Analysis 2H2009: .be and .eu domain extensions were the hardest hit by phishers among the big domain zones

That is what one can conclude from the published report. I am curious what the response will be.

First, I also want to make clear that each report should be published together with more methodological data (because the methodology can change between editions) to be fully professional, and that clear, scientific definitions and comparisons between the different datasets are necessary for a good understanding. Nonetheless, the report gives us some clear indications, and these indications can be coupled with other information.

APWG (the Anti-Phishing Working Group) is the international organisation that coordinates and analyzes the fight against phishing: the stealing of customer logins, for example for banks, by setting up fake login pages and mailing links to them under the guise of so-called security alerts. Their reports about the state of phishing in the world (published per half-year, hence "2H2009") are based on one of the most complete global databases around, thanks to the collaboration with many local and other initiatives.

The researchers make a distinction between a phishing host and a phishing attack, because one phishing host can host many attacks against the same or different institutions. For that reason it is important to bring down phishing hosts as quickly as possible: not only to limit the number of victims, but also to limit the number of attacks. As the phishing hosts may be part of a fast-flux botnet, it becomes more difficult for the botnet master to coordinate new, more sophisticated attacks if his phishing hosts are brought down and cleaned up.

The main conclusion of the research is that more than half of all phishing attacks in the world in 2009 could be attributed to one group, called the Avalanche gang. They professionalized the tactics of the Storm gang by using fast-flux hosting on infected computers around the world, with domain names bought from registries and registrars that don't care much about security. In the second half of 2009 the gang was responsible for about two thirds of all phishing attacks, because each of its phishing domains hosted around 40 phishing attacks. It then had to change tactics and reduced its number of attacks after one of its main control centres was brought down: the criminal ISP hosting it was cut off from the internet by its peers (the other ISPs refused to accept traffic from it or to send traffic to it). The effect of that action was dramatic but limited in time.

Fast-flux attacks don't use a one domain, one server architecture. Instead the domain name is made to resolve to tens or hundreds of infected PCs or hacked servers around the world, and the addresses it resolves to keep changing. This means it is no use to bring down a single physical server, because the domain name will simply pop up on another machine somewhere else in the world. The only way to take down such a domain is to suspend the domain name itself at the registry that is responsible for the domain zone.

In global numbers, nearly 60,000 domains were used for phishing per year since 2008, registered under more than 300 different TLDs (but mainly under five of them). In 2009 they served about 180,000 attacks, or roughly three attacks per domain on average; the Avalanche gang alone targeted the customers of about 40 financial institutions.

IDN homograph attacks (in which look-alike characters from other scripts are substituted into a domain name to confuse the user) were seldom used, and only about 5,000 to 6,000 phishing sites were hosted on a bare IP address rather than on a domain name.

The Avalanche gang tested and selected domain registrars to see how long it would take them to suspend its fast-flux phishing domain names. These domain names were often just a series of letters and numbers, varied a little bit from one to the next, and frequently registered under several domain extensions at once. We saw it here quite often with the .be and .eu domain extensions. A cross-check between domain extensions would have caught this: once one domain is a clear phisher under one extension, comparing its whois data and a screenshot against the registrations under other extensions would have shown up the sibling phishing hosts, and all of these checks could be automated.

Several registries have strengthened their security and take-down procedures because of these attacks. This was the case for several big registries (.biz, .info, .org, .uk) and for some small ones after they were attacked (such as .hn and .im).

By April 2010 the Avalanche gang seemed to have scaled down its operation quite dramatically. From 12,793 attacks on 498 domains in July 2009, the gang was responsible for only 59 attacks on 59 phishing hosts in April 2010. The real question remains the same as when the Storm spam gang disappeared: what or who is next? There is a lot of talk about the Canadian Pharmacy spam gang nowadays.

The report notes that the life cycle of the Avalanche fast-flux phishing hosts was shorter than that of the other phishing hosts, because of the attention everyone was paying to this gang. But in other professional anti-phishing literature you read that a phishing host has to be taken down within 4 hours, because most victims are made within 4 hours of the launch of the spam run that advertises the phishing domain.

This is far from being the case, but the numbers are difficult to interpret because they may be skewed by some domain extensions, ISPs or hosts that don't react quickly, if at all. The numbers would be even more interesting if they were cleaned of phishing hosts at criminal ISPs that openly advertise that they don't take down any criminal website (bullet-proof hosting). Nevertheless, the median time needed to bring down a phishing host is still nearly 12 hours. That is 8 hours too long to make online phishing ineffective. If you want to discourage online phishers, you should invest your main resources in fast response and take-down.

Because the difference between the Avalanche gang's fast-flux phishing domains and all the others is so large, a single figure for all phishing domains is not meaningful; the two groups have to be looked at separately.

The median uptime of Avalanche phishing domains under .be is still 10 hours, which ranks 6th of the 9 domain extensions that hosted the most Avalanche phishing domains in the second half of 2009. Note that three big domain extensions (.cn, .info and .org) kept this uptime under or just above 4 hours.

This is not at all the case for the other phishing attacks, where NOT one domain extension brings down the phishing host within that timeframe. The best is .info with 10 hours, which is still 6 hours beyond the 4-hour window (most of a working day) to bring down a non-Avalanche phishing host. The .be extension needs more than 20 hours (median time) to bring down a phishing host, which is the 9th slowest of the 10 main domain extensions with phishing hosts. The .eu extension is LAST: it needs 22 hours to bring down a phishing host that is not from the Avalanche gang (and there were very few of those, which means that most of these hosts took a very long time). The .eu extension is also LAST in bringing down Avalanche phishing domains, which shows that even when it was heavily abused it did not set up the fast tracks needed to fend off the attackers and discourage them. As the internet is the Wild West, the best defence for now is to fend off the attacker in the hope that he will concentrate on another victim that hasn't put as much time and money into security.

One should remember that taking down the domain name is the ONLY way to deactivate a phishing host when the phishers use a fast-flux botnet. With fast-flux hosting the domain name points to a different server in a different country every so many visits or minutes. This is done by an infrastructure of name servers and procedures set up by the botnet and by the malware on the individual zombie hosts. It makes it more or less impossible for law enforcement to bring down phishing domains by taking down one server or one infected PC. They have to hit the core: either the botnet infrastructure (or its criminal ISP) or the domain names themselves, in the zone of the domain extension at the registry.
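The fast-flux behaviour described here, and in the earlier paragraph on why taking down one server is useless, shows up on the resolver side as a name that keeps returning fresh addresses in unrelated networks with short TTLs. The Python below is an added example for this post, not code from the APWG report, a registry or the FCCU. The DNS answers it scores are constructed sample data, and the thresholds (a TTL of 300 s or less, at least 10 distinct addresses spread over at least 5 distinct /16 networks) are assumptions a real deployment would tune. It also carries the usual false positive: a CDN name that rotates addresses on a short TTL but stays inside one network, which must not be flagged.

```python
"""Heuristic fast-flux detector over repeated DNS lookups of the same names.

Added example for this post; not code from the APWG report, a registry or the
FCCU.  All DNS answers below are constructed sample data, not captures.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Answer:
    """One DNS response for a name: its TTL and the A records it carried."""
    domain: str
    ttl: int          # seconds a resolver may cache the answer
    ips: tuple        # A records in this single response


def flux_profile(answers):
    """Aggregate every lookup of each name into a few per-name features."""
    by_domain = defaultdict(list)
    for ans in answers:
        by_domain[ans.domain].append(ans)
    profile = {}
    for domain, rows in by_domain.items():
        ips = {ip for row in rows for ip in row.ips}
        # /16 is a crude stand-in for "a different network": infected home PCs
        # behind a flux name sit in many unrelated ISP ranges, a CDN usually not.
        nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        profile[domain] = {
            "lookups": len(rows),
            "unique_ips": len(ips),
            "unique_nets": len(nets),
            "min_ttl": min(row.ttl for row in rows),
        }
    return profile


def is_fast_flux(features, max_ttl=300, min_ips=10, min_nets=5):
    """Flag names that churn through many addresses in many networks on short TTLs.

    The thresholds are assumptions for this example; tune them on real traffic.
    """
    return (features["min_ttl"] <= max_ttl
            and features["unique_ips"] >= min_ips
            and features["unique_nets"] >= min_nets)


def classify(answers, **thresholds):
    """Map each name seen in `answers` to True (looks fast-flux) or False."""
    return {d: is_fast_flux(f, **thresholds) for d, f in flux_profile(answers).items()}


# Constructed sample traffic: six lookups of each name a few minutes apart.
# A flux name: every answer carries five fresh addresses in five different
# (private, clearly made-up) /16 networks with a 180 s TTL.
FLUX = [Answer("x7k2q9.example", 180, tuple(f"10.{5 * i + j}.{j}.1" for j in range(5)))
        for i in range(6)]
# A CDN-style name: short TTL and rotating addresses, but all inside one /24.
CDN = [Answer("static.example", 60, tuple(f"203.0.113.{(3 * i + j) % 8}" for j in range(3)))
       for i in range(6)]
# An ordinary bank site: one address, long TTL.
BANK = [Answer("bank.example", 3600, ("192.0.2.10",)) for _ in range(6)]

SAMPLE_ANSWERS = FLUX + CDN + BANK


def demo():
    """Score the constructed sample; only the flux name should be flagged."""
    return classify(SAMPLE_ANSWERS)


if __name__ == "__main__":
    features = flux_profile(SAMPLE_ANSWERS)
    for name, flagged in demo().items():
        print(f"{name:20} {'FAST-FLUX' if flagged else 'ok':10} {features[name]}")
```

The point of the three-way split is that a short TTL alone proves nothing: the CDN name has the shortest TTL of the three and still rotates through eight addresses, but all of them sit in one network, so only the name that spreads over dozens of unrelated ranges is flagged. Run against real resolver logs, the same profile is what a registry or CERT can attach to a take-down request as evidence that suspending the name, not the hosts, is the only option.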

This blog was active in pushing the FCCU, in bringing down a number of fast-flux domains under .be and in trying to convince them to set up a fast track between them. But it is clear that a more permanent and automated system is necessary. At the time this blog said that the reputation of the .be domain extension as such was at stake if no drastic action was taken. What was surprising was that most of the information in the whois (the identification of the owner) seemed false or needed verification before activation. This process can also be automated: checking telephone numbers against countries and checking the e-mail addresses can be automated, for example. At the time a process was put in place by which the cyber police FCCU contacted the justice department with a standardized request to take down a fast-flux phishing domain, based on the Belgian cybercrime law (I suppose), which was sent to DNS.BE after signature by a judge for the effective take-down (or should we say blocking) of the respective domain names in the root server of the .be domain extension.
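The cross-check suggested earlier for Avalanche's near-identical labels registered across .be, .eu and other extensions, and the whois plausibility checks mentioned in the paragraph above, can both be scripted against a registry database. The Python below is an added example for this post, not tooling from DNS.BE, EURid, APWG or the FCCU. The registration records, the confirmed phishing domain and the small calling-code table are constructed for the example. Checking that a contact e-mail address actually exists needs a live lookup and is left out here.

```python
"""Registration cross-checks a registry could run once one phishing domain is confirmed.

Added example for this post; not code from DNS.BE, EURid, APWG or the FCCU.
The registration records and the calling-code table are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """One row as a registry (or a cross-registry feed) would hold it."""
    label: str     # part before the dot, e.g. "kf4z7xq"
    tld: str       # "be", "eu", "info", ...
    email: str     # registrant contact as given in whois
    phone: str     # registrant phone as given in whois, "+" plus digits
    country: str   # registrant country as stated, ISO 3166 alpha-2

    @property
    def name(self):
        return f"{self.label}.{self.tld}"


# Only the calling codes the sample needs; a real check uses the full ITU table.
CALLING_CODES = {"BE": "32", "NL": "31", "DE": "49", "US": "1", "RU": "7"}


def phone_matches_country(reg):
    """Does the phone number's country code agree with the stated country?"""
    code = CALLING_CODES.get(reg.country)
    return code is not None and reg.phone.lstrip("+").startswith(code)


def whois_inconsistencies(registry):
    """Names whose stated country and phone number contradict each other."""
    return [reg.name for reg in registry if not phone_matches_country(reg)]


def label_distance(a, b):
    """Levenshtein edit distance; Avalanche labels varied by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def related_registrations(seed, registry, max_distance=2):
    """Find siblings of one confirmed phishing domain across all extensions.

    Returns {name: [reasons]} for every other registration that shares contact
    data with the seed, reuses its label under another TLD, or has a label
    within `max_distance` edits of it.  Shared contact data is the strong
    signal; a label-only match on a short label is weak, so it is only
    reported for labels of at least six characters.
    """
    hits = {}
    for reg in registry:
        if reg.name == seed.name:
            continue
        reasons = []
        if reg.email == seed.email:
            reasons.append("same contact e-mail")
        if reg.phone == seed.phone:
            reasons.append("same contact phone")
        dist = label_distance(reg.label, seed.label)
        if dist == 0:
            reasons.append("same label under another TLD")
        elif dist <= max_distance and min(len(reg.label), len(seed.label)) >= 6:
            reasons.append(f"label within {dist} edit(s)")
        if reasons:
            hits[reg.name] = reasons
    return hits


# Constructed registry extract.  The phishing labels are random-looking strings
# registered in a small batch across extensions, with a +7 phone number behind
# a stated Belgian address; the bakery and the Dutch shop are ordinary customers.
REGISTRY = [
    Registration("kf4z7xq", "be", "jdoe@mail.example", "+79001234567", "BE"),
    Registration("kf4z7xq", "eu", "jdoe@mail.example", "+79001234567", "BE"),
    Registration("kf4z7xq", "info", "jdoe@mail.example", "+79001234567", "BE"),
    Registration("kf4z7xr", "be", "other@mail.example", "+79001234568", "BE"),
    Registration("brusselsbakery", "be", "bakery@mail.example", "+3221234567", "BE"),
    Registration("mijnwinkel", "nl", "shop@mail.example", "+31201234567", "NL"),
]
SEED = REGISTRY[0]   # the one domain a take-down request was received for


if __name__ == "__main__":
    for name, reasons in related_registrations(SEED, REGISTRY).items():
        print(name, "->", "; ".join(reasons))
    print("whois contradictions:", whois_inconsistencies(REGISTRY))
```

Two things are worth noticing when this runs. The same label under .eu and .info is caught three times over (e-mail, phone and label), so one confirmed take-down immediately yields two more candidates under other extensions without waiting for a second complaint. And the phone-versus-country check flags the whole batch at registration time, before any phishing page exists, which is exactly the "verification before activation" the paragraph above asks for; the legitimate Belgian and Dutch registrations pass it untouched.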

When we look now at the numbers and at the time needed for a take-down, it is clear that those efforts may have been gigantic and effective at the time, but they have since been surpassed by those of a whole series of other domain extensions. The net effect is that as the other domain extensions became less interesting, the .eu and .be extensions became increasingly more interesting. It didn't help .be that it is often sold together with .eu, and that the main online crime gangs already had experience with .be from the period in which they could try it completely free for a year. As this blogger discovered at the time, that campaign was abused by international crime gangs to infiltrate the Belgian web space. If such a campaign were relaunched today the effects would be even more disastrous, because the online crime world is much better organized and more experienced than ever before, thanks to all the money it has amassed over the last years.

If you look at the number of phishing domains under each of the main domain extensions used by phishers worldwide in the second half of 2009, you will see clearly that the .be and .eu extensions were at that time the criminals' favourites. There are practical reasons for that. You don't need to live in Belgium to register a .be domain name, and registration is almost fully automated, with few checks. The domain name is activated immediately, which leaves you, over a weekend for example, ample opportunity to launch a phishing campaign without being taken down within 4 hours. And even on working days it takes roughly 10 hours to get one taken down.

When we analyze the numbers we can conclude the following for the .be domain (the numbers are even worse for the .eu domain extension).

Among all domain extensions in the world, .be was in the second half of 2009, with 297 unique .be phishing domains, the 6th domain extension worldwide by number of unique domain names registered solely for phishing; 287 of these were registered by the Avalanche gang, which makes .be the 4th most-used domain extension worldwide for that gang.

These .be domains were used by the Avalanche gang for 915 attacks against the users of 40 financial institutions. This means that the Belgian .be domain space was 9th worldwide in the number of such attacks by the Avalanche gang. I am not sure that we should be proud of that.

I know some will say that even these numbers are very limited as a share of the whole (we had nearly 1 million .be domain names at that time), but APWG's metric is phishing domains per 10,000 registered domains, precisely so that it is independent of the size of the domain extension, and a score above the report's worldwide median of 2.9 is a warning sign. For .be it is about 3.1 (297 phishing domains on nearly a million registrations). ICANN has also issued several alarms in 2009 and has tried to help several registrars to stop the infiltration. Several domain extensions have taken drastic action in 2009 and 2010 (.ru, .hk and .cn) to stop the flood of domain names registered for malicious use. It is time for .be to take appropriate action in its marketplace if it doesn't want to be seen as a dangerous domain by firewalls (which now block on domain extension and geography) and malware reputation tools.

In that respect one can say that .be has passed 1 million domains, but that only makes the problem worse. If we exclude all the smaller domain extensions and consider only those with nearly a million domains or more, then .eu and .be were the extensions most used by phishers in proportion to their size. It means that if you want to play in the garden of the big boys, you will have to change the way you do things, take on new responsibilities and invest enough to keep the domain extension safe.

When you have that many users and investors you are morally obliged to invest much more in security and to make it an obligation throughout your organisation and operation, even if some people and vested interests haven't made the mental switch yet. It is no longer possible to block a domain extension with one million domains, but the loss would be enormous if that were to happen more and more, if more and more enterprises and networks all over the world started asking: do we need websites from Belgium if all that malware and phishing keeps spreading over its domains? For 95% of the internet the .be domains are not necessary, and most of the important .be domains have also bought other domain extensions and can switch their main focus easily.

And what would it take? Look at the numbers. We are talking about a total of nearly 300 domains in 6 months, which means about 50 a month, or nearly two take-downs from the central DNS a day. And even that overstates it, because those domains are registered in small batches that are not so difficult to spot in the registration database (for insiders). With backup and so on, you would in fact need two to three take-down officers who follow up all incoming requests and forward them to the CERT for verification if not enough proof is attached, or to the FCCU if they come from certified security sources. It is not that these security researchers wouldn't be willing to work with official bodies to take down these sites immediately, as long as they see an immediate effect.

So you have the 1 million domains, you have new management, and now it is time to show that you are ready to make the .be domain extension one where it is "safe to .be" (copyright).
