APWG Publishes Anti-Phishing Advisory on Troubling Abuse of Subdomains for Phishing Attacks

[news release] The APWG, the global, independent coalition combating electronic crime, today announced the availability of a new industry advisory that examines the abuse of subdomain registries by criminals engaged in phishing attacks. Over 10-percent of all phishing sites, representing tens of thousands of scams worldwide, originate on subdomains available for registration at subdomain registry services, the advisory reports.

Subdomains are easily exploited due to their low- or no-cost pricing model, anonymity, easy setup, and lack of internal organization, dispute rules, or policing. Misappropriation of dynamic IP addressing, proxies, bots, and scam sites that disguise themselves with bank or credit card logos then play havoc from a wide variety of services and platforms which “host” these accounts unawares.

“Making Waves in the Phishers’ Safest Harbors: Exposing the Dark Side of Subdomain Registries,” investigated and authored by Dave Piscitello (ICANN) and Rod Rasmussen (Internet Identity), is available now at no cost from the APWG at: www.antiphishing.org/reports/APWG_Advisory_on_Subdomain_Registries.pdf “Once a subdomain account is created, phishers are able to bilk unsuspecting and/or careless users from the scam sites they host,” explained Piscitello.

Rasmussen said, “Phishing domains created as subdomains of free web hosting companies can be particularly difficult to take down. An attacker can create an account and host a site in minutes, in complete anonymity, with a hosting provider who has no formal abuse or dispute procedures.” “Many of these hosting companies have tens of thousands of subdomains, so it prevents responders from asking a registrar to suspend the parent domain,” Rasmussen added.

The Advisory reports that phishers are always on the lookout for effective ways to distribute phish email to lure victims to scam web sites. At the same time they attempt to shield their online scams from discovery and takedown by law enforcement and Internet Service providers (ISP)s.

In their constant efforts to counter anti-phishing measures, phishers are using subdomain registries to provide safe harbors for malicious and criminal activities in part because of their automated processing models. “Subdomains are easily exploited due to their low- or no-cost, anonymity, easy setup, and lack of internal organization dispute rules or policing”, reports Mr. Piscitello.

Upon creating a subdomain account, phishers are able to wreck havoc from fraud and scam sites they host. “The phishers basically hide in the weeds – a few or dozens of illegal sites operating among thousands of mom and pop sites are insidious and extremely difficult to locate and take down,” Mr. Piscitello said.

According to the authors, the purpose of this advisory is, “to bring awareness to this industry segment about the serious abuse problems that are threatening their operations. APWG would like to see best practices for dealing with abuse issues adopted throughout this community.” The Advisory recommends a program of policies and practices that subdomain registries can implement today just as top-level domain registrars already have in place: 1. Require customers to read and agree to a Uniform Terms of Service (UTS) agreement (UTS) that prohibits use of subdomains for malicious or illegal activities.

2. Collect and maintain accurate contact information.

3. Provide an abuse handling process for subdomains where users and anti-phishing agents can identify abusive sites.

4. Monitor the zone file activity for all domains used to register subdomains to detect activities that violate the UTS.

5. Collaborate with anti-phishing agencies to reduce the time required to confirm and take down phishing sites.

6. Implement a trusted appeal or dispute resolution process.

Additional measures could include: a) Obtain a list of commonly phished brands and prohibit customers from creating names that infringe on brand, IP or copyrights.

b) Create an access policy for zone files used to register third level labels to allow law enforcement, brand protection companies, and other trusted parties to monitor for abuse.

c) Use CAPTCHA or similar methods to defeat registration and DNS configuration automation.

ABOUT APWG: The APWG, founded in 2003 as the Anti-Phishing Working Group, is a global industry, law enforcement, and government coalition focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing, and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community and solutions providers. There are more than 1,800 companies, government agencies and NGOs participating in the APWG and more than 3,300 members worldwide. The APWG’s Web site (www.antiphishing.org) offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection.

The APWG, founded as the Anti-Phishing Working Group in 2003, is an industry, law enforcement and government coalition focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing, and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, researchers and solutions providers. There are more than 1,800 companies and government agencies worldwide participating in the APWG and more than 3,200 members. The APWG’s Web site (www.antiphishing.org) offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection. APWG’s corporate sponsors include: 8e6 Technologies, AT&T (T), Able NV, Afilias Ltd., AhnLab, AVG Technologies, BillMeLater, BBN Technologies, Blue Coat, BlueStreak, BrandMail, BrandProtect, Bsecure Technologies, Cisco (CSCO), Clear Search, Cloudmark, Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River, Earthlink (ELNK), eBay/PayPal (EBAY), Entrust (ENTU), Experian, eEye, Fortinet, FraudWatch International, FrontPorch, F-Secure, Goodmail Systems, GeoTrust, GlobalSign, GoDaddy, Goodmail Systems, GuardID Systems, HomeAway, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity, Internet Security Systems, IOvation, IronPort, IS3, IT Matrix, Kaspersky Labs, Lenos Software, LightSpeed Systems, MailFrontier, MailShell, MarkMonitor, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT), MicroWorld, Mirapoint, MySpace (NWS), MyPW, MX Logic, NameProtect, National Australia Bank (ASX: NAB) Netcraft, NetStar, Network Solutions, NeuStar, Nominum, Panda Software, Phoenix Technologies Inc. (PTEC), Phishme.com, Phorm, The Planet, SalesForce, Radialpoint, RSA Security (EMC), SecureBrain, Secure Computing (SCUR), S21sec, Sigaba, SoftForum, SOPHOS, SquareTrade, SurfControl, SunTrust, Symantec (SYMC), TDS Telecom, Telefonica (TEF), Trend Micro (TMIC), Tricerion, TriCipher, TrustedID, Tumbleweed Communications (TMWD), Vasco (VDSI), VeriSign (VRSN), Visa, Wal-Mart (WMT), Websense Inc. (WBSN) and Yahoo! (YHOO).