« Study reports a 70% increase in phishing from May 2020 through April 2021 | Main | New TLDs are coming #Dangerclose. »

Tuesday, 30 November 2021

Economic impact payments (EIP) Phishing: US citizens under attack from US bases of phishing operations

Dave Piscitello and Dr. Colin Strutt

As part of the US Covid-19 virus tax relief effort (American Rescue Plan Act of 2021, H.R.1319), the US Internal Revenue Service (IRS) issued a series of Economic Impact Payments to millions of eligible citizens. The third payment was authorized in March 2021. Criminals took note of this well-publicized program and put a phishing campaign together to profit by stealing and subsequently exploiting personal information of US citizens.

Like many phishing campaigns, EIP phishing emails and text messages mimic correspondence to convince US citizens to submit personal information or an advance fee payment at a bogus IRS web site.

Figure 1. Example EIP Phishing Email

IrsEIPphishing

EIP phishing attacks frequently include one or more deceptive strings that are intended to make the IRS impersonation convincing, e.g., EIP-apply-irsgov.com/claim/refund.html. Table 1 shows the most commonly used deceptive strings that investigators have encountered.

Table 1: Deceptive strings used in EIP phishing attacks 
 

Deceptive string in
domain name

Deceptive string
in the phishing link

IRS

136

1139

US

259

1043

economic

31

56

impact

51

74

tax

153

313

relief

43

183

claim

180

479

payment

52

208

government

55

135

refund

24

65

By August 2021, the US Internal Revenue Service had received a record number of complaints and victim reports.  The relief program continues, the IRS continues to send EIP payments to US citizens, and despite IRS and phishing investigative community efforts, so do EIP phishing campaigns. 

We studied 5,700 links to EIP phishing pages that were reported between 1 July 2021 and 11 November 2021 to better understand the nature of this threat. The dates when EIP phishing pages were reported indicate that EIP phishing is an ongoing threat; moreover, the trend line in Figure 1 shows a steady increase in reports over time.

Figure 2. Reported EIP Phishing PagesReportedEIPphishingURLs

To answer the question, "Where are the bases for these phishing campaigns?", we examined the resources that EIP phishers used. These include domain names used in email campaigns, domains of EIP phishing web pages, and the Internet addresses where the pages were hosted. 

A US Nexus revealed…

We extracted 2,500 domain names from  5,700 phishing links marked as EIP phishing.  We then identified the domain registrar – the business where the domain name was purchased (leased) – and the Top-level Domain – e.g., .COM, .NET, .ORG – where domain name was delegated from.

We used a methodology that we recently used for a yearly study of phishing to measure the number of these domain names that were purposely registered by phishers, for phishing. For this measurement, we consider the age of the domain name, the content of the domain name, and evidence of common control and usage across the set of domains. We call these malicious domain name registrations.

We next used the Domain Name System (DNS) and Internet Address registration data from Regional Internet Registries to study where the phishing pages where hosted. These analyses show that EIP phishers used US based resources to attack US citizens:

OF THE DOMAIN NAMES FOUND IN EIP PHISHING PAGE LINKS

89% WERE REGISTERED IN THE .COM TOP-LEVEL DOMAIN

70% WERE REGISTERED THROUGH US BASED REGISTRARS

40% WERE REGISTERED THROUGH WILD WEST DOMAINS

64% OF THE DOMAIN NAMES WERE MALICIOUS DOMAIN NAME REGISTRATIONS

98% OF THE WILD WEST DOMAINS WERE PURPOSELY REGISTERED FOR PHISHING

OF THE EIP PHISHING PAGES THAT WERE “LIVE” ON NOVEMBER 18, 2021

67% WERE HOSTED ON IP ADDRESSES ALLOCATED TO US OPERATORS

62% OF THE EIP PHISHING IP ADDRESSES ARE ALLOCATED TO 3 US OPERATORS 

What’s impeding EIP phishing takedowns?

Takedowns of any large scale have many moving parts. A registrar or registry must de-register domain names associated with EIP phishing, or they must make the EIP phishing domain name “unreachable” so that would-be victims cannot visit the phishing site. Web site owners or the service where the EIP phishing page is hosted must remove the web page. Contacting all the parties involved, offering evidence of the crime, and coordinating the appropriate mitigation is difficult with one or a few phishing pages. 

A look at the numbers of parties that must assist in EIP phishing takedowns illustrates that takedowns for this prolonged campaign is far more involved.

We identified 120 registrars with at least one EIP phishing domain reported and 181 hosting services where the ~5,700 EIP phishing pages were hosted. For most of these businesses, takedowns of a campaign nvolving hundreds of phishing reports daily, and thousands over time, are managed as exceptions. There is no single takedown authority, no uniform takedown policy, and no common agreement on what evidence meets a takedown threshold. 

In this environment, when a USG agency or law enforcement requests assistance from registrars, registries or web hosters, the responses vary. Many operators respond, but they don’t necessarily do so with the sense of urgency one would hope that mitigating a crime of this scale would merit. Most harm or loss from phishing occurs within hours of the onset of the attack. However, registrars do not necessarily suspend domains while they review the abuse complaint. But in cases where domains are not suspended, days or weeks may pass, and the victim count increases, before registrars may complete a takedown process.  Hosting operators may also be slow to respond to requests to remove phishing pages or suspend hosting accounts.

Cooperation from operators is not always forthcoming: 

  1. Some operators will recommend that anyone should consult with a brand protection or takedown service. Such companies have processes in place to submit fraudulent domains in bulk.

  2. Some registrars have wholesale business models: they provide a channel for resellers of their registration services. Some resellers defer responsibility and tell the agency or others to contact the registrar, who may refer back to the reseller.
     
  3. Some operators will insist on court orders before they take down a domain name or remove content.

  4. Some operators will forward the complaint to the domain name owner or web site owner and take no further action without consent.
  5. Some operators do not respond at all.

Even when a registrar agrees to suspend a domain, there is no convention or standard takedown practice. The domain may be parked, or it may be returned to the registry and made available again for registration, and in some cases, registered again for phishing. Similarly, some web hosters will remove content, but they will not mitigate the means by which the content was posted (e.g., a vulnerability that the phisher exploited to gain access to the host). Some operators will suspend domains or remove content, but with few exceptions, phishers can simply create new accounts with no obligation to prove their identity and use these to register new domain names or host new phishing sites. 

These circumstances pose challenges for investigators who look for common control and (criminal) usage, but they virtually assure that large scale takedowns cannot be thoroughly and timely mitigated. 

What is needed from providers of Internet domain, addressing and hosting resources (“infrastructures”) to mitigate global threats?

  • Validation of the identities of parties who register and use Internet infrastructures, 

  • A baseline acceptable use policy that prohibits use of Internet domain and addressing resources, for cybercrimes. The Convention on Cybercrime can serve as the baseline set and operators can augment the baseline as their policy communities or government regulations choose,

  • Rigorous enforcement of the baseline acceptable use policy,

  • A common definition of what constitutes sufficient and satisfactory evidence to act on a complaint of criminal activity,

  • A program that vets, accredits, and registers investigators or agencies as trusted notifiers, and

  • Timely and uniform response (action) on the part of operators presented with a complaint by a trusted notifier (where timely is a matter of hours and days, not weeks or months).

The US needs to manage its own household

EIP phishing and Covid-themed frauds are most recent manifestations of cybercrimes that persist and flourish because policy communities or self-regulation cannot address cybercrime “at scale”.

Two proposals for US legislation show promise. 

  1. Lock-and-suspend. U.S. Rep. David McKinley has proposed an amendment to the Federal Food, Drug, and Cosmetic Act to “provide a process to lock and suspend domain names used to facilitate the online sale of drugs illegally, and for other purposes.” The draft amendment proposes that when a trusted notifier reports a domain name that is “used to facilitate the online sale of drugs illegally”, a registrar or registry operator must lock the domain within 24 hours and suspend it within 7 days following notification. The proposed legislation provides a definition of what the trusted notifier must include in its report (notice) and provides recourse for domain owners to respond to the notice. We believe that this legislation represents a blueprint that could be used to effect by USG agencies like the IRS (as a trusted identifier) to disrupt EIP and future phishing campaigns, as well as other cybercrimes, including malware-based and ransomware attacks.  

  2. Safeguarding Internet as a Service Infrastructures. The US Department of Commerce has published an Advance Notice of Proposed Rulemaking (ANPRM). The ANPRM responds to Executive Order 13984 of January 19, 2021, ‘Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities’. The EO directs the US Commerce Secretary to implement measures to “deter foreign malicious cyber actors' use of United States Infrastructure as a Service (IaaS) products and assist in the investigation of transactions involving foreign malicious cyber actors.” Interisle Consulting Group has commented to NTIA that DNS hosting and domain registration services should be classified as IaaS. We explain how criminals use the DNS and how they register and weaponize thousands of domains to perpetrate online crimes. We contend that the DNS is arguably as much of a critical infrastructure as the mobile and “hard-wired” networks that comprise the Internet. 

No private, public, or multi-stakeholder organization has authority to take on this effort. But the US government and others that have an obligation to protect citizens from online fraud, extortion, and other digital crimes.

Posted at 09:10 AM in Anti-Malware and Anti-phishing, Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories