Tuesday, 30 November 2021

Economic impact payments (EIP) Phishing: US citizens under attack from US bases of phishing operations

Dave Piscitello and Dr. Colin Strutt

As part of the US Covid-19 virus tax relief effort (American Rescue Plan Act of 2021, H.R.1319), the US Internal Revenue Service (IRS) issued a series of Economic Impact Payments to millions of eligible citizens. The third payment was authorized in March 2021. Criminals took note of this well-publicized program and put a phishing campaign together to profit by stealing and subsequently exploiting personal information of US citizens.

Like many phishing campaigns, EIP phishing emails and text messages mimic correspondence to convince US citizens to submit personal information or an advance fee payment at a bogus IRS web site.

Figure 1. Example EIP Phishing Email

IrsEIPphishing

EIP phishing attacks frequently include one or more deceptive strings that are intended to make the IRS impersonation convincing, e.g., EIP-apply-irsgov.com/claim/refund.html. Table 1 shows the most commonly used deceptive strings that investigators have encountered.

Table 1: Deceptive strings used in EIP phishing attacks 
 

Deceptive string in
domain name

Deceptive string
in the phishing link

IRS

136

1139

US

259

1043

economic

31

56

impact

51

74

tax

153

313

relief

43

183

claim

180

479

payment

52

208

government

55

135

refund

24

65

By August 2021, the US Internal Revenue Service had received a record number of complaints and victim reports.  The relief program continues, the IRS continues to send EIP payments to US citizens, and despite IRS and phishing investigative community efforts, so do EIP phishing campaigns. 

We studied 5,700 links to EIP phishing pages that were reported between 1 July 2021 and 11 November 2021 to better understand the nature of this threat. The dates when EIP phishing pages were reported indicate that EIP phishing is an ongoing threat; moreover, the trend line in Figure 1 shows a steady increase in reports over time.

Figure 2. Reported EIP Phishing PagesReportedEIPphishingURLs

To answer the question, "Where are the bases for these phishing campaigns?", we examined the resources that EIP phishers used. These include domain names used in email campaigns, domains of EIP phishing web pages, and the Internet addresses where the pages were hosted. 

A US Nexus revealed…

We extracted 2,500 domain names from  5,700 phishing links marked as EIP phishing.  We then identified the domain registrar – the business where the domain name was purchased (leased) – and the Top-level Domain – e.g., .COM, .NET, .ORG – where domain name was delegated from.

We used a methodology that we recently used for a yearly study of phishing to measure the number of these domain names that were purposely registered by phishers, for phishing. For this measurement, we consider the age of the domain name, the content of the domain name, and evidence of common control and usage across the set of domains. We call these malicious domain name registrations.

We next used the Domain Name System (DNS) and Internet Address registration data from Regional Internet Registries to study where the phishing pages where hosted. These analyses show that EIP phishers used US based resources to attack US citizens:

OF THE DOMAIN NAMES FOUND IN EIP PHISHING PAGE LINKS

89% WERE REGISTERED IN THE .COM TOP-LEVEL DOMAIN

70% WERE REGISTERED THROUGH US BASED REGISTRARS

40% WERE REGISTERED THROUGH WILD WEST DOMAINS

64% OF THE DOMAIN NAMES WERE MALICIOUS DOMAIN NAME REGISTRATIONS

98% OF THE WILD WEST DOMAINS WERE PURPOSELY REGISTERED FOR PHISHING

OF THE EIP PHISHING PAGES THAT WERE “LIVE” ON NOVEMBER 18, 2021

67% WERE HOSTED ON IP ADDRESSES ALLOCATED TO US OPERATORS

62% OF THE EIP PHISHING IP ADDRESSES ARE ALLOCATED TO 3 US OPERATORS 

What’s impeding EIP phishing takedowns?

Takedowns of any large scale have many moving parts. A registrar or registry must de-register domain names associated with EIP phishing, or they must make the EIP phishing domain name “unreachable” so that would-be victims cannot visit the phishing site. Web site owners or the service where the EIP phishing page is hosted must remove the web page. Contacting all the parties involved, offering evidence of the crime, and coordinating the appropriate mitigation is difficult with one or a few phishing pages. 

A look at the numbers of parties that must assist in EIP phishing takedowns illustrates that takedowns for this prolonged campaign is far more involved.

We identified 120 registrars with at least one EIP phishing domain reported and 181 hosting services where the ~5,700 EIP phishing pages were hosted. For most of these businesses, takedowns of a campaign nvolving hundreds of phishing reports daily, and thousands over time, are managed as exceptions. There is no single takedown authority, no uniform takedown policy, and no common agreement on what evidence meets a takedown threshold. 

In this environment, when a USG agency or law enforcement requests assistance from registrars, registries or web hosters, the responses vary. Many operators respond, but they don’t necessarily do so with the sense of urgency one would hope that mitigating a crime of this scale would merit. Most harm or loss from phishing occurs within hours of the onset of the attack. However, registrars do not necessarily suspend domains while they review the abuse complaint. But in cases where domains are not suspended, days or weeks may pass, and the victim count increases, before registrars may complete a takedown process.  Hosting operators may also be slow to respond to requests to remove phishing pages or suspend hosting accounts.

Cooperation from operators is not always forthcoming: 

  1. Some operators will recommend that anyone should consult with a brand protection or takedown service. Such companies have processes in place to submit fraudulent domains in bulk.

  2. Some registrars have wholesale business models: they provide a channel for resellers of their registration services. Some resellers defer responsibility and tell the agency or others to contact the registrar, who may refer back to the reseller.
     
  3. Some operators will insist on court orders before they take down a domain name or remove content.

  4. Some operators will forward the complaint to the domain name owner or web site owner and take no further action without consent.
  5. Some operators do not respond at all.

Even when a registrar agrees to suspend a domain, there is no convention or standard takedown practice. The domain may be parked, or it may be returned to the registry and made available again for registration, and in some cases, registered again for phishing. Similarly, some web hosters will remove content, but they will not mitigate the means by which the content was posted (e.g., a vulnerability that the phisher exploited to gain access to the host). Some operators will suspend domains or remove content, but with few exceptions, phishers can simply create new accounts with no obligation to prove their identity and use these to register new domain names or host new phishing sites. 

These circumstances pose challenges for investigators who look for common control and (criminal) usage, but they virtually assure that large scale takedowns cannot be thoroughly and timely mitigated. 

What is needed from providers of Internet domain, addressing and hosting resources (“infrastructures”) to mitigate global threats?

  • Validation of the identities of parties who register and use Internet infrastructures, 

  • A baseline acceptable use policy that prohibits use of Internet domain and addressing resources, for cybercrimes. The Convention on Cybercrime can serve as the baseline set and operators can augment the baseline as their policy communities or government regulations choose,

  • Rigorous enforcement of the baseline acceptable use policy,

  • A common definition of what constitutes sufficient and satisfactory evidence to act on a complaint of criminal activity,

  • A program that vets, accredits, and registers investigators or agencies as trusted notifiers, and

  • Timely and uniform response (action) on the part of operators presented with a complaint by a trusted notifier (where timely is a matter of hours and days, not weeks or months).

The US needs to manage its own household

EIP phishing and Covid-themed frauds are most recent manifestations of cybercrimes that persist and flourish because policy communities or self-regulation cannot address cybercrime “at scale”.

Two proposals for US legislation show promise. 

  1. Lock-and-suspend. U.S. Rep. David McKinley has proposed an amendment to the Federal Food, Drug, and Cosmetic Act to “provide a process to lock and suspend domain names used to facilitate the online sale of drugs illegally, and for other purposes.” The draft amendment proposes that when a trusted notifier reports a domain name that is “used to facilitate the online sale of drugs illegally”, a registrar or registry operator must lock the domain within 24 hours and suspend it within 7 days following notification. The proposed legislation provides a definition of what the trusted notifier must include in its report (notice) and provides recourse for domain owners to respond to the notice. We believe that this legislation represents a blueprint that could be used to effect by USG agencies like the IRS (as a trusted identifier) to disrupt EIP and future phishing campaigns, as well as other cybercrimes, including malware-based and ransomware attacks.  

  2. Safeguarding Internet as a Service Infrastructures. The US Department of Commerce has published an Advance Notice of Proposed Rulemaking (ANPRM). The ANPRM responds to Executive Order 13984 of January 19, 2021, ‘Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities’. The EO directs the US Commerce Secretary to implement measures to “deter foreign malicious cyber actors' use of United States Infrastructure as a Service (IaaS) products and assist in the investigation of transactions involving foreign malicious cyber actors.” Interisle Consulting Group has commented to NTIA that DNS hosting and domain registration services should be classified as IaaS. We explain how criminals use the DNS and how they register and weaponize thousands of domains to perpetrate online crimes. We contend that the DNS is arguably as much of a critical infrastructure as the mobile and “hard-wired” networks that comprise the Internet. 

No private, public, or multi-stakeholder organization has authority to take on this effort. But the US government and others that have an obligation to protect citizens from online fraud, extortion, and other digital crimes.

Posted at 09:10 AM in Anti-Malware and Anti-phishing, Domain names and DNS | | Comments (0)

Next »

Search

My Photo
The Skeptic's email address

Categories

Spotlight Posts

  • Economic impact payments (EIP) Phishing: US citizens under attack from US bases of phishing operations
    Dave Piscitello and Dr. Colin Strutt As part of the US Covid-19 virus tax relief effort (American Rescue Plan Act of 2021, H.R.1319), the US Internal Revenue Service (IRS) issued a series of Economic Impact Payments to millions of eligible citizens. The third payment was authorized in March 2021. Criminals took note of this well-publicized program and put a phishing campaign together to profit by stealing and subsequently exploiting personal information of US citizens. Like many phishing campaigns, EIP phishing emails and text messages mimic correspondence to convince US citizens to submit personal information or an advance fee payment at...
  • Study reports a 70% increase in phishing from May 2020 through April 2021
    My Interisle colleagues, together with Greg Aaron of Illumintel, have published a study of the scope and distribution of phishing. From 1 May 2020 through 30 April 2021, we collected nearly 1.5 million phishing reports. Our analyses found ~700,000 phishing attacks among the reports collected. Highlights from the study: Phishing increased by nearly 70% over the yearly period. Most phishing is concentrated at small numbers of domain registrars, domain registries, and hosting providers. The top 10 brands targeted accounted for 46% of the phishing attacks associated with specific brands. Phishing attacks are disproportionately concentrated in new Top-level Domains (TLD). We...
  • In new study Interisle Reveals Excessive Withholding of Internet WHOIS Data
    My Interisle colleagues, together with Greg Aaron, have completed an in-depth analysis of the effects of ICANN policy for WHOIS, a public lookup service that has until recently made it possible to identify who registered and controls a domain name. The European Union’s General Data Protection Regulation (GDPR), adopted in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy, allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS. The implementation of this policy has been widely criticized,...
  • New study: Phishing Landscape 2020
    My colleagues Greg Aaron, Dr. Colin Strutt, Lyman Chapin and I have published a new research report, Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing. The report can be found at http://www.interisle.net/PhishingLandscape2020.html Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. We studied where phishers are getting the resources they need to perpetrate their crimes — where they obtain domain...
  • Widespread Issues with Domain Registration Accountability Have a COVID Nexus
    My Interisle partners and colleague Greg Aaron have published a detailed study that measures the effectiveness and impact of ICANN's registration data access policies and procedures. This study reveals widespread problems with access to and the reliability of domain name registration data systems (WHOIS). These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic. In our Press Release I make the comment that, “The COVID-19 pandemic has led to a recent explosion of cybercrime, with thousands of new domain names using terms like ‘covid’ or ‘corona’ being used to perpetrate...