– Email → phone number
– Phone call → website
Often targeting the "little guys"
– Small credit unions and local banks
– Local phone numbers used, local people targeted
They are getting good intel and target lists somewhere

Malware Proliferation
Change in emphasis: now crimeware
Organized crime with specialists creating sophisticated attacks
– Open up computers to become zombies
– Install keyloggers and scan for usernames/passwords
– Capture and use address books
  – Direct targets for sophisticated social engineering
  – Going after "whales": people with high-value assets

Phishing Social Networks
MySpace example
– 2006: zero phish
– More than 2,000 since then
– Currently over 5 per day
Capturing login credentials and associations to other people/affinities/companies
– Used for spamming/spear phishing
– Logins can be re-used by many for other services: people are generally poor with password practices

Targeting of Businesses for Data
Major phishing and malware groups are now targeting companies with vast stores of sensitive information
– Attacks are looking for database access credentials
– NOT targeting financial institutions
– Particularly looking for executive staff data and HR access
Growing phishing activity over the past 9 months
– Business data: LexisNexis, Salesforce.com
– Employment data (HR accounts): Monster.com, CareerBuilder.com
– Credit bureaus (business access): Equifax
A wide swath of major financials also targeted directly
– Malware and/or phish targeted to executives
– Disguised as important agencies (IRS, FTC, BBB, EEOC)
– Leading directly to data breaches
Attacks often use fast-flux and/or sophisticated DNS

Stolen Login Credentials Used
Criminals run reports and get info on customers
– Email addresses for spam targeting
– Net worth/value of the customer
– Latest transactions/communications
Implications (for registrars/registries)
– Assume employees are compromised
– Institute better access controls (multi-factor, IP tracing/blocking, etc.)
– Monitor report generation and domain changes for unusual activity

Mass-Market Spear Phishing
Large-scale phishing with stolen customer data
– Known-good addresses
– Established relationship with the breached company
– Social engineering mechanisms easy to create
– Return address will be whitelisted by many victims
Personalization = high success rate
– Depending on the data stolen, highly personalized lures
– Name, correct account number, latest transaction
– Expected communications can be timed and spoofed

Phishing
We're entering a new phase with these targeted attacks
More, not less, in losses
What do we need?
– Better/faster intervention
– Better access controls in place for a wider variety of data
– Education beyond "don't click on this", and email and web authentication and reputation actually USED
– Better control over the DNS infrastructure
– Fewer security holes in software!
– Basically everything we've been talking about for over four years now
#1: Change in mindset. Assume users are compromised; build and run systems accordingly.

Registrar Risks
There are several risky registrars with access to the TLD registry zones
– Hiding identities/locations
– No or SLOW response to abuse issues
– "Registrar in a box": no one is actually there
Handing out access to criminals posing as "resellers"
– No rules or requirements from ICANN on reseller accreditation
– Shields the financial transaction from the registration process
No accountability

Example: Blog.com
Nice website with a great domain name
No one is home!
– Registrar in a box
– US "presence" is a corporate filing in Delaware
– Actual site and "owners" in Portugal
Never answers abuse requests (phone, etc.)
Fully automated set-up, no humans needed
– Actual service provided by Directi (India)
– Will suspend abuse domains eventually
The latest favorite registrar for ROCK

Who's in Charge of Risky Registrars?
ICANN compliance almost powerless
– Often doesn't even have accurate contact data
– What is the review process? Insurance checked? Spot checks on required support?
– Mixed messages on their mission
Registries cannot suspend bad actors
– Must provide access to ICANN-accredited registrars
– Still reluctant to take action/responsibility (some changes)
If no one takes responsibility
– Some regulator will
– Things will break, badly

Initiatives of the APWG Internet Policy Committee
– Accelerated domain suspension by registries
– Influence ICANN WHOIS issues
– Registrar best practices
– "What to do if your site has been hacked"
– Phish site "landing page" to educate victims
– Collaborate with ICANN constituencies & SSAC
– Large-scale data study of 2007 phishing

Process Flow: Registry Suspension of Phish Domains

Accelerated Domain Suspension Plan for Registries: Update
Near final for .ASIA (Afilias back-end)
– Most logistics worked out after long consultation
Several other ccTLD registries interested
Still TBD
– Accreditation agency
– Accredited intervenor list
– Timeframe for registry suspension of DNS for an eligible domain
– Fast arbitration process for disputes
– Penalties for erroneous requests

WHOIS Issues: APWG View
Access to WHOIS is needed by
– Law enforcement
– Brand owners
– Third-party shutdown providers
The use of WHOIS in phish site remediation: future studies; the IPC will participate in ICANN's framing of the studies
Privacy "services" and "proxies" are a major concern: they make criminal site suspension much more difficult and time-consuming, especially for hacked sites using otherwise legitimate domain names.

Registrar Best Practices
Goal: Provide recommendations to registrars to help them assist the anti-phishing community and make the Internet safer for all of us
Focus:
– Limit NS and IP changes to mitigate "fast flux" crime
– Evidence preservation (help LE catch the criminals): what is useful? How to preserve it? Whom to provide it to?
– Registrant screening tips to identify fraud proactively
– Phishing domain takedown assistance
– Provide resources to help identify malicious activities
Final draft in review by registrars

"What to do if your website has been hacked by phishers"
Intended to be a quick reference guide
Supported by resources on the APWG website
Includes feedback from the wider APWG group
Nearly complete! Final feedback process underway.
If you only do two things...
– Ensure your software, hosting and DNS applications are all up to date with the most recent patches
– Use hard-to-guess passwords

Phishing Site Landing Page
A website to redirect to from removed phishing sites
EDUCATE people who fell for phishing lures
Logistics in process
– Hosted by APWG or by the ISP that hosted the phishing site
– Could we do this via registry/registrar?
– Translated into multiple languages
Concerns
– Attacks (DDoS, defacement, dropping malware)
– Potential use for evidence gathering: how?

Prototype

2007 Phishing Data Study
Goal: Create an in-depth paper on phishing through 2007 that provides useful trends and commonalities to help investigation and provoke action by stakeholders
Special focus on the domain name system
Data sets being collected from many sources
Volunteers needed!
– Data, data, data!
– Analysis and collaborators for the study

Next APWG Meeting
Tokyo, Japan, May 26-27, 2008
We invite you to participate!

APWG Contacts
Website:
Phish Site Reporting:
Membership:
IPC Chair's Discussion

Anti-Phishing Working Group IPC Initiative Update and Latest Phishing Trends Presented by Mike Rodenbaugh