APWG Update for ICANN Cross Constituency Meeting
Rod Rasmussen, Co-Chair APWG Internet Policy Committee
President & CTO
June 23, 2009
Mar 27, 2015
Topics
• APWG IPC Initiatives Update
• Global Phishing Survey Update
• Use of Malicious Registrations: Avalanche
• Attacks on Registrars: .PR and DomainNZ
• New emphasis on the Internet as critical infrastructure
Current/Recent Initiatives
Landing Page Working Well
• Up and running for over 6 months
– Hundreds of sites redirected
– Available in 20+ languages soon
– Thousands of consumers educated
– Live example!
• http://www.chapelenterprises.com/index/hsbcbankingonline/IBlogin.html
• Data to be made available to brand holders that are APWG members
Latest APWG Phishing Survey
Study domain names and URLs to:
• Provide a consistent benchmark for scope of phishing problems worldwide
• Understand what phishers are doing
• Identify new trends
• Find hot-spots and success stories
• Suggest anti-abuse measures
http://apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf
Overall Stats
Events in 2H2008
• Disappearance of “ROCK” phish
– Evident in drop off in .UK and .ES phishing
– Replaced? late in year with “Avalanche”
• Started slowly in December - big in 2009!
• Similar tactics but uses fast-flux
• Assault on Venezuela (.VE)
– Unprepared registry (registry/registrar model)
• Fast Flux attacks based on hundreds of VE domains
• Registry was very slow to act to mitigate
• No formal policies
– Took months to update policies
– Phishers took advantage
Top Phishing TLDs by Score (minimum 30,000 domains and 25 phish)

Rank  TLD  TLD Location   Unique domain names used for phishing 2H2008   Domains in registry in Dec 2008   Score: phish per 10,000 domains 2H2008
   1  ve   Venezuela                                         1,504                            82,500                                  182.3
   2  th   Thailand                                             88                            39,880                                   22.1
   3  bz   Belize                                               55                            43,377                                   12.7
   4  su   Soviet Union                                         76                            85,119                                    8.9
   5  ro   Romania                                             188                           310,114                                    6.1
   6  cl   Chile                                               116                           232,897                                    5.0
   7  kr   Korea                                               413                           983,626                                    4.2
   8  vn   Vietnam                                              37                            92,992                                    4.0
   9  ru   Russia                                              676                         1,860,179                                    3.6
  10  tw   Taiwan                                              144                           406,669                                    3.5
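The score column above is the report's "phish per 10,000 domains" metric, and the ranking only admits TLDs that clear the stated minimums. The following is an added example, not code from APWG or the report, that recomputes the scores and the ranking from the slide's rows and shows the eligibility thresholds at work with one extra row (the `xx` TLD) that I constructed; the threshold comparisons are assumed to be inclusive (at least 30,000 domains and at least 25 phish).

```python
# Added example (not from the APWG report): recompute the "phish per
# 10,000 domains" score and the ranking from the slide's table, applying
# the slide's eligibility thresholds (assumed: >= 30,000 domains, >= 25 phish).

from dataclasses import dataclass


@dataclass(frozen=True)
class TldRow:
    tld: str
    location: str
    phish_domains: int   # unique domain names used for phishing in 2H2008
    registry_size: int   # domains in the registry, Dec 2008


# Rows copied from the slide's table, plus one constructed row at the end.
SURVEY_2H2008 = [
    TldRow("ve", "Venezuela", 1_504, 82_500),
    TldRow("th", "Thailand", 88, 39_880),
    TldRow("bz", "Belize", 55, 43_377),
    TldRow("su", "Soviet Union", 76, 85_119),
    TldRow("ro", "Romania", 188, 310_114),
    TldRow("cl", "Chile", 116, 232_897),
    TldRow("kr", "Korea", 413, 983_626),
    TldRow("vn", "Vietnam", 37, 92_992),
    TldRow("ru", "Russia", 676, 1_860_179),
    TldRow("tw", "Taiwan", 144, 406_669),
    # Constructed row (not in the report): 20 phish in 10,000 domains would
    # score 20.0 and rank second, but both counts fall below the minimums,
    # so it must be excluded rather than distort the ranking.
    TldRow("xx", "Hypothetical small TLD", 20, 10_000),
]


def phish_score(row: TldRow) -> float:
    """Score = phishing domains per 10,000 registered domains, one decimal."""
    return round(row.phish_domains / row.registry_size * 10_000, 1)


def rank_tlds(rows, min_domains=30_000, min_phish=25):
    """Return [(rank, tld, score)] for eligible rows, highest score first."""
    eligible = [
        r for r in rows
        if r.registry_size >= min_domains and r.phish_domains >= min_phish
    ]
    ordered = sorted(eligible, key=phish_score, reverse=True)
    return [(i, r.tld, phish_score(r)) for i, r in enumerate(ordered, start=1)]


if __name__ == "__main__":
    for rank, tld, score in rank_tlds(SURVEY_2H2008):
        print(f"{rank:>2} .{tld:<3} {score:>6.1f}")
```

Without the minimums a single phish in a tiny registry would dominate the table, which is why the report normalises by registry size and still requires a floor on both counts.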
Malicious Domain Registrations
• Of the 30,454 phishing domains, we identified 5,591 (18.5%) clearly registered by phishers.
– Of those 5,591, only 1,053 domains contained a relevant brand name or misspelling. (Only 3.5% of all domains used for phishing.)
• >81% of domains used for phishing were “compromised” or hacked domains.
• The domain name itself usually does not matter to phishers. A hacked domain name of any meaning (or no meaning), in any TLD, will do.
Study Conclusions
• Phishers move from registrar to registrar, and TLD to TLD to exploit the best phishing “holes”
• Moving away from IP-based phishing
• The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
• Subdomain registration services are nearly as abused as standard domain registrars
• Registry anti-abuse programs have an effect
• Malicious registrations >18%
• Phishers happy to use any domain name
Avalanche Phishing Attacks
• Successor to infamous “ROCK” phishers
• Using dozens of domains daily at targeted registrar(s)
– Varying TLDs
– Testing responses of registrars
• Fast Flux Domain Hosting
– Using known nameservers
– Large but fixed botnet
• Attacking over 30 major brands concurrently
• Cashing out millions of dollars
Avalanche Brands Under Attack
Attacks Move Between Registrars
• Once registrar identified, attacks continue until registrar reacts
– Blocks bogus registrations
– Mitigates domains within 3 hours
• Often looking for weak reseller of larger registrar
Hacking Attacks on Registrars
• Two major hacking attacks in April
– DomainZ
– PR NIC
– http://www.zone-h.org/news/id/4708
• Seven recent attacks around the world
• Many by Turkish hacker group “Peace Crew”
– Goal was site take-over for defacement
– Proof of concept or bragging rights???
• Appears to be targeted SQL injection against domain management server
Take-over domain account → Assign new nameservers → Point A record to defacement
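The slide attributes the registrar break-ins to SQL injection against a domain management server. As an added example, not code from the presentation or from any registrar named on it, here is a minimal domain lookup written the vulnerable way beside the parameterised form that closes the hole; the table, account ids and domain names are constructed, and SQLite stands in for whatever database a registrar actually runs.

```python
# Added example (not from the presentation): a domain-management account
# lookup built by string splicing, beside the parameterised version.
# The database contents below are constructed for the demonstration.
from __future__ import annotations

import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a registrar's domain-management database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (account TEXT, domain TEXT, nameservers TEXT)")
    conn.executemany(
        "INSERT INTO domains VALUES (?, ?, ?)",
        [
            ("acct-1001", "example-bank.test", "ns1.registrar.test,ns2.registrar.test"),
            ("acct-1002", "example-shop.test", "ns1.hoster.test,ns2.hoster.test"),
            ("acct-1003", "example-news.test", "ns1.registrar.test,ns2.registrar.test"),
        ],
    )
    return conn


def lookup_domains_vulnerable(conn: sqlite3.Connection, account: str) -> list[str]:
    """Account id spliced into the SQL text, so request input becomes query syntax."""
    sql = f"SELECT domain FROM domains WHERE account = '{account}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_domains_safe(conn: sqlite3.Connection, account: str) -> list[str]:
    """Bound parameter: the driver passes the value separately, so it is only ever data."""
    sql = "SELECT domain FROM domains WHERE account = ?"
    return [row[0] for row in conn.execute(sql, (account,))]


if __name__ == "__main__":
    conn = build_demo_db()
    # A normal account id behaves the same in both versions.
    print(lookup_domains_safe(conn, "acct-1001"))
    # A value that closes the quote and appends a tautology: the spliced
    # query returns every account's domains, the bound query matches nothing.
    crafted = "x' OR '1'='1"
    print(lookup_domains_vulnerable(conn, crafted))
    print(lookup_domains_safe(conn, crafted))
```

The fix is structural rather than a filter: with a bound parameter there is no string in which the account value could be interpreted as SQL, which is the property a management interface that can reassign nameservers needs.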
Wake up Call?
• Will the next attack be for real crime?
• Has it already happened?
– Mystery data in recent phish set-ups hint at it
• Who’s doing PEN testing?
• Monitoring key resources?
• Monitoring customer domains?
• SSAC working on a report addressing these issues
Registrar Security Posture
• We’ve come a long way
• We’ve still got a long way to go…
• Attacks now being directed against registrars and DNS infrastructure providers
• Mindset change about the Internet
Protecting Critical Infrastructure
• DNS control is fundamental – recent attacks have proven this repeatedly
• Areas to address for best practices/policy/self-regulation
– Protecting access and control systems
– Preventing criminal exploitation of systems
– Monitoring for attacks and exploit attempts
– Incident response
– Assist with industry and LE efforts
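The "Monitoring customer domains?" question earlier and the "Monitoring for attacks and exploit attempts" item above both point at the same control: a registrar that records the delegation its customers authorised can notice the take-over pattern on the hacking slide (new nameservers, A record moved) before a defacement or phish goes live. The following is an added example, not code from the presentation, SSAC or any registrar, that diffs a snapshot of observed DNS state against a stored baseline; every domain, nameserver and address is constructed, and a real deployment would fill the snapshot from resolver queries rather than a literal.

```python
# Added example (not from the presentation): flag customer domains whose
# observed delegation or address drifted from the authorised baseline.
# All domains, nameservers and addresses are constructed.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DnsState:
    ns: frozenset[str]   # authoritative nameservers for the domain
    a: frozenset[str]    # addresses the apex A record resolves to


@dataclass
class Alert:
    domain: str
    severity: str        # "high" or "medium"
    detail: str


REGISTRAR_NS = frozenset({"ns1.registrar.test", "ns2.registrar.test"})

# Baseline recorded when each customer last made an authorised change.
BASELINE = {
    "example-bank.test": DnsState(REGISTRAR_NS, frozenset({"192.0.2.10"})),
    "example-shop.test": DnsState(REGISTRAR_NS, frozenset({"192.0.2.20"})),
    "example-news.test": DnsState(REGISTRAR_NS, frozenset({"192.0.2.30"})),
}

# Constructed snapshot standing in for live resolver answers.
OBSERVED = {
    "example-bank.test": DnsState(REGISTRAR_NS, frozenset({"192.0.2.10"})),
    # Take-over pattern: delegation moved to unknown nameservers and the
    # A record now points somewhere the customer never configured.
    "example-shop.test": DnsState(
        frozenset({"ns1.unknown-host.test", "ns2.unknown-host.test"}),
        frozenset({"203.0.113.66"}),
    ),
    # Only the address changed: possibly a legitimate hosting move, so
    # it is worth a look but not a page-out.
    "example-news.test": DnsState(REGISTRAR_NS, frozenset({"192.0.2.31"})),
}


def check_domain(domain: str, expected: DnsState, observed: DnsState) -> list[Alert]:
    """Compare one domain's observed state with its baseline."""
    alerts: list[Alert] = []
    ns_changed = observed.ns != expected.ns
    if ns_changed:
        added = ", ".join(sorted(observed.ns - expected.ns))
        alerts.append(Alert(domain, "high", f"nameservers changed; new NS: {added}"))
    if observed.a != expected.a:
        # An address change on top of a delegation change is the full take-over chain.
        severity = "high" if ns_changed else "medium"
        alerts.append(Alert(domain, severity,
                            f"A record changed: {sorted(expected.a)} -> {sorted(observed.a)}"))
    return alerts


def check_snapshot(baseline: dict[str, DnsState],
                   observed: dict[str, DnsState]) -> dict[str, list[Alert]]:
    """Run check_domain over every baselined domain; a missing answer is itself an alert."""
    results: dict[str, list[Alert]] = {}
    for domain, expected in baseline.items():
        current = observed.get(domain)
        if current is None:
            results[domain] = [Alert(domain, "high", "no answer: domain missing from snapshot")]
        else:
            results[domain] = check_domain(domain, expected, current)
    return results


if __name__ == "__main__":
    for domain, alerts in check_snapshot(BASELINE, OBSERVED).items():
        for alert in alerts:
            print(f"[{alert.severity}] {domain}: {alert.detail}")
```

The baseline has to be written from the registrar's own change log, not from a previous DNS query, otherwise an unauthorised change made between two runs simply becomes the new normal.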
Summary
• APWG continues to drive initiatives to improve Internet security and trust
– Engaging ICANN community to develop collaborative solutions
• Criminals continue to exploit “weak links”
– Sophisticated use of DNS for attacks
– Direct attacks against registrars and infrastructure providers
• Change in attitude on DNS security underway?
For More Information
Studies and Registrars’ Best Practices document posted at:
• http://www.apwg.org/
• Rod Rasmussen, Internet Identity
rod.rasmussen <at> internetidentity.com
• +1 253 590 4100