In Shadow Warriors, Tom Clancy relates events surrounding the 1985 hijacking of the Italian cruise liner Achille Lauro, one of numerous incidents that influenced the evolution of US special forces. Here's how Clancy describes the four men who hijacked the cruise liner:
"The terrorists were not dumb. They knew our reaction time, based on the distance that had to be traveled and the time the Washington decision-making cycle usually took, and they operated inside these times. Every minute counted."
Had Tom Clancy sought to characterize phishers rather than terrorists, he could well have written:
Phishers are not dumb. They know our phishing reaction time, based on the time it takes to identify the phish site and the "web site takedown" decision-making cycle, and they operate inside these times.
The time it takes to get to a phish site is the sum of the time to identify an email as a phish, examine the phish URL, extract the domain from the URL, and then identify and report the phish to the domain registrant or web site operator. In most cases, these tasks are accomplished quickly. The "web site takedown" decision-making cycle can involve several parties: the registrant, the web site operator's business and technical staff (who should remove the phish site), the sponsoring registrar and, in the extreme, a registry or a court of law. This cycle can prove a lengthy process.
What do phishing response times look like?
The APWG Global Phishing Surveys report Phishing Site Up Times biannually. The 2H2011 Report provides a graph of up times from 2008 through 2011.
In the graph, the mean (average) is larger than the median: the distribution skew is positive. The "tail" extends into multiple days and in some cases weeks or months.
How long is the tail? An ongoing APWG survey of companies reporting phishing incidents gives us some insight. We asked, "How much time elapsed from the first notification of a compromise and when the phishing web site was discovered?" The graph to the right shows that while ~40% of discoveries and notices are less than one day, the tail among the 415 reported cases extends beyond 14 days.
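As an added example (not code from the original post or from the APWG surveys), the script below performs the first link in the reaction-time chain described above, extracting the host to report from a phish URL, and then summarises a set of up-time records the way the survey graphs do: mean versus median, the share cleared within a day, and the share still up beyond a 14-day tail. All URLs, hostnames and timestamps are constructed sample data.

```python
from datetime import datetime
from statistics import mean, median
from urllib.parse import urlsplit

def phish_host(url: str) -> str:
    """Hostname to look up and report. urlsplit() discards userinfo, port
    and path, so a decoy such as 'http://bank.example@203.0.113.5/login'
    yields the real host '203.0.113.5', not the lure 'bank.example'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host

def up_time_hours(reported: str, removed: str) -> float:
    """Hours between the phish report and confirmed removal ('YYYY-MM-DD HH:MM')."""
    fmt = "%Y-%m-%d %H:%M"
    delta = datetime.strptime(removed, fmt) - datetime.strptime(reported, fmt)
    if delta.total_seconds() < 0:
        raise ValueError("removal time precedes report time")
    return delta.total_seconds() / 3600

def up_time_stats(records, tail_days: int = 14) -> dict:
    """Summarise the up-time distribution: mean vs. median (mean > median
    means a positive skew), share cleared within a day, share beyond the tail."""
    hours = sorted(up_time_hours(r, d) for _, r, d in records)
    n = len(hours)
    return {
        "count": n,
        "mean_h": mean(hours),
        "median_h": median(hours),
        "under_1_day": sum(h < 24 for h in hours) / n,
        "over_tail": sum(h > tail_days * 24 for h in hours) / n,
    }

# Constructed sample incidents (url, reported, removed); not APWG data.
INCIDENTS = [
    ("http://bank.example@203.0.113.5/login",       "2012-07-01 08:00", "2012-07-01 14:00"),
    ("https://www.example-login.test:8443/verify",  "2012-07-02 09:30", "2012-07-02 19:30"),
    ("http://secure.example.test/acct/",            "2012-07-03 00:00", "2012-07-03 20:00"),
    ("http://198.51.100.7/~user/bank/",             "2012-07-04 12:00", "2012-07-06 12:00"),
    ("https://update-account.example/index.php",    "2012-07-05 06:00", "2012-07-08 06:00"),
    ("http://cheap-shared-host.test/wp-content/x/", "2012-07-06 00:00", "2012-07-26 00:00"),
]

if __name__ == "__main__":
    for url, *_ in INCIDENTS:
        print(f"{url:48} -> report to operator of {phish_host(url)}")
    print(up_time_stats(INCIDENTS))
```

Even in this small constructed set, one 20-day site pulls the mean (106 h) well above the median (34 h), which is the positive skew the surveys describe.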
Improving Reaction Time
The mechanics of identifying, reporting, and removing phishing web pages - Clancy's "reaction time" - are becoming more familiar across the security and operations communities. As Rasmussen and Aaron report in 2H2011, this has proven beneficial in several respects:
"sites are now coming down in under 10 hours. That makes for fewer victims, which may partly explain why phishers are putting up more sites. However, if they continue to put up shorter-lived sites, their overall effectiveness is lower, and thus their 'costs' are higher. Making things harder for criminals and raising their 'cost of doing business' is a goal that all anti-abuse forces share."
As we move phishers from their comfort zone, they are responding by putting up more sites. This means that every organization with an online presence is both a potential target for a phishing attack and a potential host for a phishing web page. To continue to improve reaction times, every company should take steps to:
- "Harden" your web site against attacks.
- Scan your web site for vulnerabilities and mitigate these before you put it into production.
- Prepare a plan for how to respond to a compromise of your web site by phishers.
- Monitor your web site, your domain registrations, your brand, and your DNS for signs of a phish.
In so doing, you'll better protect your own online presence, and your efforts to prevent your site from being compromised and used to host a phish page will help protect other online businesses as well.
Improving the Decision-Making Cycle
Clancy describes incidents in Shadow Warriors where special forces were ready to respond but missions were hampered by poor coordination, lack of authorization or inadequate communications. Some of these same problems plague the "web site takedown" decision-making cycle. Your organization can ensure that it doesn't add drag to this decision-making cycle by making certain that all your communications channels are ready and available in the event of an incident:
- Provide complete and accurate contact information in your domain name and IP address Whois records.
- Keep accurate contact information for technical or abuse contacts at your sponsoring registrar, ISP, DNS and hosting provider.
- Share internal contact information with all parties from whom you may need assistance in the event of an incident (e.g., registrar, ISP, hosting provider).
- Join and participate in antiphishing community social networks or mail lists to stay informed, to seek advice from industry colleagues, and to establish contacts.
Helping to reduce the long tail of Phishing Up Times may seem like a strictly "pay it forward" effort, but any involvement in a phishing attack can have direct costs to your organization, so there is an element of self-benefit here as well.
Interesting. Another timing issue that I've wondered about is how long from when a victim provides credentials until those credentials are used by the phisher? If we follow up on reported spam by contacting all recipients, we will hear from a few who gave away their password. But we rarely see the evidence that the password has been used yet by the phisher.
Posted by: Bob Bayn | Thursday, 09 August 2012 at 01:30 PM