« Book Review: Network Forensics, Tracking Hackers Through Hyperspace | Main | Domain Shutdowns, Suspensions, & Seizures… Oh, My! »

Tuesday, 07 August 2012

Reducing Phishing Up Times

In Shadow Warriors, Tom Clancy relates events surrounding the 1985 hijacking of the Italian cruise liner Achille Lauro, one of numerous incidents that influenced the evolution of US special forces. Here's how Clancy describes the four men who hijacked the cruise liner:

"The terrorists were not dumb. They knew our reaction time, based on the distance that had to be traveled and the time the Washington decision-making cycle usually took, and they operated inside these times. Every minute counted."

Had Tom Clancy sought to characterize phishers rather than terrorists, he could well have written:

Phishers are not dumb.  They know our phishing reaction time, based on the time it takes to identify the phish site and the "web site takedown" decision-making cycle, and they operate inside these times.

The time it takes to get to a phish site is the sum of the time to identify an email as a phish, examine the phish URL, extract the domain from the URL, and then identify and report the phish to the domain registrant or web site operator. In most cases, these tasks are accomplished quickly. The "web site takedown" decision-making cycle can involve several parties: registrant, the web site operator's business and technical staff (who should remove the phish site), sponsoring registrar and in the extreme, a registry or a court of law. This cycle can prove a lengthy process.

What do phishing response times look like?

The APWG Global Phishing Surveys report Phishing Site Up Times biannually. The 2H2011 Report provides a graph of up times from 2008 through 2011.

PhishuptimeIn the graph, the mean (average) is larger than the median: the distribution skew is positive. The "tail" extends into multiple days and in some cases weeks or months.

How long is the tail? An ongoing APWG survey of companies reporting phishing incidents gives us some insight. We asked, "How much time elapsed from the first notification of a compromise and when the phishing web site was discovered?" The graph to the right shows that the while ~40% of discoveries and notices are less than one day, the tail among the 415 reported cases extends beyond 14 days.

Phishwebremoved

Improving Reaction time

The mechanics of identifying, reporting, and removing phishing web pages - Clancy's "reaction time" - are becoming more familiar across the security and operations communities. As Rasmussen and Aaron report in 2H2011, this has proven beneficial in several respects:

"sites are now coming down in under 10 hours. That makes for fewer victims, which may partly explain why phishers are putting up more sites. However, if they continue to put up shorter-lived sites, their overall effectiveness is lower, and thus their 'costs' are higher. Making things harder for criminals and raising their 'cost of doing business' is a goal that all anti-abuse forces share."

As we move phishers from their comfort zone, they are responding by putting up more sites. This means that every organization with an online presence is both a potential target for a phishing attack and a potential host for a phishing web page. To continue to improve reaction times, every company should take steps to:

  • "Harden" your web site against attacks.
  • Scan your web site for vulnerabilities and mitigate these before you put it into production.
  • Prepare a plan for how to respond to a compromise of your web site by phishers.
  • Monitor your web site, your domain registrations, your brand, and your DNS for signs of a phish.

In so doing, you'll better protect your own online presence and your efforts to prevent your site from being compromised and serving as a phish page hosting site will help protect other online businesses as well.

Improving the decision making cycle

Clancy describes incidents in Shadow Warriors where special forces were ready to respond but missions were hampered due to poor coordination, lack of authorization or inadequate communications. Some of these same problems plague the "web site takedown" decision-making cycle. Your organization can ensure that you don't contribute drag to this  decision making cycle by making certain that all your comms channels ready and available in the event of an incident:

  1. Provide complete and accurate contact information in your domain name and IP address Whois records. 
  2. Keep accurate contact information for technical or abuse contacts at your sponsoring registrar, ISP, DNS and hosting provider.
  3. Share internal contact information with all parties from whom you may need assistance in the event of an incident (e.g., registrar, ISP, hosting provider).
  4. Join and participate in antiphishing community social networks or mail lists to stay informed, to seek advice from industry colleagues, and to establish contacts.

Helping to reduce the long tail of Phishing Up Times may seem like a strictly "pay it forward" effort, but any involvement in a phishing attack can have direct costs to your organization, so there is an element of self-benefit here as well.

Posted at 07:25 AM in Anti-Malware and Anti-phishing, Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Interesting. Another timing issue that I've wondered about is how long from when a victim provides credentials until those credentials are used by the phisher? If we followup on reported spam by contacting all recipients, we will hear from a few who gave away their password. But we rarely see the evidence that the password has been used yet by the phisher.

Posted by: Bob Bayn | Thursday, 09 August 2012 at 01:30 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories