Presentation Transcript


  1. Anti-Phishing Working Group www.antiphishing.org Internet Policy Committee Update, and Latest Phishing Trends Public Interest Registry Advisory Council March 7, 2008 Presented by Mike Rodenbaugh

  2. Agenda • Developments in Phishing/Malware Threats • Multi-level attacks • Fast-flux tactics • Phone phishing (aka vishing, to some) • Ongoing concerns • Registrar accreditation and responsiveness • Update on continuing APWG Policy initiatives • Registry Domain Suspension Plan • ICANN Topical items • Discussion

  3. APWG Internet Policy Committee (IPC) • Approximately 50 members • Participants include registries, registrars, CERTs, solution providers, ISPs, researchers, financial institutions, ICANN wonks, etc. • Goal: Ensure that anti-phishing concerns are represented during the creation or modification of Internet policies

  4. APWG Collaboration with ICANN Community • APWG Presenting Phishing Issues at ICANN Meetings • APWG presented at ICANN meetings since 2005 • Collaborating with SSAC on security/stability issues • Fast Flux DNS • Phishing attacks against registrars • Work at constituency level on best practices and policy issues • Registrar, Registry, ccNSO • Whois working group • .Asia suspension initiative • ICANN staff and constituencies working with APWG • Presenting at APWG meetings since 2006 • Several registrars and registries have joined as members

  5. Phishing sites continue to proliferate • Methodologies of phishers changing - affecting reported site data - driven by: • The success of browser blocking in IE and Firefox • RockPhish and fast-flux attacks • Reports handling catching up with these changes

  6. Phishers Casting a Wider Net • Many smaller banking institutions, and non-financial institutions, being targeted -- usually with a serious lack of resources to fight the problem • More sophisticated attacks being employed against first-time targets

  7. Phishing is a Global Problem • Top countries for hosting phish sites in November 2007 • China and US in dead heat – China slightly more phish • India rose significantly

  8. Latest Phishing Trends • Domain Name Phishing • Fast-Flux - not just for the big boys • IDNs (Internationalized Domain Names) • Phone Phishing • Large-Scale Spear Phishing • Ties to malware attacks • Targeting of companies for customer intel • Registrars facilitating the problem

  9. Fast-Flux for Phishing Increasing • More Players? • Commercial systems from bot herders? • More kits seen on flux and fraud DNS networks • High volume of lures for fast-flux incidents – personalized & tracking • More Targets • Attacks against traditional targets continue relentlessly • “Little Guys” hit hard with fast-flux on first ever phish • Overwhelming infrastructure and personnel • Losses occurring quickly – major cash-outs in short amount of time • More Sophistication! • Routine blocking of monitoring efforts • Better DNS set-ups (self-defined, and use of ccTLD nameservers) • Finding and using the worst registrars to handle mitigation • Exploiting cash-outs via “holes” in overseas ATM verification systems • CrimeDNS = High availability “fraud” DNS systems for hire • SSAC Report (SAC 025); GNSO Issues Report forthcoming

  10. Detecting, Killing, Preventing DNS is the key! Advice for hunters/registrars/registries • Scrutinize nameservers; limit changes? • New nameservers on unusual domains/TLDs • DNS servers located on consumer netblocks • Multiple changes to nameserver IPs (double FastFlux) • Examine new domain A Records in DNS • Rapid changes • Located on consumer netblocks • Move daily from one to another - around the globe • Multiple static entries - worldwide • Can compare to known bad actors • Wildcard - all hosts resolve • The 3 P’s - Policies, procedures, people - in place for quick kills

  11. SSAC Report: possible mitigation steps • Authenticate contacts before permitting changes to name server configurations. • Implement measures to prevent automated (scripted) changes to name server configurations. • Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting. • Implement or expand abuse monitoring systems to report excessive DNS configuration changes. • Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.
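The DNS signals from slides 10 and 11 (rapidly changing A records spread across many addresses, nameserver IPs that change too, TTLs below a 30-minute floor) as an added detection example that is not part of the APWG deck; the observation log is constructed with documentation-range addresses, and the thresholds are assumptions a hunter would tune.

```python
from collections import defaultdict

# Constructed observations: (minutes since start, domain, A records, NS IPs, TTL seconds)
OBSERVATIONS = [
    (0,  "phish.example", {"198.51.100.7", "203.0.113.9"},   {"192.0.2.1"},  300),
    (10, "phish.example", {"198.51.100.23", "203.0.113.40"}, {"192.0.2.1"},  300),
    (20, "phish.example", {"198.51.100.77", "203.0.113.8"},  {"192.0.2.55"}, 300),
    (30, "phish.example", {"203.0.113.120", "198.51.100.9"}, {"192.0.2.1"},  300),
    (0,  "bank.example",  {"192.0.2.10"}, {"192.0.2.2"}, 3600),
    (10, "bank.example",  {"192.0.2.10"}, {"192.0.2.2"}, 3600),
    (20, "bank.example",  {"192.0.2.10"}, {"192.0.2.2"}, 3600),
    (30, "bank.example",  {"192.0.2.10"}, {"192.0.2.2"}, 3600),
]

MIN_TTL = 1800  # the roughly 30-minute floor SAC 025 suggests to blunt double flux


def assess(observations, min_ttl=MIN_TTL, ip_threshold=4, change_ratio=0.5):
    """Per-domain fast-flux indicators; thresholds are assumed, not from the deck."""
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs[1]].append(obs)
    results = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        a_sets = [r[2] for r in rows]
        ns_sets = [r[3] for r in rows]
        distinct_a = set().union(*a_sets)
        # Count how often the answer set differs between consecutive lookups
        a_changes = sum(1 for p, c in zip(a_sets, a_sets[1:]) if p != c)
        ns_changes = sum(1 for p, c in zip(ns_sets, ns_sets[1:]) if p != c)
        transitions = max(len(rows) - 1, 1)
        min_seen_ttl = min(r[4] for r in rows)
        fast_flux = (len(distinct_a) >= ip_threshold
                     and a_changes / transitions >= change_ratio)
        results[domain] = {
            "distinct_a": len(distinct_a),
            "a_change_rate": a_changes / transitions,
            "ns_change_count": ns_changes,
            "min_ttl": min_seen_ttl,
            "fast_flux": fast_flux,
            # Double flux: the nameservers move as well as the A records
            "double_flux": fast_flux and ns_changes > 0,
            "ttl_below_floor": min_seen_ttl < min_ttl,
        }
    return results
```

A real hunter would add the netblock checks from slide 10 (consumer ranges, unusual TLDs for the nameservers), which this block omits for lack of a reference list.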

  12. Large-scale use of IDNs in Phish • ROCK leading the way in past few months • Several IDN domains mixed in with regular ROCK domains daily • Primarily on .HK with mixed scripts (Chinese, Roman) • xn--randomlookingstuff-realstuff.tld • xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk • Three Chinese characters which translate to the pronoun "our" are placed before the "askl44" • Lots of implications - especially in the ccTLD space • Can we all follow the non-mixed script recommendation? • Automate systems to flag suspicious registrations? • Is that easily done technically? • Policy development? • Most aren’t even doing it for ASCII-based systems!
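One answer to the slide's question "is that easily done technically?", as an added example that is not part of the deck: decode the A-label quoted above and flag labels that mix scripts. The script classification here is a rough approximation taken from the first word of each character's Unicode name, not a full UTS 39 check; the second and third sample labels are constructed.

```python
import unicodedata

# First label is the .HK example from the slide; the other two are constructed.
SAMPLE_LABELS = [
    "xn--askl44-2n0jx24jgq2b",  # 我們的askl44: CJK and Latin in one label
    "xn--fiqs8s",               # 中国: a single script
    "paypal",                   # plain ASCII, not an IDN
]

# Characters that belong to no particular script and should not count as "mixing"
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}


def decode_idn_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label; non-IDN labels pass through."""
    if not label.lower().startswith("xn--"):
        return label
    return label[4:].encode("ascii").decode("punycode")


def scripts_in(label: str) -> set:
    """Approximate script set: first word of each character's Unicode name."""
    found = set()
    for ch in label:
        word = unicodedata.name(ch, "UNKNOWN").split()[0]
        if word not in NEUTRAL:
            found.add(word)
    return found


def is_mixed_script(a_label: str) -> bool:
    """True when a registration label mixes two or more scripts."""
    return len(scripts_in(decode_idn_label(a_label))) > 1


def flag_registrations(labels):
    """Map each submitted label to a mixed-script flag for review."""
    return {lab: is_mixed_script(lab) for lab in labels}
```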

  13. Phone Phishing Has Arrived • Last 3 months have seen a rapid rise in phone phishing (often mis-named vishing by press etc.) • VOIP usually not being used • Multiple techniques • E-mail → phone number • Phone call → website • Often targeting “little” guys • Small credit unions and local banks • Local phone numbers used, local people targeted • Getting good intel and target lists somewhere

  14. Malware proliferation • Change in emphasis - now Crimeware • Organized crime with specialists creating sophisticated attacks • Open up computers to become zombies • Install keyloggers and scan for user/pass • Capturing and using address books • Direct targets for sophisticated social engineering • Going after “whales” - people with high-value assets

  15. Phishing Social Networks • MySpace example • 2006 - Zero phish • More than 2,000 since then • Currently over 5 per day • Capturing login credentials and associations to other people/affinities/companies • Use for spamming/spear phishing • Logins can be re-used by many for other services • People are generally poor with password practices

  16. Targeting of Businesses for Data • Major phishing and malware groups are now targeting companies with vast stores of sensitive information • Attacks are looking for database access credentials • NOT targeting financial institutions • Particularly looking for executive staff data and HR access • Growing phishing activity over past 9 months • Business data: Lexis/Nexis, Salesforce.com • Employment data (HR acct): Monster.com, CareerBuilder.com • Credit Bureaus (business access): Equifax • Wide swath of major financials also targeted directly • Malware and/or phish targeted to executives • Disguised as important agencies (IRS, FTC, BBB, EEOC) • Leading directly to data breaches • Attacks often use fast-flux and/or sophisticated DNS

  17. Stolen Login Credentials Used • Criminals run reports and get info on customers • E-mail addresses for spam targeting • Net-worth/value of the customer • Latest transactions/communications • Implications (for registrars/registries) • Assume employees are compromised • Institute better access controls (multi-factor, IP tracing/blocking, etc) • Monitor report generation and domain changes for unusual activity

  18. Mass-Market Spear Phishing • Large-scale phishing with stolen customer data • Known good addresses • Established relationship with breached company • Social engineering mechanisms easy to create • Return address will be white-listed by many victims • Personalization = high success rate • Depending on data stolen, highly personalized lures • Name, correct account #, latest transaction • Expected communications can be timed and spoofed

  19. Phishing 2.0.08 • We’re entering a new phase with these targeted attacks • More, not less in losses • What do we need? • Better/faster intervention • Better access controls in place for a wider variety of data • Education beyond “don’t click on this” • E-mail and web authentication and reputation actually USED • Better control over the DNS infrastructure • Fewer security holes in software! • Basically everything we’ve been talking about for over four years now. #1 - Change in mindset – assume users are compromised - build and run systems accordingly

  20. Registrar Risks • There are several risky registrars with access to the TLD registry zones • Hiding identities/locations • No or SLOW response to abuse issues • Registrar in-a-box – no one is actually there • Handing out access to criminals posing as “resellers” • No rules or requirements from ICANN on reseller accreditation • Shields financial transaction from registration process • No accountability

  21. Example: Blog.com • Nice website with a great domain name • No one is home! • Registrar in-a-box • US “presence” is a corporate filing in Delaware • Actual site and “owners” in Portugal • Never answer abuse requests (phone, email etc.) • Fully-automated set-up, no humans needed • Actual service provided by Directi (India) • Will suspend abuse domains eventually • The latest favorite registrar for ROCK

  22. Who’s in charge of Risky Registrars? • ICANN compliance almost powerless • Often don’t even have accurate contact data • What is review process? • Insurance checked? • Spot checks on required support? • Mixed messages on their mission • Registries cannot suspend bad actors • Must provide access to ICANN accredited registrars • Still reluctant to take action/responsibility (some changes) • If no one takes responsibility • Some regulator will • Things will break - badly

  23. Initiatives of the APWG Internet Policy Committee • Accelerated Domain Suspension by Registries • Influence ICANN WHOIS issues • Registrar Best Practices • “What to do if your site has been hacked” • Phish Site “Landing page” to educate victims • Collaborate with ICANN constituencies & SSAC • Large-scale data study for 2007 phishing

  24. Process Flow: Registry Suspension of Phish Domains

  25. Accelerated Domain Suspension Plan for Registries: Update • Near final for .ASIA (Afilias back-end) • Most logistics worked out after long consultation • Several other ccTLD registries interested • Still TBD • Accreditation agency • Accredited Intervenor list • Timeframe of registry suspension of DNS to eligible domain • Fast arbitration process for disputes • Penalties for erroneous requests

  26. WHOIS Issues: APWG view • Access needed to WHOIS by • Law enforcement • Brand owners • Third party shutdown providers • The use of WHOIS in phish site remediation: http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf • Future studies – IPC will participate in ICANN framing of studies • Privacy “services” and “proxies” a major concern – they make criminal site suspension much more difficult and time-consuming, especially for hacked sites using otherwise legitimate domain names.

  27. Registrar Best Practices • Goal: Provide recommendations to registrars to help them assist the anti-phishing community and make the Internet safer for all of us • Focus: • Limit NS and IP changes to mitigate ‘fast flux’ crime • Evidence preservation (help LE catch the criminals) • What is useful? How to preserve? Who to provide to? • Registrant screening tips to identify fraud proactively • Phishing domain takedown assistance • Provide resources to help identify malicious activities • Final draft in review by registrars

  28. “What to do if your website has been hacked by phishers” • Intended to be a quick reference guide • Supported by resources on the APWG website • Includes feedback from the wider APWG group • Nearly complete! Final feedback process underway. • If you only do two things… • Ensure your software, hosting and DNS applications are all up to date with the most recent patches • Use hard-to-guess passwords

  29. Phishing Site Landing Page • Website to redirect from removed phishing sites • EDUCATE people who fell for phishing lures • Logistics in process • Hosted by APWG or ISP that hosted phishing site • Could we do this via Registry/Registrar? • Translated to multiple languages • Concerns • Attacks (DDOS, Defacement, Drop Malware) • Potential use for evidence gathering - how? http://www.antiphishing.org/warning/index.html

  30. Prototype

  31. 2007 Phishing Data Study • Goal: Create an in-depth paper on phishing through 2007 that provides useful trends and commonalities to help investigation and provoke action by stakeholders • Special focus on domain name system • Data sets being collected from many sources • Volunteers needed! • Data, data, data! • Analysis and collaborators for the study

  32. Next APWG Meeting Tokyo, Japan May 26-27, 2008 We invite you to participate!

  33. APWG Contacts • Website: http://www.antiphishing.org • Phish Site Reporting: reportphishing@antiphishing.org • Membership: membership@antiphishing.org • IPC Chair’s e-mail: • rod.rasmussen@internetidentity.com Discussion

  34. Anti-Phishing Working Group www.antiphishing.org IPC Initiative Update and Latest Phishing Trends Presented by Mike Rodenbaugh mike@rodenbaugh.com
