APWG Update for ICANN Cross Constituency Meeting
Rod Rasmussen
Co-Chair APWG Internet Policy Committee
President & CTO
June 23, 2009
Topics
• APWG IPC Initiatives Update
• Global Phishing Survey Update
• Use of Malicious Registrations: Avalanche
• Attacks on Registrars: .PR and DomainNZ
• New emphasis on the Internet as critical infrastructure
Current/Recent Initiatives
Landing Page Working Well
• Up and running for over 6 months
  – Hundreds of sites redirected
  – Available in 20+ languages soon
  – Thousands of consumers educated
  – Live example!
• http://www.chapelenterprises.com/index/hsbcbankingonline/IBlogin.html
• Data to be made available to brand holders that are APWG members
Latest APWG Phishing Survey
Study domain names and URLs to:
• Provide a consistent benchmark for scope of phishing problems worldwide
• Understand what phishers are doing
• Identify new trends
• Find hot-spots and success stories
• Suggest anti-abuse measures
http://apwg.org/reports/APWG_GlobalPhishingSurvey2H2008.pdf
Overall Stats
Events in 2H2008
• Disappearance of “ROCK” phish
  – Evident in drop off in .UK and .ES phishing
  – Replaced? late in year with “Avalanche”
    • Started slowly in December - big in 2009!
    • Similar tactics but uses fast-flux
• Assault on Venezuela (.VE)
  – Unprepared registry (registry/registrar model)
    • Fast Flux attacks based on hundreds of VE domains
    • Registry was very slow to act to mitigate
    • No formal policies
  – Took months to update policies
  – Phishers took advantage
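Top Phishing TLDs by Score (minimum 30,000 domains and 25 phish)

| Rank | TLD | TLD Location | Unique domain names used for phishing, 2H2008 | Domains in registry, Dec 2008 | Score: phish per 10,000 domains, 2H2008 |
|------|-----|--------------|-----------------------------------------------|-------------------------------|------------------------------------------|
| 1 | ve | Venezuela | 1,504 | 82,500 | 182.3 |
| 2 | th | Thailand | 88 | 39,880 | 22.1 |
| 3 | bz | Belize | 55 | 43,377 | 12.7 |
| 4 | su | Soviet Union | 76 | 85,119 | 8.9 |
| 5 | ro | Romania | 188 | 310,114 | 6.1 |
| 6 | cl | Chile | 116 | 232,897 | 5.0 |
| 7 | kr | Korea | 413 | 983,626 | 4.2 |
| 8 | vn | Vietnam | 37 | 92,992 | 4.0 |
| 9 | ru | Russia | 676 | 1,860,179 | 3.6 |
| 10 | tw | Taiwan | 144 | 406,669 | 3.5 |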
Malicious Domain Registrations
• Of the 30,454 phishing domains, we identified 5,591 (18.5%) clearly registered by phishers.
  – Of those 5,591, only 1,053 domains contained a relevant brand name or misspelling. (Only 3.5% of all domains used for phishing.)
• <81% of domains used for phishing were “compromised” or hacked domains.
• The domain name itself usually does not matter to phishers. A hacked domain name of any meaning (or no meaning), in any TLD, will do.
Study Conclusions
• Phishers move from registrar to registrar, and TLD to TLD to exploit the best phishing “holes”
• Moving away from IP-based phishing
• The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
• Subdomain registration services are nearly as abused as standard domain registrars
• Registry anti-abuse programs have an effect
• Malicious registrations >18%
• Phishers happy to use any domain name
Avalanche Phishing Attacks
• Successor to infamous “ROCK” phishers
• Using dozens of domains daily at targeted registrar(s)
  – Varying TLDs
  – Testing responses of registrars
• Fast Flux Domain Hosting
  – Using known nameservers
  – Large but fixed botnet
• Attacking over 30 major brands concurrently
• Cashing out millions of dollars
Avalanche Brands Under Attack
Attacks Move Between Registrars
• Once registrar identified, attacks continue until registrar reacts
  – Blocks bogus registrations
  – Mitigates domains within 3 hours
• Often looking for weak reseller of larger registrar
Hacking Attacks on Registrars
• Two major hacking attacks in April
  – DomainZ
  – PR NIC
  – http://www.zone-h.org/news/id/4708
• Seven recent attacks around the world
• Many by Turkish hacker group “Peace Crew”
  – Goal was site take-over for defacement
  – Proof of concept or bragging rights???
• Appears to be targeted SQL injection against domain management server
• Take-over domain account
• Assign new nameservers
• Point A record to defacement
Wake up Call?
• Will the next attack be for real crime?
• Has it already happened?
  – Mystery data in recent phish set-ups hint at it
• Who’s doing PEN testing?
• Monitoring key resources?
• Monitoring customer domains?
• SSAC working on a report addressing these issues
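The takeover sequence described above (new nameservers assigned, then the A record repointed) is what customer-domain monitoring has to catch. A minimal sketch of that check follows, as an added example that is not part of the original slides: the `Snapshot` and `check_domains` names, the severity levels and all sample data are constructed for illustration, and collecting the live DNS answers is left to whatever resolver tooling is in use.

```python
from dataclasses import dataclass


def _norm(names):
    # DNS names are case-insensitive and may carry a trailing dot.
    return frozenset(n.strip().rstrip(".").lower() for n in names)


@dataclass(frozen=True)
class Snapshot:
    nameservers: frozenset
    a_records: frozenset

    @classmethod
    def of(cls, nameservers, a_records):
        return cls(_norm(nameservers), frozenset(a_records))


def check_domains(baseline, observed):
    """Return {domain: (severity, detail)} for every domain that drifted."""
    findings = {}
    for domain, base in baseline.items():
        now = observed.get(domain)
        if now is None:
            findings[domain] = ("medium", "no data for monitored domain")
            continue
        added_ns = now.nameservers - base.nameservers
        added_a = now.a_records - base.a_records
        replaced = bool(added_ns) and not (now.nameservers & base.nameservers)
        if replaced and added_a:
            sev = "high"    # delegation fully replaced and A record moved
        elif added_ns:
            sev = "medium"  # delegation changed, address not (yet) moved
        elif added_a:
            sev = "low"     # address change only, often routine
        else:
            continue
        findings[domain] = (sev, f"new NS={sorted(added_ns)} new A={sorted(added_a)}")
    return findings


# Constructed sample data (example.* names, RFC 5737 documentation addresses).
BASELINE = {
    "shop.example": Snapshot.of(["ns1.example.net.", "NS2.example.net"], ["192.0.2.10"]),
    "mail.example": Snapshot.of(["ns1.example.net", "ns2.example.net"], ["192.0.2.20"]),
    "blog.example": Snapshot.of(["ns1.example.net"], ["192.0.2.30"]),
}
OBSERVED = {
    "shop.example": Snapshot.of(["ns1.example.org", "ns2.example.org"], ["198.51.100.7"]),
    "mail.example": Snapshot.of(["NS1.EXAMPLE.NET.", "ns2.example.net."], ["192.0.2.20"]),
    "blog.example": Snapshot.of(["ns1.example.net"], ["203.0.113.5"]),
}

if __name__ == "__main__":
    for domain, (sev, detail) in sorted(check_domains(BASELINE, OBSERVED).items()):
        print(f"{sev:6} {domain}: {detail}")
```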
Registrar Security Posture
• We’ve come a long way
• We’ve still got a long way to go…
• Attacks now being directed against registrars and DNS infrastructure providers
• Mindset change about the Internet
Protecting Critical Infrastructure
• DNS control is fundamental – recent attacks have proven this repeatedly
• Areas to address for best practices/policy/self-regulation
  – Protecting access and control systems
  – Preventing criminal exploitation of systems
  – Monitoring for attacks and exploit attempts
  – Incident response
  – Assist with industry and LE efforts
Summary
• APWG continues to drive initiatives to improve Internet security and trust
  – Engaging ICANN community to develop collaborative solutions
• Criminals continue to exploit “weak links”
  – Sophisticated use of DNS for attacks
  – Direct attacks against registrars and infrastructure providers
• Change in attitude on DNS security underway?
For More Information
Studies and Registrars Best Practices’ document posted at:
• http://www.awpg.org/
• Rod Rasmussen, Internet Identity
  rod.rasmussen <at> internetidentity.com
• +1 253 590 4100