340 likes | 564 Views
Anti-Phishing Working Group www.antiphishing.org. Internet Policy Committee Update, and Latest Phishing Trends Public Interest Registry Advisory Council March 7, 2008 Presented by Mike Rodenbaugh. Agenda. Developments in Phishing/Malware Threats Multi-level attacks Fast-flux tactics
E N D
Anti-Phishing Working Group www.antiphishing.org Internet Policy Committee Update, and Latest Phishing Trends Public Interest Registry Advisory Council March 7, 2008 Presented by Mike Rodenbaugh
Agenda • Developments in Phishing/Malware Threats • Multi-level attacks • Fast-flux tactics • Phone phishing (aka vishing, to some) • Ongoing concerns • Registrar accreditation and responsiveness • Update on continuing APWG Policy initiatives • Registry Domain Suspension Plan • ICANN Topical items • Discussion
APWG Internet Policy Committee (IPC) • Approximately 50 members • Participants include registries, registrars, CERTs, solution providers, ISPs, researchers, financial institutions, ICANN wonks, etc. • Goal: Ensure that anti-phishing concerns are represented during the creation or modification of Internet policies
APWG Collaboration with ICANN Community • APWG Presenting Phishing Issues at ICANN Meetings • APWG presented at ICANN meetings since 2005 • Collaborating with SSAC on security/stability issues • Fast Flux DNS • Phishing attacks against registrars • Work at constituency level on best practices and policy issues • Registrar, Registry, ccNSO • Whois working group • .Asia suspension initiative • ICANN staff and constituencies working with APWG • Presenting at APWG meetings since 2006 • Several registrars and registries have joined as members
Phishing sites continue to proliferate • Methodologies of phishers changing - affecting reported site data - driven by: • The success of browser blocking in IE and Firefox • RockPhish and fast-flux attacks • Reports handling catching up with these changes
Phishers Casting a Wider Net Many smaller banking institutions, and non-financial institutions, being targeted -- usually with a serious lack of resources to fight the problem More sophisticated attacks being employed against first time targets
Phishing is a Global Problem Top countries for hosting phish sites in November 2007 China and US in dead heat – China slightly more phish India rose significantly
Latest Phishing Trends • Domain Name Phishing • Fast-Flux - not just for the big boys • IDNs (Internationalized Domain Names) • Phone Phishing • Large-Scale Spear Phishing • Ties to malware attacks • Targeting of companies for customer intel • Registrars facilitating the problem
Fast-Flux for Phishing Increasing • More Players? • Commercial systems from bot herders? • More kits seen on flux and fraud DNS networks • High volume of lures for fast-flux incidents – personalized & tracking • More Targets • Attacks against traditional targets continue relentlessly • “Little Guys” hit hard with fast-flux on first ever phish • Overwhelming infrastructure and personnel • Losses occurring quickly – major cash-outs in short amount of time • More Sophistication! • Routine blocking of monitoring efforts • Better DNS set-ups (self-defined, and use of ccTLD nameservers) • Finding and using the worst registrars to handle mitigation • Exploiting cash-outs via “holes” in overseas ATM verification systems • CrimeDNS = High availability “fraud” DNS systems for hire • SSAC Report (SAC 025); GNSO Issues Report forthcoming
Detecting, Killing, Preventing DNS is the key! Advice for hunters/registrars/registries • Scrutinize nameservers; limit changes? • New nameservers on unusual domains/TLDs • DNS servers located on consumer netblocks • Multiple changes to nameserver IPs (double FastFlux) • Examine new domain A Records in DNS • Rapid changes • Located on consumer netblocks • Move daily from one to another - around the globe • Multiple static entries - worldwide • Can compare to known bad actors • Wildcard - all hosts resolve • The 3 P’s - Policies, procedures, people - in place for quick kills
SSAC Report: possible mitigation steps • Authenticate contacts before permitting changes to name server configurations. • Implement measures to prevent automated (scripted) changes to name server configurations. • Set a minimum allowed TTL (e.g., 30 minutes) that is long enough to thwart the double flux element of fast flux hosting. • Implement or expand abuse monitoring systems to report excessive DNS configuration changes. • Publish and enforce a Universal Terms of Service agreement that prohibits the use of a registered domain and hosting services (DNS, web, mail) to abet illegal or objectionable activities (as enumerated in the agreement) and include provisions for suspension of domain names that are demonstrated to be involved in fast flux hosting.
Large-scale use of IDNs in Phish • ROCK leading the way in past few months • Several IDN domains mixed in with regular ROCK domains daily • Primarily on .HK with mixed scripts (Chinese, Roman) • xn--randomlookingstuff-realstuff.tld • xn--askl44-2n0jx24jgq2b.hk = 我們的askl44.hk • Three Chinese characters which translate to the pronoun "our" are placed before the "askl44” • Lots of implications - especially in the ccTLD space • Can we all follow the non-mixed script recommendation? • Automate systems to flag suspicious registrations? • Is that easily done technically? • Policy development? • Most aren’t even doing it for ASCII based system!
Phone Phishing Has Arrived • Last 3 months have seen a rapid rise in phone phishing (often mis-named vishing by press etc.) • VOIP usually not being used • Multiple techniques • E-mail phone number • Phone call website • Often targeting “little” guys • Small credit unions and local banks • Local phone numbers used, local people targeted • Getting good intel and target lists somewhere
Malware proliferation Change in emphasis - now Crimeware Organized crime with specialists creating sophisticated attacks Open up computers to become zombies Install keyloggers and scan for user/pass Capturing and using address books Direct targets for sophisticated social engineering Going after “whales” - people with high-value assets
Phishing Social Networks MySpace example 2006- Zero phish More than 2,000 since then Currently over 5 per day Capturing login credentials and associations to other people/affinities/companies Use for spamming/spear phishing Logins can be re-used by many for other services People are generally poor with password practices
Targeting of Businesses for Data Major phishing and malware groups are now targeting companies with vast stores of sensitive information Attacks are looking for database access credentials NOT targeting financial institutions Particularly looking for executive staff data and HR access Growing phishing activity over past 9 months Business data: Lexis/Nexis, Salesforce.com Employment data (HR acct): Monster.com, CareerBuilder.com Credit Bureaus (business access): Equifax Wide swath of major financials also targeted directly Malware and/or phish targeted to executives Disguised as important agencies (IRS, FTC, BBB, EEOC) Leading directly to data breaches Attacks often use fast-flux and/or sophisticated DNS
Stolen Login Credentials Used • Criminals run reports and get info on customers • E-mail addresses for spam targeting • Net-worth/value of the customer • Latest transactions/communications • Implications (for registrars/registries) • Assume employees are compromised • Institute better access controls (multi-factor, IP tracing/blocking, etc) • Monitor report generation and domain changes for unusual activity
Mass-Market Spear Phishing Large-scale phishing with stolen customer data Known good addresses Established relationship with breached company Social engineering mechanisms easy to create Return address will be white-listed by many victims Personalization = high success rate Depending on data stolen, highly personalized lures Name, correct account #, latest transaction Expected communications can be timed and spoofed
Phishing 2.0.08 • We’re entering a new phase with these targeted attacks • More, not less in losses • What do we need? • Better/faster intervention • Better access controls in place for a wider variety of data • Education beyond “don’t click on this” • E-mail and web authentication and reputation actually USED • Better control over the DNS infrastructure • Fewer security holes in software! • Basically everything we’ve been talking about for over four years now. #1 - Change in mindset – assume users are compromised - build and run systems accordingly
Registrar Risks • There are several risky registrars with access to the TLD registry zones • Hiding identities/locations • No or SLOW response to abuse issues • Registrar in-a-box – no one is actually there • Handing out access to criminals posing as “resellers” • No rules or requirements from ICANN on reseller accreditation • Shields financial transaction from registration process • No accountability
Example: Blog.com • Nice website with a great domain name • No one is home! • Registrar in-a-box • US “presence” is a corporate filing in Delaware • Actual site and “owners” in Portugal • Never answer abuse requests (phone, email etc.) • Fully-automated set-up, no humans needed • Actual service provided by Directi (India) • Will suspend abuse domains eventually • The latest favorite registrar for ROCK
Who’s in charge of Risky Registrars? • ICANN compliance almost powerless • Often don’t even have accurate contact data • What is review process? • Insurance checked? • Spot checks on required support? • Mixed messages on their mission • Registries cannot suspend bad actors • Must provide access to ICANN accredited registrars • Still reluctant to take action/responsibility (some changes) • If no one takes responsibility • Some regulator will • Things will break - badly
Initiatives of the APWG Internet Policy Committee • Accelerated Domain Suspension by Registries • Influence ICANN WHOIS issues • Registrar Best Practices • “What to do if your site has been hacked” • Phish Site “Landing page” to educate victims • Collaborate with ICANN constituencies & SSAC • Large-scale data study for 2007 phishing
Accelerated Domain Suspension Plan for Registries: Update • Near final for .ASIA (Afilias back-end) • Most logistics worked out after long consultation • Several other ccTLD registries interested • Still TBD • Accreditation agency • Accredited Intervenor list • Timeframe of registry suspension of DNS to eligible domain • Fast arbitration process for disputes • Penalties for erroneous requests
WHOIS Issues: APWG view • Access needed to WHOIS by • Law enforcement • Brand owners • Third party shutdown providers • The use of WHOIS in phish site remediation: http://www.apwg.com/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf • Future studies – IPC will participate in ICANN framing of studies • Privacy “services” and “proxies” a major concern – they make criminal site suspension much more difficult and time-consuming, especially for hacked sites using otherwise legitimate domain names.
Registrar Best Practices • Goal: Provide recommendations to registrars to help them assist the anti-phishing community and make the Internet safer for all of us • Focus: • Limit NS and IP changes to mitigate ‘fast flux’ crime • Evidence preservation (help LE catch the criminals) • What is useful? How to preserve? Who to provide to? • Registrant screening tips to identify fraud proactively • Phishing domain takedown assistance • Provide resources to help identify malicious activities • Final draft in review by registrars
“What to do if your website has been hacked by phishers” • Intended to be a quick reference guide • Supported by resources on the APWG website • Includes feedback from the wider APWG group • Nearly complete! Final feedback process underway. • If you only do two things… • Ensure your software, hosting and DNS applications are all up to date with the most recent patches • Use hard-to-guess passwords
Phishing Site Landing Page • Website to redirect from removed phishing sites • EDUCATE people who fell for phishing lures • Logistics in process • Hosted by APWG or ISP that hosted phishing site • Could we do this via Registry/Registrar? • Translated to multiple languages • Concerns • Attacks (DDOS, Defacement, Drop Malware) • Potential use for evidence gathering - how? http://www.antiphishing.org/warning/index.html
2007 Phishing Data Study • Goal: Create an in-depth paper on phishing through 2007 that provides useful trends and commonalities to help investigation and provoke action by stakeholders • Special focus on domain name system • Data sets being collected from many sources • Volunteers needed! • Data, data, data! • Analysis and collaborators for the study
Next APWG Meeting Tokyo, Japan May 26-27, 2008 We invite you to participate!
APWG Contacts • Website: http://www.antiphishing.org • Phish Site Reporting: reportphishing@antiphishing.org • Membership: membership@antiphishing.org • IPC Chair’s e-mail: • rod.rasmussen@internetidentity.com Discussion
Anti-Phishing Working Group www.antiphishing.org IPC Initiative Update and Latest Phishing Trends Presented by Mike Rodenbaugh mike@rodenbaugh.com