APWG Update for ICANN Cross Constituency Meeting Rod Rasmussen Co-Chair APWG Internet Policy Committee President & CTO June 23, 2009

Mar 27, 2015


Adrian Dean
Transcript

APWG Update for ICANN Cross Constituency Meeting

Rod Rasmussen

Co-Chair APWG Internet Policy Committee

President & CTO

June 23, 2009


Topics

• APWG IPC Initiatives Update

• Global Phishing Survey Update

• Use of Malicious Registrations: Avalanche

• Attacks on Registrars: .PR and DomainNZ

• New emphasis on the Internet as critical infrastructure


Current/Recent Initiatives


Landing Page Working Well

• Up and running for over 6 months
  – Hundreds of sites redirected
  – Available in 20+ languages soon
  – Thousands of consumers educated
  – Live example!
    • http://www.chapelenterprises.com/index/hsbcbankingonline/IBlogin.html

• Data to be made available to brand holders that are APWG members


Latest APWG Phishing Survey

Study domain names and URLs to:

• Provide a consistent benchmark for scope of phishing problems worldwide

• Understand what phishers are doing

• Identify new trends

• Find hot-spots and success stories

• Suggest anti-abuse measures

http://apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf


Overall Stats


Events in 2H2008

• Disappearance of “ROCK” phish
  – Evident in drop off in .UK and .ES phishing
  – Replaced? late in year with “Avalanche”
    • Started slowly in December - big in 2009!
    • Similar tactics but uses fast-flux

• Assault on Venezuela (.VE)
  – Unprepared registry (registry/registrar model)
    • Fast Flux attacks based on hundreds of VE domains
    • Registry was very slow to act to mitigate
    • No formal policies
  – Took months to update policies
  – Phishers took advantage


Top Phishing TLDs by Score (minimum 30,000 domains and 25 phish)

| Rank | TLD | TLD Location | Unique Domain Names used for phishing 2H2008 | Domains in registry in Dec 2008 | Score: Phish per 10,000 domains 2H2008 |
|---|---|---|---|---|---|
| 1 | ve | Venezuela | 1,504 | 82,500 | 182.3 |
| 2 | th | Thailand | 88 | 39,880 | 22.1 |
| 3 | bz | Belize | 55 | 43,377 | 12.7 |
| 4 | su | Soviet Union | 76 | 85,119 | 8.9 |
| 5 | ro | Romania | 188 | 310,114 | 6.1 |
| 6 | cl | Chile | 116 | 232,897 | 5.0 |
| 7 | kr | Korea | 413 | 983,626 | 4.2 |
| 8 | vn | Vietnam | 37 | 92,992 | 4.0 |
| 9 | ru | Russia | 676 | 1,860,179 | 3.6 |
| 10 | tw | Taiwan | 144 | 406,669 | 3.5 |


Malicious Domain Registrations

• Of the 30,454 phishing domains, we identified 5,591 (18.5%) clearly registered by phishers.
  – Of those 5,591, only 1,053 domains contained a relevant brand name or misspelling. (Only 3.5% of all domains used for phishing.)

• <81% of domains used for phishing were “compromised” or hacked domains.

• The domain name itself usually does not matter to phishers. A hacked domain name of any meaning (or no meaning), in any TLD, will do.


Study Conclusions

• Phishers move from registrar to registrar, and TLD to TLD to exploit the best phishing “holes”

• Moving away from IP-based phishing

• The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.

• Subdomain registration services are nearly as abused as standard domain registrars

• Registry anti-abuse programs have an effect

• Malicious registrations >18%

• Phishers happy to use any domain name


Avalanche Phishing Attacks

• Successor to infamous “ROCK” phishers

• Using dozens of domains daily at targeted registrar(s)
  – Varying TLDs
  – Testing responses of registrars

• Fast Flux Domain Hosting
  – Using known nameservers
  – Large but fixed botnet

• Attacking over 30 major brands concurrently

• Cashing out millions of dollars


Avalanche Brands Under Attack


Attacks Move Between Registrars

• Once registrar identified, attacks continue until registrar reacts
  – Blocks bogus registrations
  – Mitigates domains within 3 hours

• Often looking for weak reseller of larger registrar


Hacking Attacks on Registrars

• Two major hacking attacks in April
  – DomainZ
  – PR NIC
  – http://www.zone-h.org/news/id/4708

• Seven recent attacks around the world

• Many by Turkish hacker group “Peace Crew”
  – Goal was site take-over for defacement
  – Proof of concept or bragging rights???

• Appears to be targeted SQL injection against domain management server


• Take-over domain account

• Assign new nameservers

• Point A record to defacement


Wake up Call?

• Will the next attack be for real crime?

• Has it already happened
  – Mystery data in recent phish set-ups hint at it

• Who’s doing PEN testing?

• Monitoring key resources?

• Monitoring customer domains?

• SSAC working on a report addressing these issues
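
The hijack sequence on the preceding slide (account take-over, new nameservers, A record repointed) is what customer-domain monitoring has to catch. An added example, not part of the original presentation: a baseline-versus-observed comparison of NS and A records that flags a replaced delegation. All domains, nameserver names, addresses and the approved-provider suffix are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    ns: frozenset  # nameserver hostnames
    a: frozenset   # addresses the apex resolves to

def snap(ns, a):
    # Normalise case and trailing dots so "NS1.Example." equals "ns1.example"
    return Snapshot(frozenset(n.lower().rstrip(".") for n in ns), frozenset(a))

def check_domain(domain, base, seen, approved_suffixes):
    """Compare one domain's observed records with its baseline."""
    if seen is None:
        return [("medium", f"{domain}: no observation, lookup failed or domain gone")]
    findings = []
    new_ns = seen.ns - base.ns
    foreign = sorted(n for n in new_ns if not n.endswith(tuple(approved_suffixes)))
    a_changed = seen.a != base.a
    if foreign and not (seen.ns & base.ns):
        # Whole delegation replaced: the take-over pattern from the slides
        sev = "critical" if a_changed else "high"
        findings.append((sev, f"{domain}: delegation replaced by {foreign}"))
    elif foreign:
        findings.append(("high", f"{domain}: unapproved nameserver added {foreign}"))
    elif seen.ns != base.ns:
        findings.append(("info", f"{domain}: nameservers changed within approved providers"))
    if a_changed and not foreign:
        findings.append(("low", f"{domain}: A records changed, delegation intact"))
    return findings

def audit(baseline, observed, approved_suffixes):
    return {d: check_domain(d, b, observed.get(d), approved_suffixes)
            for d, b in baseline.items()}

# Constructed sample data (documentation domains and address ranges)
APPROVED = (".dns-provider.example",)
BASELINE = {
    "shop.example": snap(["ns1.dns-provider.example.", "ns2.dns-provider.example."], ["192.0.2.10"]),
    "blog.example": snap(["ns1.dns-provider.example", "ns2.dns-provider.example"], ["192.0.2.20"]),
    "mail.example": snap(["ns1.dns-provider.example"], ["192.0.2.30"]),
}
OBSERVED = {
    "shop.example": snap(["ns1.unknown-host.example", "ns2.unknown-host.example"], ["203.0.113.66"]),
    "blog.example": snap(["NS1.dns-provider.example", "ns2.dns-provider.example"], ["198.51.100.7"]),
}

if __name__ == "__main__":
    for domain, findings in audit(BASELINE, OBSERVED, APPROVED).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

In practice the observed snapshots would come from periodic lookups against the TLD's authoritative servers, so that a change made at the registrar shows up even while resolvers still hold cached answers.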


Registrar Security Posture

• We’ve come a long way

• We’ve still got a long way to go…

• Attacks now being directed against registrars and DNS infrastructure providers

• Mindset change about the Internet


Protecting Critical Infrastructure

• DNS control is fundamental – recent attacks have proven this repeatedly

• Areas to address for best practices/policy/self-regulation
  – Protecting access and control systems
  – Preventing criminal exploitation of systems
  – Monitoring for attacks and exploit attempts
  – Incident response
  – Assist with industry and LE efforts


Summary

• APWG continues to drive initiatives to improve Internet security and trust
  – Engaging ICANN community to develop collaborative solutions

• Criminals continue to exploit “weak links”
  – Sophisticated use of DNS for attacks
  – Direct attacks against registrars and infrastructure providers

• Change in attitude on DNS security underway?


For More Information

Studies and Registrars Best Practices’ document posted at:

• http://www.awpg.org/

• Rod Rasmussen, Internet Identity
  rod.rasmussen <at> internetidentity.com

• +1 253 590 4100
