« In 2015, take #spearphishing seriously | Main | The Uncomfortable Truth about Breach Statistics and Prevention »

Wednesday, 07 January 2015

APWG UBL integrates Facebook phish feed

 

6457165789_dccab629ec_m
Image by Widjaya Ivan

The URL Block List at APWG’s eCrime eXchange (ECX UBL) is about to change in several, dramatic ways. 

Data volume. APWG is folding Facebook’s phish feed into the UBL database. When the merge of the Facebook and APWG UBL archives is complete, the UBL will grow from just under two million to an estimated fourteen million records. Once current, APWG anticipates that the Facebook feed will add approximately 160,000 unique phish records per day. In an email to ECX members, APWG Lead Developer, Mike D'Ambrogia, notes that, “We have a few other large new feeds from other corporate entities beginning to submit phish URLs to us as well over the next few weeks that will continue the development of the UBL into a global corpus of crime event data.”

Data expansion. Facebook data are dominated by shortened URLs. APWG intends to add a new process to expand and track the shortened links by following the 30x redirects to the final destination tracking the IPs and FQDNs we encounter along the way.  Mike explains that APWG intends to fold three records into the UBL: the original reported shortened URL, the expanded URL (redirects), and the landing location. APWG will also maintain a record of the parent-child relationship between these records, to “make the data interrelationships visible/accessible via the eCX UBL API to help members understand where the data originated.”  

API will evolve. The ECX API provides data query capability with replies in XML or JSON schemas and also provides canned downloads (now last 72 hours or last week).  Mike explains that the API now provides “a much improved ability for you to get exactly what you want out of the data versus the current strategy of grabbing everything and then filtering the data on your end you can search for exactly what you are after”. The API currently allows members to filter by confidence percentage ranges, URL sub-strings, IP subnet ranges, and brands. As new metadata becomes associated with UBL data, APWG intends to add the query filtering options to further filter on other data or metadata, including the shortened URL data sets, whois, registry and registrar data. APWG intends to move from the current RPC-based API to a REST-based application in the future.

My ICANN colleague Rick Lamb and I are currently experimenting with the ECX UBL to track and study phishing activity in the new TLDs. The UBL data had already proven valuable. The near tenfold increase in volume, the additional data and metadata associated with shortened URLs, and the anticipated expanded search capabilities has us really excited.

APWG members can access the expanded and enhanced data using their existing eCrime eXchange accounts. Enhancements to the API are documented in each UBL section of the site (e.g., downloads, submissions). 

What if you’re not currently a member and want to explore the cybercrime event data and API I’ve described here?  APWG has established a trial access program to the ECX UBL and  for all eligible enterprises. Send requests for access to APWG Engineering to [email protected].

Posted at 09:00 AM in Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • Cybercrime Reported in June 2025
    Today, my colleague Colin Strutt looks at cybercrime activity for the month of June 2025. In these monthly reports, we note anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. https://interisle.substack.com/p/cybercrime-reported-in-june-2025 #cybercrime #phishing #malware #dnsabuse #spam
  • February 1–April 30, 2025 phishing activity available at the Cybercrime Information Center
    Phishing activity reports for the period February 1–April 30, 2025, are now available at the Cybercrime Information Center. Top 20 rankings of Top-level Domain, Domain Registrar and Hosting operator (by ASN) as well as aggregate records of all operators with phishing activity are available. - Modest declines - Small hosting networks leap into top 20 - Meta and cryptocurrency brands most targeted - .TOP, .XIN and Dominet (HK) remain persistent threats https://interisle.substack.com/p/phishing-trends-february-april-2025
  • Cybercrime Reported in April 2025
    In today's Interisle Insights, Colin Strutt looks at cybercrime activity collected at the Cybercrime Information Center for the month of April 2025.We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. Read Cybercrime Reported in April 2025. Interisle Insights is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. Join now!
  • Malware Trends: January - March 2025
    Malware activity reports for the quarter are now posted at the Cybercrime Information Center. Our key statistics show small quarter-over-quarter increases in malicious IP address malware records (Traffic Injectors and Attackware) and unique IPv4 addresses reported as serving or distributing malware, and but meaningful decreases in both endpoint and IoT malware reported. Read Malware Trends: January - March 2025
  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.

Search

My Photo

Categories