APWG Global Phishing Survey 2H2011: Trends both encouraging and disturbing

Colleagues Greg Aaron and Rod Rasmussen have published the 2H2011 APWG study on global phishing trends. Some of the major findings from the report are encouraging. The average up time for phishing attacks has noticeably decreased, down from 73 hours in 2H2010 to a much improved 46 hours in 2H2011, with a median uptime of 11 hours. Most of the damage a phish inflicts occurs in the first two days of a campaign so the dramatic improvement in the average uptime is welcomed. While the median uptime for 2H2011 is roughly the same as 2H2011 and more improvement would be welcome (the 11 hours is a larger window than a suggested 4 hours, see Clayton2009, Moore2008) .

Also encouraging finding is that the number of brands targeted by phishers decreased. Well, this is at least encouraging to those brands that fell off the phishers' radars.  Those that remained targeted, however, are weathering a storm. Greg and Rod comment that "phishers launched fewer attacks on such targets through 2011, concentrating on larger, more prominent targets. We believe they did so because:

1. "There is less money to be made off the smaller targets. It is easier for phishers to sell stolen credentials associated with more popular institutions.
2. "Phishers advertise via spam. It is less efficient for them to spam out lures related to smaller targets, unless the phishers possesses a qualified list of e-mail addresses.
3. "There is a growing emphasis on gaining access to e-mail accounts, which enable phishers to spam from whitelisted services such as Gmail, Hotmail, and so on."

CNNIC, APAC Join the Hunt

The staff at China Internet Network Information Center (CNNIC) and the Anti-Phishing Alliance of Chine (APAC) provided more information about Chinese phishing than was available for prior surveys. These data allowed Greg and Rod to call attention to behaviors unique to Chinese phishers, who prefer to use malicious registrations to host phishing attacks, for example, than to host phishing URLs on compromised servers. The data also show Taobao.com as second only to PayPal as the most targeted brand.

Whois from Domain Tools

The 2H2011 Survey is the first in this series to analyze where phishers register domain names. This kind of analysis relies on acquiring the Whois records that reflect the registration data that was used by the phisher at the time of registration. This analysis was made possible via WHOIS data captured byDomainTools.com. Domain Tools attempts to maintain histories of registration records from the time of domain name creation, so their contribution was critical to this analysis. The scores for registrars with more than 25 phishing domains and 1000 domains (from the Report):

Subdomain registrations: 'told you so...

In November 2008, Rod Rasmussen and I published an APWG report, Making Waves in the Phisher’ Safest Harbors: Exposing the Dark Side of Subdomain Registries, where we observed that phishers were beginning to use what subdomain registrations to host phish sites. We discussed measures individuals and organizations can consider if they opt to make these harbors less attractive and effective to phishers. Apparently, few people paid attention, because phishers registered more subdomains in 2H2012 than domain names.

As with all the bi-annual reports of this series, Global Phishing Survey: Domain Name Use and Trends in 2H2011 analyzes data from multiple phish reporting and monitoring resources to assess phishing and e-criminal activity. Greg and Rod are also able to use past survey results to illustrate trends that reports from anti-malware companies often do not include.

The report is always worth reading in its entirety. It's always done professionally, with great attention to detail and a disciplined approach to intepreting data that is hard to find and easy to admire.

Domain Name Seizures Prominent in Dismantling the ZeuS botnet

On 19 March 2012 Microsoft, FS-ISAC , and NACHA filed a Complaint with the US District Court, Eastern District of New York, against thirty nine John Doe defendants who allegedly participated in a criminal enterprise, the Zeus botnet.

Microsoft alleges that ZeuS botnets have purportedly infected an estimated 13 million PCs and have been used to steal over $100M during the past five years. The official Microsoft blog post provides a summary of Operation b71, which involved seizures by US Marshalls of command and control servers in Scranton, PA and Lombard, IL., sinkholing of traffic for subsequent analysis, and the seizure of Harmful Domains and IP addresses used to manage and operate the criminal botnet infrastructure.

Photo by ElDave

Gary Warner and Brian Krebs have again posted excellent analyses of the ZeuS botnet takedown.  Rather than duplicate their efforts,  I’ll instead highlight what I thought to be aspects of the ZeuS Complaint that went beyond actions from earlier takedowns (see Coreflood). I’ll then focus on the seizure of Harmful Domains and comment on the value of providing complete and accurate DNS, Whois, and registry information in legal orders. 

The Complaint and the xTRO 

Microsoft, FC-ISAC, and NACHA identify the 39 John Doe Defendants by their fictitious names: the user IDs of email addresses of the defendants found in Whois records for the thousands of domains enumerated in the Complaint. The claims for relief include the usual suspects Microsoft has included in prior complaints against Rustock, Coreflood or Kelihos: computer fraud or abuse, spam, electronic communications privacy violations, trademark or Lanham Act violations, trespass, unjust enrichment...

New among the claims for relief is the allegation that the 39 defendants acted in concert and conspiracy and thus violated the RICO (Racketeer Influenced and Corrupt Organizations) Act.

John Does 1-3 are alleged to have organized the racketeering enterprise and John Does 4-39 to have contributed various skills to the enterprise: botnet, exploit, and web software development, mule recruiting, botnet and hosting administration, domain and IP registrations.  Botnet customers and "cash out" operators who sold credit card and credentials obtained via infected PCs were also listed.

The Complaint thus alleges that certain defendants conspired as a group to construct the botnet, others used (“leased”) to commit criminal acts, and still others turned stolen properties into cash.

The Temporary Restraining Order is ex parte because the fraudulently composed Whois records are the only identification available to the plaintiffs.The Court accepted the plaintiffs' claims that harms cited in the Complaint will continue unless the defendants are restrained, and ordered simultaneous actions at hosting companies (Continuum Data Center LLC and Burstnet Technologies, Inc.) 'to disable and seize servers and associated stored data' at hosting centers and to monitor and collect traffic for analysis.

Photo by xfordy

John Doe Defendants

The Court also ordered domain registries with US presence to assist in discovering the true identities of John Does 1-39, redirect traffic to servers at a Microsoft secured IP address and to disable Defendants' IP addresses.

It's noteworthy that the order sought to minimize collateral damage to parties that are not named as defendants but are affected by the seizure of equipment and disconnects.

Seizing Harmful Domains

Domain names and name servers play a prominent roles in the ZeuS criminal enterprises. "eCrime" name servers operated by criminals are used to resolve host names for command and control servers and for servers that host ZeuS files.  In Guidance for Preparing Domain Name Orders, Seizures & Takedowns, I explain that providing complete and unambiguous information to domain name registration providers can prevent confusion or delay, and may help prevent or minimize collateral damage. The ZeuS xTRO is a good case study for why I believe this guidance paper is important. 

In my thought paper, I point out that seizures typically instruct registries or registrars to modify the TLD zone file, the domain name registration record (and what is displayed by Whois), and the registry database (of domain names). In the ZeuS botnet xTRO, the Plaintiffs instruct the TLD registry operators to take the following action:

"2. For currently registered domains, the domain name registrant information and point of contact shall not be changed and associated WHOIS information shall not be changed;

"3. Domain names shall not be deleted or otherwise made available for registration by any party, but rather should remain active and redirected to IP address 199.2.137.141;

"4. Domain names shall not be transfered to any other person or registrar, pending further notice from the court.

"5. The Registries shall assume authority for name resolution of domain names to IP address 199.2.137.141 using the name servers of the Registries;

"6. Name resolution services shall not be suspended"

Instruction (2) is clear with respect to preserving registrant and point of contact information, but a consequence of saying only that "associated WHOIS information shall not be changed" is that some of the Whois returned is exactly what was in the registration data "pre-seizure",some of the Whois returned has the registrant/contact information the same as "pre-seizure" but the name server information is changed to NS1.MICROSOFTINTERNETSAFETY.NET, and Whois for some (try FILMV.NET) returns conflicting NS data from the the "thin" .NET registry and the sponsoring registrar. These inconsistencies might have been prevented if specific instructions for how name server information associated with the domain name had been provided.

(3) and (4) instruct registries or registrars to set domain status codes. These are adequately clear, but to eliminate any ambiguity, the order might have specified the exact EPP Status Codes for both registrar (client) and registry (server).

(3) further instructs the registries to keep the domain names "active and redirected to IP address 199.2.137.141." Neither instructions (3) nor (5) make clear whether the Plaintiffs are asking for changes to TLD name server configuration, name service for each domain name listed in the Complaint, or hosting, so they could be interpreted to mean that the registries are supposed to modify the name server configuration information ("glue") in the TLD zone file. They could also mean that Registries should provide name resolution for the Harmful Domains (which would be well out of scope).

A DNS lookup using the dig command shows that 199.2.137.141 is asssociated with a name server, NS1.MICROSOFTINTERNETSAFETY.NET.  In this case it was easy to deduce that the Plaintiffs' intention was that Microsoft was to act as the authority for the nameservers and would provide authoritative name resolution for the domains from a name server operating at IP address 199.2.137.141. In other (future) cases, orders could more accurately say "we want TLD name servers to be configured so that the authoritative name server for all the Harmful Domains listed in the Complaint is NS1.MICROSOFTINTERNETSAFETY.NET/199.2.137.141". The Plaintiffs are then in a position to decide whether to host zone data for the Harmful Domains or to return NXDOMAIN for hosts in the Harmful Domains".

(6) instructs that "name resolution services shall not be suspended". A random sample of the names in the xTRO shows that some return non-existent domain (NXDOMAIN) and some timeout without a response. So by some definition, either (6) was not executed properly by some parties subject to the order but the instruction did not make clear whether "name resolution services" applied to the TLD, which is responsible for identfying the name server(s) associated with the Harmful Domains listed in the Complaint, or resolution of host names associated with the Harmful Domains.

Closing remarks

Inaccuracies and ambiguities are not uncommon in legal orders, in part because the courts or plaintiffs are unfamiliar with the DNS or domain registrations, are imprecise when using domain name-related technology, operations, and terminology, or pressed for time. Checklists like those provided in Guidance for Preparing Domain Name Orders, Seizures & Takedowns may be beneficial in minimizing omissions and inaccuracies. 

David Dittrich has written a brilliant post on the Zeus botnet civil action entitled Thoughts on the Microsoft "Operation b71". One of the points he makes dovetails nicely with what I've discussed here:

"The act of writing up a complaint, backing it up with declarations in support of the plaintiff's motions, and having a federal judge review and grant plaintiff's motions is a very clear, very thorough, and very public justification for taking bold action. This process explains of who is being harmed, how they are being harmed, what can be done to stop the harm, and why the court should grant the plaintiff's motions. If this were a federally funded research study on developing a treatment for a disease, it is this level of detail that must be provided in order to get approval from ethics review boards. If we require such justification of doctors doing risky medical research that can harm us, why should we not have to similarly justify risky actions we take to resolve infected computers? This is the kind of standard that is warranted in order to show defensible justification for taking risky and aggressive action, before such action is initiated."

A late, final word

A recent analysis of operation b71 by Michael Sandee calls attention to the easily overlooked issue that collateral damage is not limited to suspending or making legitimate domains or web sites unreachable. A criminal enterprise the size of ZeuS will no doubt be the target for numerous investigations. Absent sufficient information sharing, cooperation, coordination and trust among investigating parties, there is too much room for error or interference, and one party's success can hamper the erstwhile and equally important efforts of others. Looking ahead, providing clear instructions for domain registries or registrars can be an important part of the level of detail that Dittrich insists must be provided.  Coupling this with the kinds of reasonable efforts Sandee encourages to verify that domains listed in complaints are "harmful" when the legal orders are executed is equally important to minimize collateral damage.

Presentation: Guidance for Preparing Domain Name Orders, Seizures & Takedowns

Here is a copy of my presentation, Guidance for Preparing Domain Name Orders, Seizures & Takedowns. The thought paper can be found here.

Thought paper on Domain Name Seizures

This post was originally made 8 March 2012 and was revised 16 March 2012.

On behalf of the ICANN Security Team, I've written a paper that offers guidelines for anyone who prepares or contributes to the preparation of legal orders that include domain name seizuress, modifications of DNS configurations, or domain name registration transfers.

The paper offers a technical and operational perspective, based on input and insights collected from a variety of sources, including law enforcement agents, security professionals, TLD registry and registrar technical staff and others who are familiar with  the business or legal aspects of operating DNS or domain registration services.  Several of the contributors had first-hand experience in dealing with the botnet dismantling operations in 2011 (Rustock, Coreflood, Kelihos).

The primary purpose of the paper is to help folks ask the right questions and gather the right information as they prepare a court order, to make clear exactly what actions the issuer expects. The paper assumes that a court may serve registries or registrars with an order and that they often comply. It also explains how three sets of data that are critical to the Internet's name system - DNS, registry databases, and Whois - will be affected when the order is satisfied. Asking certain questions during preparation will increase the likelihood that the information made available to registries or registrars will be sufficient for them to comply with the order. The answers will also make clear what terms like  "takedown" or "seizure" mean to the issuer.  

The announcement and the thought paper itself are hosted at ICANN's web site. 

Are you "pro takedown"?

Despite my attempt to place the paper in a non-legal context, and despite assertions here and elsewhere that the paper does not discuss whether or not a takedown or seizure is constitutional, meets due process criteria, some comments accuse me of being pro censorship and ICANN of capitulating to government control.

Rather than immediately reacting by defending the paper, I and others decided to let the "thought paper" stimulate thought. Several comments posted subsequent to the criticisms correct certain misconceptions as well or better than I might have. A comment from Elgin correctly dismisses the notion that the paper endorses domain seizures, saying,

"The paper is not an endorsement of seizures, and has nothing to do with ICANN being a party to such. It merely acknowledges that court orders are issued regarding domain names, and that people issuing those orders need to understand how domain names and DNS work so they don’t get things wrong and cause collateral damage."

Thank you, Elgin. This is exactly what was intended.

A comment from Franck makes a complementary observation that,

"This document does not encourage nor discourage take downs, it just says, if you want to do it, here is the information to provide to have the request considered in a timely manner... This will help normalize the process and hopefully avoid silly things like SOPA."

Thanks, Franck. Friends and followers who read my blog are familiar with my opposition to SOPA. I sincerely hope that the thought paper will help people work with existing legislation rather than create new, misguided legislation. 

Rod Rasmussen's comment confirms that the desire to minimize collateral damage is clear in the thought paper:

"Providing guidance for being precise in what is requested and who it is requested of (whether it’s a registrar or registry) is vitally important to allow law enforcement, prosecutors, judges, and others to do their jobs appropriately and without harm to the greater community... this document simply tries to assist the court or whoever is making a request to be more precise, and should be invaluable to help get things done right, and avoid some of the very bad effects we’ve seen with some court sanctioned take-downs that have done harm to other innocent parties "

I wrote about one of those bad effects in an earlier post (JotForm).  It's important to recognize that today, courts serve registries and registrars with  legal or regulatory orders that request changes to the DNS, Whois, or domain name registrations. Providing preparers of such orders with a list of questions to consider during preparation that aso illustrates how orders affect the Internet name system may result in more thoughtful preparation, execution, or less collateral damage.

I want to thank everyone who read the paper thoroughly and thoughtfully. I'm encouraged that the positive remarks posted at the ICANN blog as well as those I've received directly come from people who have to deal with seizures at ground zero.

Domain Name System welcomes #313

With the addition of the IDN string қаз (Kazakhstan), the number of IDN and country code Top Level Domains has reached 280. The total number of TLDs, including Latin and non-Latin (IDN) country codes, generic and special purpose, is now 313. The number 313, of course, has the distinction of being a palindromic number, which is certainly cause for celebration. 

Total Number of Top Level Domains (TLDs)

Graphic courtesy of Kim Davies, ICANN

Is Jotform a poster child for domain shutdown overkill?

JotForm, like so many domains, is a multi-user site; specifically, the site provides a web developer community with a way to create and share web forms.  On 15 February, co-founder Aytekin Tank posted the following on the JotForm blog:

"As a part of an ongoing investigation about a content posted in our site, a US government agency has temporarily suspended our jotform.com domain. We are fully cooperating with them, but it is not possible to say when the domain would be unblocked."

The details of the investigation are covered elsewhere, but for the sake of summary, reports (1,2) claim that a Secret Service agent asked (or ordered) GoDaddy to suspend name resolution for jotform.com. GoDaddy allegedly complied with this request without a court order. JotForm.com went dark, and according to Aytekin Tank, without notice.

Registrars or registries do take actions against registrants who violate acceptable use or terms of service, or when law enforcement or security practitioners involved in anticrime, antiphishing, or antispam present compelling data that expose criminal acts. Internet users mostly benefit from these actions. I'm an advocate of this practice, which is usually highly efficient and protective of the rights of domain holders and Internet users.

Collateral Damage in Virtual Space

Without commenting on whether GoDaddy or the Secret Service correctly handled the event, JotForm gives us a concrete and timely example of a domain name suspension with collateral damage to study. Let's  take a moment to consider how legislation that would compel providers to respond to every request of the JotForm kind would play out if passed, and how differently the reaction might be were a similar law enacted in the physical world.

In this event, name resolution for JotForm.com was suspended to prevent a JotForm user from making an alleged phishing web form available. This action did more than this. It blocked every JotForm user from creating, sharing and utilizing web forms for legitimate purposes. This is a fairly draconian act but acts of this kind are easily trivialized by anti-piracy advocates because the collateral damage can be dismissed by phrases like "it's just users" or "what's the fuss, it's just one domain name".

Collateral Damage in Meat Space

Let's consider how a similar event would play out in meatspace. An occupant of a multi-tenant dwelling is suspected of printing music CDs in his apartment. Under a Stop Piracy In MeatSpace act, the apartment building landlord receives an order to bar the building's entry doors to prevent the "pirate" tenant from entering his apartment, gaining access to (and perhaps destroying his stash of) illegal music CDs. 

Is this any more draconian than an online piracy act? Does "it's just tenants" and "it's just a single building" sound reasonable? Constitutional?  Would any politician support such legislation in the physical world?

No, no, and no. Whether virtual space or meatspace, we must exercise care in drafting legislation so that it is "scalpel" precise.

One congressman's opposition to SOPA worth noting

On November 16, 2011, during a House Judiciary Committee hearing, Senator Ron Wyden asked that he be permitted to include a statement opposing the Stop Online Piracy Act. The full statement is published as a press release at Senator Wyden's web site. It is a thoughtful and carefully constructed expression of concern regarding SOPA and PIPA.  In his closing statements, Senator Wyden asks that members of Congress respect the following principles:

Photo by DonkeyHotey

"1.  Be deliberate.   While rights holders and law enforcement are understandably eager to go after bad actors, we must be mindful of the precedents we set here at home, and around the world. 

"2.  Get the scope right.  Narrowly focus law enforcement’s authority on those who are willfully and deliberately breaking the law or infringing on others’ property rights for commercial gain. 

"3.  Avoid collateral damage.  Rather than frustrating the architecture of the Internet or establishing a censoring regime, consider instead promoting approaches that empower users and do no harm to the ‘Net.  More simply, fish for tuna without catching dolphins. 

"4.   Promote innovation over litigation.  Our efforts should be to protect copyrights and trademarks, not outdated business models."

These principles align very closely with an Advisory my SSAC colleagues and I prepared entitled DNS Blocking: Benefits Versus Harms. In our Advisory, we explain circumstances and care exercised where DNS blocking is used today and recommend these as principles to guide any blocking actions. Reworded slightly from the Advisory, the principles Congress should consider follow:

1. Only imposelegislation on a network and users over which you exercise control.

2. Determine that the legislation serves the objectives and/or the interests of your citizens.

3. Implement the legislation using a technique that is least disruptive to network operations and users.

4. Make a concerted effort to do no harm to networks or users outside your legislative domain. 

The similarites are striking. It's both comforting and disturbing that there is one Congressman who appreciates the gravity of the issues and the consequences of hasty, poorly constructed legislation. If you are a US citizen, contact your congressmen and encourage them to read Senator Wyden's thoughtful statement opposing SOPA.

SOPA: a great example of failing to know your enemy...or your friends

Proponents of SOPA want Congress to believe that DNS filtering will strike a death blow to online piracy. They argue that preventing the domain names that criminals use for infringing sites from resolving to Internet addresses will prevent criminals from distributing copyrighted material or selling knockoff versions of "brand" goods. The premise is false.

Photo by LesHoward

Know Your Enemy

If we have learned nothing else about electronic crime in the past decade, we do know one thing for certain. Online criminals adapt.

When an attack, stealth, or evasion technique ceases to be effective, online criminals try something different. A recent article at Dark Reading reports that security consultants and government agencies are tracking a dozen groups responsible for advanced persistent threats. What these parties have learned about one group in particular provides a wonderful teaching moment for SOPA proponents. 

APT actors identified as the Comment Crew uses HTML comments (information for web developers that is not use by a browser to render a page) to remotely control infected computers that form its botnet. An obvious countermeasure here is to strip comments from web traffic. This will disrupt communications, the botnet will be contained, and additional measures will be taken to dismantle it. 

Blocking HTML comments will be effective against Comment Crew, but for how long? History suggests that the answer is "not long at all". Does anyone seriously believe that the Comment Crew will throw their hands up in dismay and abandon their criminal or state sponsored activities?  The Comment Crew will employ a different means to communicate with its bots; specifically, they'll find a way to bypass or evade the countermeasures deployed against them.  

An important aside here is that stripping HTML comments is a good example of a proportional measure. Organizations or ISPs will voluntarily implement the HTML comment filtering countermeasure at their own site. They will enforce it within the boundaries of their own administrative domain, and will try not to harm or interfere with the daily operations of other networks in the process. Blocking the domain names of every web site that hosts HTML containing comments is not proportional. It overreaches, the results are unpredictable, and there is a high probability of disruption of desired and intended operations or collateral damage.

An unintended consequence of implementing Draconian filters when a more granular solution would suffice is that not only will criminal actors seek a way to evade such measures but legitimate users will do so as well. In Mandates Can't Alter the Facts, Paul Vixie explains that users will evade mandated filtering by using any of "dozens if not thousands of off-shore Domain Name servers they can switch to with the click of a mouse." Paul's claim is corroborated by a recent Cisco 2011 Security Report that 7 of 10 employees admit to violating IT policies in order to access the Internet. We live in a world where the prevailing attitude is that Internet access is a basic human right, US citizens will no doubt scoff the law. 

[ED: With nearly perfect timing for my article, an Addon for Mozilla Firefox - DNS Evasion to Stop Oppressive Policy in America (DeSOPA) - is now available. "When turned on, DeSopa intercepts URLs, sends the base URL to three offshore DNS services via HTTP, makes a best effort to check that two of them are equivalent, caches the IP for the browser session, redirects to the equivalent URL using the IP, and substitutes out the domain name in the source code with the IP address for future requests."]

Comment Crew is one of dozens I could cite to illustrate that SOPA proponents neither understand nor respect their adversaries. SOPA presupposes that criminals, faced with a DNS filtering shock and awe campaign, will fold tents and leave the Internet. Good luck with this.

Friend or Foe?

Sadly, SOPA proponents neither know nor respect their friends nor do they distinguish friend from foe. Individuals who oppose SOPA are portrayed as "pro-piracy", insensitive to the harm and loss musicians suffer, and other equally ludicrous characterizations. 

Does anyone seriously think that the best Internet and security minds in the world have never considered broad brush filtering of domain names as a measure to stop online piracy? We have, and we concluded long ago that this measure will not work, is not scalable or enforceable, and not without consequences. Despite this, SOPA proponents argue something along the lines of "despite the warnings and criticisms you've offered regarding DNS filtering we still want to add the considerable weight of federal legislation and force everyone to use it because doing this is better than doing nothing." In doing so, these proponents dismiss and disrespect the members of the technical community that work daily to defeat all forms of online criminal activity. Ironically, some of these members are employed by the very organizations most vocal in supporting SOPA, and they are probably collaborating with security and law enforcement to takedown a piracy site as you read this article. 

APWG Global Phishing Survey: Phishers like it cheap or free

Colleagues Greg Aaron and Rod Rasmussen have released the 1H2011 APWG Global Phishing Survey which again provides a wealth of statistics and insights into phishing behavior and methodology. One very positive bit of news is that the average duration of a phishing "uptime" (the amount of time phishers can inflict loss or harm) dropped over 25% from 2H2010 and the median of 10 hours 44 minutes is the lowest the authors have reported in four years. On the down side, phishers continue to prefer  to

exploit compromised hosts over malicious registrations and have recycled an old attack tomake this even more confounding to interveners and profitable for themselves. The Report explains that phishers have been very successful in exploiting virtual hosting services: by compromising a single server that supports virtual hosting, phishers can host the same phishing content in dozens of subdirectories.

The Report notes that phishers are also registering fewer domain names. Fewer than one in five phishing URLs included in the study were malicious registrations. However, there's a dark lining in this seemingly silver cloud.

Phishers are Bargain Hunters

When phishers do register malicious domains, they are definitively bargain shoppers. They look for free or cheap registrations, or opportunities to buy in bulk, and they aren't picky about the TLD. Of course, given the choice, phishers are happy to choose free over for fee. But free registrations are costly to everyone but phishers.

Free domain name registrations are offered by registries seeking to grow their market share but according to the Report, phishers flocked to the Tokelau registry. Malicious registrations in TK accounted for a staggering 88% of attacks against Chinese companies. TK's operators have since increased measures to eliminate this attack vector through the unique approach of giving direct access to the registry so that their trusted partners can "automatically cancel any domain name registrations which they find are abused for spam, phishing, or malware". This program will no doubt be exposed to considerable scrutiny but for the moment, it's effectively reducing abuse.

Free domain name registrations by TLDs are not the only source of pain. Hosting companies that offer free "vanity names" to customers who host email or web sites of the form <customer_term>.<service_provider_sld>.TLD also cause considerable pain. According to the Report, subdomain registrations used for phishing now account for the bulk of phishing activity in certain TLDs. 

Subdomain Registrations on the Rise

Subdomain registrations are problematic for brand and trademark protection: while measures taken to detect confusingly similar strings in domain name registrations have proven effective, the same is not so for subdomain "names". The Report confirms that phishers routinely include brand names "somewhere in the URL, where potential victims may see it and be fooled. Internet users are rarely knowledgeable enough to be able to pick out the 'base' or true domain name being used in a URL."

The subdomain registry CO.CC (the Cocos/Keeling Islands), the top offender in 1H2011, is taking measures to reduce abuse. Other operators in the Top 20 may voluntarily do so as well in 2H2011. If they don't, the operators may find themselves in the company of CZ.CC at the receiving end of criminal complaints and restraining orders if other major brands follow Microsoft in aggressively seeking relief.

There's much more in the Report. I find it worthwhile to compare past reports to present, to compare methodologies, observe trends and flocking behavior. I hope you find it as valuable as I have.

The color of lies: DNSchanger, error resolution services, and ProtectIP/SOPA

Operation Ghost Click/DNSchanger dismantled a long running criminal exploitation of the domain name system. As the name of the malware suggests, DNSchanger interfered with the expected and intended behavior of domain name resolution by causing the DNS to return different IP address information when Internet users try to resolve certain domain names from the addresses the owner of the domain name intended. In the case of DNSchanger, the false information returned enabled criminals to defraud Internet advertisers (click ad or pay per click), collect bogus credit card payments, and prevent users from updating or patching security software (See Gary Warner's post for an excellent, detailed analysis). The criminal intent of the actors here is quite apparent. DNSchanger forces the DNS to tell lies, very black lies.  Other actors change the DNS in similar ways.  Service providers who use error resolution services modify and return synthesizedresponses to DNS requests when domains do not exist (NXDOMAIN). Whether you call these responses synthesized, conjured, or "made up," they are at best grey lies for several reasons. While certain Internet users may benefit from a helpful positive response over a non-existent domain, the registered domain name holder has no control over what this response looks like and does not profit from any proceeds resulting from the redirection. Synthesized responses also have the potential to put the domain name owner and users at risk: analyses by Dan Kaminsky [1] and Bruce Schneier [2] demonstrate that it's possible to hack the web pages users are redirected to by using iframe, Javascript or other injection techniques; thus, in certain circumstances, synthesized responses may have the same impact as black lies. Recent bills under consideration in the US Congress - S.968 ProtectIP and H.R.3261 SOPA -contain provisions for the DOJ to issue court orders that compel DNS operators to (i) block resolution of domains that are allegedly associated with online piracy and brand infringement (ii) return synthesized responses, a.k.a., a Text of Notice, stating that "an action is being taken [against the domain name owner] pursuant to a court order obtained by the Attorney General". Supporters of these bills believe that these synthesized responses are white lies. Those who oppose the bill see them as grey or black. Respected members of the Internet technical community note in a white paper that blocking (DNS filtering) creates serious security and operational problems and is easily circumvented. Others worry

that the bill overreaches in defining wrongdoing and may easily be abused. Opponents and supporters argue over whether due process protections are upheld or set aside in the interestof protecting copyrights and IP.

What Color is Your Lie?

Comparing how DNSchanger, error resolution services, and Protect IP/SOPA affect users and the DNS sheds some light on why deciding whether redirection is a black, grey or white lie is not a simple matter of black and white.

	Redirection	Discussion
DNSchanger	Yes	To ad fraud or malicious pages
Error Resolution	Yes	To ad or landing pages
ProtectIP/SOPA	Yes	To a notice page, text determined by US AG
	Control over Redirection	Discussion
DNSchanger	Criminal	Specific domains are targeted, domain registrant is often unaware that redirection is occuring
Error Resolution	3rd party	"Non-existent domain" responses (user sees "page not found), domain name registrant has no control over landing page content or security
ProtectIP/SOPA	US AG	Domains identified in court order, registrant has no control over landing page content
	User notification
DNSchanger	No	Criminals want malware to operate unobtrusively
Error Resolution	Not assured	Certain error resolution affiliates may provide notice
ProtectIP/SOPA	No	US AG may block or sinkhole rather than redirect domain
	Ad revenue
DNSchanger	Yes	Criminal profits
Error Resolution	Yes	Error resolution provider or affiliate(s) profit
ProtectIP/SOPA	No
	Infection from DNS changed sites
DNSchanger	Possible	If criminals redirect to affiliate that hosts malicious executables
Error Resolution	Possible	If criminals hack site to which users are directed
ProtectIP/SOPA	Possible	If criminals hack site to which users are directed (no site is immune to attack)
	Affect on DNSSEC
DNSchanger	Bypass	The endpoint is compromised, and the malware points the client application to a different resolver that returns different data than requested.
Error Resolution	Disruptive	A DNSSEC-enabled resolver that does its own validation will not accept a redirected response nor will it trust an unsigned NXDOMAIN.
ProtectIP/SOPA	Disruptive	A DNSSEC-enabled resolver that does its own validation will not accept a redirected response. Indistinguishable from error resolution or other kinds of redirection.
	Remedy: mitigation, circumvention, bypass
DNSchanger	Not assured	Like all infections, the only certain remedy is to wipe clean and reinstall from scratch
Error Resolution	Not assured	Some providers may offer opt-out to user
ProtectIP/SOPA	Prohibited	Attempts to circumvent may cause US AG to seek injunctive relief

One final example of redirection may lend clarity to the discussion. Organizations that have been phished work with security professionals, law enforcement to identify malicious registrations or compromised servers where phish URLs are hosted. They work in cooperation, often with court orders but always with sufficient evidence of criminal activity that false positives are rare. Once phishing sites are taken down, organizations are encouraged to redirect would be victims to a APWG Phishing Education Landing Page. This is done at the discretion or direction of the phished organization, with full understanding and consent to the content and security of the landing page.

The process is not always as expedient as victims and victimized brands would like, but it is effective and it can be implemented in a manner that doesn't break DNS security, infringe on free speech or abuse due process. But rather than propose bills out of frustration, isn't it worth considering how to improve and accelerate processes that are working, and to consider ways to make them scale and work smoothly, internationally? 

Thanks to Steve Crocker, Joe St. Sauver and Paul Vixie for sanity checks and valuable input.