
APWG Update for ICANN Cross Constituency Meeting

APWG Update for ICANN Cross Constituency Meeting. Rod Rasmussen Co-Chair APWG Internet Policy Committee President & CTO June 23, 2009. Topics. APWG IPC Initiatives Update Global Phishing Survey Update Use of Malicious Registrations: Avalanche Attacks on Registrars: .PR and DomainNZ


Presentation Transcript


  1. APWG Update for ICANN Cross Constituency Meeting Rod Rasmussen Co-Chair APWG Internet Policy Committee President & CTO June 23, 2009

  2. Topics • APWG IPC Initiatives Update • Global Phishing Survey Update • Use of Malicious Registrations: Avalanche • Attacks on Registrars: .PR and DomainZ • New emphasis on the Internet as critical infrastructure

  3. Current/Recent Initiatives

  4. Landing Page Working Well • Up and running for over 6 months • Hundreds of sites redirected • Available in 20+ languages soon • Thousands of consumers educated • Live example! • http://www.chapelenterprises.com/index/hsbcbankingonline/IBlogin.html • Data to be made available to brand holders that are APWG members

  5. Latest APWG Phishing Survey Study domain names and URLs to: • Provide a consistent benchmark for scope of phishing problems worldwide • Understand what phishers are doing • Identify new trends • Find hot-spots and success stories • Suggest anti-abuse measures http://apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf

  6. Overall Stats

  7. Events in 2H2008 • Disappearance of “ROCK” phish • Evident in drop off in .UK and .ES phishing • Replaced? late in year with “Avalanche” • Started slowly in December - big in 2009! • Similar tactics but uses fast-flux • Assault on Venezuela (.VE) • Unprepared registry (registry/registrar model) • Fast Flux attacks based on hundreds of VE domains • Registry was very slow to act to mitigate • No formal policies • Took months to update policies • Phishers took advantage

  8. Top Phishing TLDs by Score (minimum 30,000 domains and 25 phish)

  9. Malicious Domain Registrations • Of the 30,454 phishing domains, we identified 5,591 (18.5%) clearly registered by phishers. • Of those 5,591, only 1,053 domains contained a relevant brand name or misspelling. (Only 3.5% of all domains used for phishing.) • >81% of domains used for phishing were “compromised” or hacked domains. • The domain name itself usually does not matter to phishers. A hacked domain name of any meaning (or no meaning), in any TLD, will do.

  10. Study Conclusions • Phishers move from registrar to registrar, and TLD to TLD to exploit the best phishing “holes” • Moving away from IP-based phishing • The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years. • Subdomain registration services are nearly as abused as standard domain registrars • Registry anti-abuse programs have an effect • Malicious registrations >18% • Phishers happy to use any domain name

  11. Avalanche Phishing Attacks • Successor to infamous “ROCK” phishers • Using dozens of domains daily at targeted registrar(s) • Varying TLDs • Testing responses of registrars • Fast Flux Domain Hosting • Using known nameservers • Large but fixed botnet • Attacking over 30 major brands concurrently • Cashing out millions of dollars

  12. Avalanche Brands Under Attack

  13. Attacks Move Between Registrars • Once registrar identified, attacks continue until registrar reacts • Blocks bogus registrations • Mitigates domains within 3 hours • Often looking for weak reseller of larger registrar

  14. Hacking Attacks on Registrars • Two major hacking attacks in April • DomainZ • PR NIC • http://www.zone-h.org/news/id/4708 • Seven recent attacks around the world • Many by Turkish hacker group “Peace Crew” • Goal was site take-over for defacement • Proof of concept or bragging rights??? • Appears to be targeted SQL injection against domain management server
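The attack class named on slide 14, a SQL injection against a registrar's domain-management web application, shown as a vulnerable login query beside its parameterized replacement. This is example code added here by the editor; it is not code from the APWG deck, from DomainZ, or from NIC.PR. The table layout, account names, domains and payload are assumptions, and the in-memory SQLite database stands in for the registrar's real back end.

```python
"""Constructed illustration: SQL injection in a registrar's domain-management
application (added example, not the APWG deck's or any registrar's code).
Schema, accounts, domains and the injection payload are all assumptions."""
import sqlite3


def make_db():
    """In-memory stand-in for a registrar's domain-management database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE domains (name TEXT, owner_id INTEGER, ns1 TEXT, ns2 TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 'correct-horse');
        INSERT INTO accounts VALUES (2, 'bigbrand', 'battery-staple');
        INSERT INTO domains VALUES ('alice-example.test', 1, 'ns1.alice.test', 'ns2.alice.test');
        INSERT INTO domains VALUES ('bigbrand.test', 2, 'ns1.bigbrand.test', 'ns2.bigbrand.test');
        """
    )
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string formatting, so user input becomes SQL.
    A username of  bigbrand'--  closes the quote and comments out the
    password check, logging the attacker in as account 2."""
    sql = ("SELECT id FROM accounts WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same query with bound parameters: input is always data, never SQL."""
    row = db.execute(
        "SELECT id FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def set_nameservers(db, account_id, domain, ns1, ns2):
    """Authorized change path: only the owning account may repoint its domain.
    Once the attacker holds a valid session for account 2 this check passes."""
    cur = db.execute(
        "UPDATE domains SET ns1 = ?, ns2 = ? WHERE name = ? AND owner_id = ?",
        (ns1, ns2, domain, account_id),
    )
    return cur.rowcount == 1


def nameservers(db, domain):
    """Current NS pair for a domain, or None if it does not exist."""
    return db.execute(
        "SELECT ns1, ns2 FROM domains WHERE name = ?", (domain,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "bigbrand'--"          # assumed attacker input
    victim = login_vulnerable(db, payload, "anything")
    print("vulnerable login returned account", victim)          # 2
    print("fixed login returned", login_fixed(db, payload, "anything"))  # None
    # With the hijacked session the attacker walks the slide-15 path:
    set_nameservers(db, victim, "bigbrand.test", "ns1.evil.test", "ns2.evil.test")
    print("bigbrand.test now served by", nameservers(db, "bigbrand.test"))
```

The injection itself is the only unusual step; everything after it (changing nameservers, then pointing the A record at a defacement host) runs through the application's normal, correctly authorized code paths, which is why the change log of a hijacked account looks like ordinary customer activity.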

  15. Take over domain account → Assign new nameservers → Point A record to defacement

  16. Wake up Call? • Will the next attack be for real crime? • Has it already happened? • Mystery data in recent phish set-ups hint at it • Who’s doing pen testing? • Monitoring key resources? • Monitoring customer domains? • SSAC working on a report addressing these issues
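One answer to the "Monitoring customer domains?" question on slide 16, built around the takeover sequence on slide 15 (account taken over, new nameservers assigned, A record repointed). The check compares a registrar's baseline of each customer's NS and A records against a later observation and escalates when the nameservers move to hosts the registrar does not know and the A record changes in the same window. This is an added example by the editor, not code from the APWG deck; the snapshots are constructed, the domains, nameservers and addresses are made up, and in production the current snapshot would come from resolver queries and the baseline from the registrar's own change tickets.

```python
"""Constructed illustration: detecting unauthorized NS / A record changes on
customer domains (added example; not the APWG deck's code).  All domain
names, nameservers, addresses and tickets below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    ns: frozenset   # nameserver hostnames
    a: frozenset    # IPv4 addresses at the apex


def snapshot(ns, a):
    return DnsSnapshot(frozenset(ns), frozenset(a))


# Constructed baseline: what the registrar believes each customer's records are.
BASELINE = {
    "bigbrand.test": snapshot(["ns1.bigbrand.test", "ns2.bigbrand.test"], ["192.0.2.10"]),
    "shop.test": snapshot(["ns1.hoster.test", "ns2.hoster.test"], ["192.0.2.20", "192.0.2.21"]),
    "news.test": snapshot(["ns1.hoster.test", "ns2.hoster.test"], ["192.0.2.30"]),
}

# Constructed observation a few hours later (e.g. from a scheduled resolver sweep).
CURRENT = {
    "bigbrand.test": snapshot(["ns1.fastflux.example", "ns2.fastflux.example"], ["198.51.100.66"]),
    "shop.test": snapshot(["ns1.hoster.test", "ns2.hoster.test"], ["192.0.2.20", "192.0.2.22"]),
    "news.test": snapshot(["ns1.hoster.test", "ns2.hoster.test"], ["192.0.2.30"]),
}

# Nameservers the registrar operates or has vetted for its resellers (assumed).
KNOWN_NS = {"ns1.bigbrand.test", "ns2.bigbrand.test", "ns1.hoster.test", "ns2.hoster.test"}

# (domain, field) pairs a customer actually requested through the change system (assumed).
AUTHORIZED = {("shop.test", "a")}


def check_domain(name, before, after, known_ns=KNOWN_NS, authorized=AUTHORIZED):
    """Return a list of (severity, message) findings for one domain."""
    findings = []
    if before.ns != after.ns and (name, "ns") not in authorized:
        unknown = after.ns - known_ns
        # Moving to nameservers the registrar has never seen is the strongest signal.
        sev = "critical" if unknown else "warning"
        msg = f"NS changed {sorted(before.ns)} -> {sorted(after.ns)}"
        if unknown:
            msg += f"; unknown nameservers {sorted(unknown)}"
        findings.append((sev, msg))
    if before.a != after.a and (name, "a") not in authorized:
        # An A change on its own is a warning; combined with an NS change in the
        # same window it matches the slide-15 takeover pattern, so escalate.
        sev = "critical" if findings else "warning"
        findings.append((sev, f"A changed {sorted(before.a)} -> {sorted(after.a)}"))
    return findings


def scan(baseline, current, known_ns=KNOWN_NS, authorized=AUTHORIZED):
    """Compare every baseline domain with the current snapshot.
    Returns {domain: [findings]} for domains with at least one finding."""
    report = {}
    for name, before in baseline.items():
        after = current.get(name)
        if after is None:
            report[name] = [("warning", "domain missing from current snapshot")]
            continue
        findings = check_domain(name, before, after, known_ns, authorized)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan(BASELINE, CURRENT).items():
        for sev, msg in findings:
            print(f"{sev.upper():8} {name}: {msg}")
```

On the constructed data only bigbrand.test is reported, with two critical findings; the A-record change on shop.test is covered by a ticket and stays quiet. Keying the allow-list on nameserver hostnames rather than IPs matters for the fast-flux hosting slide 11 describes, where the addresses behind a malicious nameserver change constantly but the hostname does not.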

  17. Registrar Security Posture “From now on our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be — as a strategic national asset” - President Barack Obama 5/29/2009 • We’ve come a long way • We’ve still got a long way to go… • Attacks now being directed against registrars and DNS infrastructure providers • Mindset change about the Internet

  18. Protecting Critical Infrastructure • DNS control is fundamental – recent attacks have proven this repeatedly • Areas to address for best practices/policy/self-regulation • Protecting access and control systems • Preventing criminal exploitation of systems • Monitoring for attacks and exploit attempts • Incident response • Assist with industry and LE efforts

  19. Summary • APWG continues to drive initiatives to improve Internet security and trust • Engaging ICANN community to develop collaborative solutions • Criminals continue to exploit “weak links” • Sophisticated use of DNS for attacks • Direct attacks against registrars and infrastructure providers • Change in attitude on DNS security underway?

  20. For More Information Studies and Registrars Best Practices document posted at: • http://www.apwg.org/ • Rod Rasmussen, Internet Identity • rod.rasmussen <at> internetidentity.com • +1 253 590 4100
