Dave Piscitello and Dr. Colin Strutt
As part of the US Covid-19 virus tax relief effort (American Rescue Plan Act of 2021, H.R.1319), the US Internal Revenue Service (IRS) issued a series of Economic Impact Payments to millions of eligible citizens. The third payment was authorized in March 2021. Criminals took note of this well-publicized program and put a phishing campaign together to profit by stealing and subsequently exploiting personal information of US citizens.
Like many phishing campaigns, EIP phishing emails and text messages mimic correspondence to convince US citizens to submit personal information or an advance fee payment at a bogus IRS web site.
Figure 1. Example EIP Phishing Email
EIP phishing attacks frequently include one or more deceptive strings that are intended to make the IRS impersonation convincing, e.g., EIP-apply-irsgov.com/claim/refund.html. Table 1 shows the most commonly used deceptive strings that investigators have encountered.
Table 1: Deceptive strings used in EIP phishing attacks
Deceptive string in
in the phishing link
By August 2021, the US Internal Revenue Service had received a record number of complaints and victim reports. The relief program continues, the IRS continues to send EIP payments to US citizens, and despite IRS and phishing investigative community efforts, so do EIP phishing campaigns.
We studied 5,700 links to EIP phishing pages that were reported between 1 July 2021 and 11 November 2021 to better understand the nature of this threat. The dates when EIP phishing pages were reported indicate that EIP phishing is an ongoing threat; moreover, the trend line in Figure 1 shows a steady increase in reports over time.
To answer the question, "Where are the bases for these phishing campaigns?", we examined the resources that EIP phishers used. These include domain names used in email campaigns, domains of EIP phishing web pages, and the Internet addresses where the pages were hosted.
A US Nexus revealed…
We extracted 2,500 domain names from 5,700 phishing links marked as EIP phishing. We then identified the domain registrar – the business where the domain name was purchased (leased) – and the Top-level Domain – e.g., .COM, .NET, .ORG – where domain name was delegated from.
We used a methodology that we recently used for a yearly study of phishing to measure the number of these domain names that were purposely registered by phishers, for phishing. For this measurement, we consider the age of the domain name, the content of the domain name, and evidence of common control and usage across the set of domains. We call these malicious domain name registrations.
We next used the Domain Name System (DNS) and Internet Address registration data from Regional Internet Registries to study where the phishing pages where hosted. These analyses show that EIP phishers used US based resources to attack US citizens:
OF THE DOMAIN NAMES FOUND IN EIP PHISHING PAGE LINKS
89% WERE REGISTERED IN THE .COM TOP-LEVEL DOMAIN
70% WERE REGISTERED THROUGH US BASED REGISTRARS
40% WERE REGISTERED THROUGH WILD WEST DOMAINS
64% OF THE DOMAIN NAMES WERE MALICIOUS DOMAIN NAME REGISTRATIONS
98% OF THE WILD WEST DOMAINS WERE PURPOSELY REGISTERED FOR PHISHING
OF THE EIP PHISHING PAGES THAT WERE “LIVE” ON NOVEMBER 18, 2021
67% WERE HOSTED ON IP ADDRESSES ALLOCATED TO US OPERATORS
62% OF THE EIP PHISHING IP ADDRESSES ARE ALLOCATED TO 3 US OPERATORS
What’s impeding EIP phishing takedowns?
Takedowns of any large scale have many moving parts. A registrar or registry must de-register domain names associated with EIP phishing, or they must make the EIP phishing domain name “unreachable” so that would-be victims cannot visit the phishing site. Web site owners or the service where the EIP phishing page is hosted must remove the web page. Contacting all the parties involved, offering evidence of the crime, and coordinating the appropriate mitigation is difficult with one or a few phishing pages.
A look at the numbers of parties that must assist in EIP phishing takedowns illustrates that takedowns for this prolonged campaign is far more involved.
We identified 120 registrars with at least one EIP phishing domain reported and 181 hosting services where the ~5,700 EIP phishing pages were hosted. For most of these businesses, takedowns of a campaign nvolving hundreds of phishing reports daily, and thousands over time, are managed as exceptions. There is no single takedown authority, no uniform takedown policy, and no common agreement on what evidence meets a takedown threshold.
In this environment, when a USG agency or law enforcement requests assistance from registrars, registries or web hosters, the responses vary. Many operators respond, but they don’t necessarily do so with the sense of urgency one would hope that mitigating a crime of this scale would merit. Most harm or loss from phishing occurs within hours of the onset of the attack. However, registrars do not necessarily suspend domains while they review the abuse complaint. But in cases where domains are not suspended, days or weeks may pass, and the victim count increases, before registrars may complete a takedown process. Hosting operators may also be slow to respond to requests to remove phishing pages or suspend hosting accounts.
Cooperation from operators is not always forthcoming:
- Some operators will recommend that anyone should consult with a brand protection or takedown service. Such companies have processes in place to submit fraudulent domains in bulk.
- Some registrars have wholesale business models: they provide a channel for resellers of their registration services. Some resellers defer responsibility and tell the agency or others to contact the registrar, who may refer back to the reseller.
- Some operators will insist on court orders before they take down a domain name or remove content.
- Some operators will forward the complaint to the domain name owner or web site owner and take no further action without consent.
- Some operators do not respond at all.
Even when a registrar agrees to suspend a domain, there is no convention or standard takedown practice. The domain may be parked, or it may be returned to the registry and made available again for registration, and in some cases, registered again for phishing. Similarly, some web hosters will remove content, but they will not mitigate the means by which the content was posted (e.g., a vulnerability that the phisher exploited to gain access to the host). Some operators will suspend domains or remove content, but with few exceptions, phishers can simply create new accounts with no obligation to prove their identity and use these to register new domain names or host new phishing sites.
These circumstances pose challenges for investigators who look for common control and (criminal) usage, but they virtually assure that large scale takedowns cannot be thoroughly and timely mitigated.
What is needed from providers of Internet domain, addressing and hosting resources (“infrastructures”) to mitigate global threats?
- Validation of the identities of parties who register and use Internet infrastructures,
- A baseline acceptable use policy that prohibits use of Internet domain and addressing resources, for cybercrimes. The Convention on Cybercrime can serve as the baseline set and operators can augment the baseline as their policy communities or government regulations choose,
- Rigorous enforcement of the baseline acceptable use policy,
- A common definition of what constitutes sufficient and satisfactory evidence to act on a complaint of criminal activity,
- A program that vets, accredits, and registers investigators or agencies as trusted notifiers, and
- Timely and uniform response (action) on the part of operators presented with a complaint by a trusted notifier (where timely is a matter of hours and days, not weeks or months).
The US needs to manage its own household
EIP phishing and Covid-themed frauds are most recent manifestations of cybercrimes that persist and flourish because policy communities or self-regulation cannot address cybercrime “at scale”.
Two proposals for US legislation show promise.
- Lock-and-suspend. U.S. Rep. David McKinley has proposed an amendment to the Federal Food, Drug, and Cosmetic Act to “provide a process to lock and suspend domain names used to facilitate the online sale of drugs illegally, and for other purposes.” The draft amendment proposes that when a trusted notifier reports a domain name that is “used to facilitate the online sale of drugs illegally”, a registrar or registry operator must lock the domain within 24 hours and suspend it within 7 days following notification. The proposed legislation provides a definition of what the trusted notifier must include in its report (notice) and provides recourse for domain owners to respond to the notice. We believe that this legislation represents a blueprint that could be used to effect by USG agencies like the IRS (as a trusted identifier) to disrupt EIP and future phishing campaigns, as well as other cybercrimes, including malware-based and ransomware attacks.
- Safeguarding Internet as a Service Infrastructures. The US Department of Commerce has published an Advance Notice of Proposed Rulemaking (ANPRM). The ANPRM responds to Executive Order 13984 of January 19, 2021, ‘Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities’. The EO directs the US Commerce Secretary to implement measures to “deter foreign malicious cyber actors' use of United States Infrastructure as a Service (IaaS) products and assist in the investigation of transactions involving foreign malicious cyber actors.” Interisle Consulting Group has commented to NTIA that DNS hosting and domain registration services should be classified as IaaS. We explain how criminals use the DNS and how they register and weaponize thousands of domains to perpetrate online crimes. We contend that the DNS is arguably as much of a critical infrastructure as the mobile and “hard-wired” networks that comprise the Internet.
No private, public, or multi-stakeholder organization has authority to take on this effort. But the US government and others that have an obligation to protect citizens from online fraud, extortion, and other digital crimes.