“Phishing's not going away. It's too profitable”

An interview with Greg Aaron, Senior Research Fellow at the Anti-Phishing Working Group


The Anti-Phishing Working Group (APWG) recently published its Q3 report on worldwide trends in phishing in 2021. The results are worrying. 2021 seems to be surpassing 2020, which already saw a record number of phishing attempts. We interviewed Greg Aaron, an authority on the subject of cybersecurity and domain name abuse, about this trend and the role of the domain name industry. Greg is a Senior Research Fellow at the APWG, President of consulting firm Illumintel Inc. and a member of ICANN's Security and Stability Advisory Committee (SSAC).

The number of phishing attempts in 2021 has broken several records. No fewer than 250,000 attempts were spotted in June alone. How worried should we as an industry be about this?

Greg Aaron, Senior Research Fellow at the APWG

“These kinds of phenomena do have ebbs and flows over time. What we did see in 2020 is that the amount of phishing reported did go up significantly and it has stayed at that relatively high level ever since. I was involved in a separate study using a large set of data by Interisle Consulting and what we saw there is that, over a time period of a year, the amount of phishing seemed to go up by about 70 per cent. The level of phishing rose in 2020 and has stayed there since. The way I see it, it wouldn’t stay there unless it was effective. What makes phishing and cybercrime attractive is that a lot of it is perpetrated by people who don't live in the same community as the victims. This means that, from a criminal's perspective, it’s harder to get caught.”

The rising number of attempts is even more worrying given that the average uptime of phishing websites has gone down in many areas, the Netherlands among them. Does this mean the countermeasures are fuelling an arms race between phishers and security professionals, with ever more sites being taken down ever faster?

“There's always been that arms race. A phishing attack is most effective in the first seven or eight hours from when it goes up and is advertised to people. Research by Google and PayPal has shown that. So, the diminished uptime has a relatively low impact on the profitability, as most revenue from phishing is generated in the first eight hours. And, as the uptime of a site is often measured from the moment the site is detected, the official figures don’t always adequately reflect the actual uptime and damage done. So, even if we do a good job as defenders, it's still not good enough because cybercriminals keep launching more sites. Which they wouldn’t do if it wasn’t profitable.”

How have you seen the role of the domain name industry – and, by that, I mean specifically registries and registrars – develop with regard to phishing over the past few years?

“Most domain names where phishing occurs are maliciously registered. In some cases, a phisher can break into someone else’s hosting account and put a phishing page on an innocent party's website. And then the domain owner and its provider are compromised and not to blame. But in most cases, a phisher maliciously registers some domain names. The COMAR project, for which SIDN Labs did some very good work, showed 60 per cent of domain names used for phishing were malicious registrations.

Registries and registrars can shut down these maliciously registered domains without causing any collateral damage or inconveniencing any innocent parties. I was doing that at a domain name registry starting in 2007, with no false positives, and it’s an effective and practical practice. Some registries, such as SIDN and Nominet, have been progressive in that respect, but overall, the industry has been slow to act effectively and uniformly. Phishers are still able to register large numbers of malicious domains with impunity.”

A lot of European legislation on cybersecurity is being prepared, most notably the revised Network and Information Security (NIS) Directive. Do you feel current legislation offers sufficient tools to combat phishing?

“In my opinion, and that of the APWG, the GDPR [in the Netherlands the AVG, ed.] has been overapplied. ICANN policy allows registrars to redact domain name contact data from publication no matter where the registrant or registrar is, and whether or not GDPR applies to the data subject. That is not what the GDPR requires, and it is not a balanced solution. In a recent study, we found that this blocking of data in the Whois is probably five or six times more than it needs to be according to the law. Instead, registries and registrars should protect what data is required under the law and should publish data that is not protected under the law. That is precisely what the lawmakers have proposed in the new Network Information Security Directive. The APWG and M3AAWG are the two industry groups studying how this problem has affected the fight against cybercrime, and their latest observations were published on the M3AAWG website in June.”

Many parties in the industry find the present legislation frustrating, as it only covers a certain geographical area, and it is easy for phishers to register domains outside that jurisdiction.

“Well, one can only control what happens in one's own yard, and the consensus among experts is that it is always worthwhile to make things harder for criminals. TLDs like .nl and .uk have excellent reputations because they're managed well, and they know that they must do a good job of maintaining that reputation. Many new gTLDs have tried to compete on price, which has made them extra attractive to cybercriminals.”

Speaking of new gTLDs, there is currently a discussion about the new window for new gTLDs, which is now probably scheduled for 2023. Many in ICANN's governmental community would like to see more safeguards against DNS abuse in place before giving their blessing to a new window. How do you feel about that?

“My personal view is that many new TLDs are operated by specific companies for their own limited, branding purposes [brand TLDs, ed.] and those have not been shown to be a problem as far as abuse is concerned. Instead, the abuse problems have occurred specifically in the generally available gTLDs, where anyone can register domains, and where they are often sold at low prices. To combat the abuse problems, the ICANN Board should incorporate better anti-abuse requirements into both the registry and registrar contracts. Anti-abuse will only be effective if both links in the chain are involved: registry and registrar.”

One key issue in combatting malicious registrations is verifying the registrant's identity. Some see new forms of e-ID as an effective way to combat cybercrime. What is your view on that?

“e-ID will not be available for a while in many places, but you don’t need it to do some meaningful identity validation and verification, especially in the markets in which one operates. For example, you can find out whether a physical address really exists or not, and that a given individual lives at that address. The data and services to do so are available for cents per check. And then you have one way to verify that the data is accurate.”

You are a Senior Research Fellow at the APWG. Looking at the years to come, what role do you foresee for the APWG in combatting the rise of cybercrime? What developments are in store?

“The APWG is best known for its anti-phishing work, but more broadly it's always been devoted to preventing all kinds of online fraud and identity theft. One of the things we've been doing recently is running an exchange of cryptocurrency data, because cryptocurrency is often used in phishing attempts and to transmit payments for ransomware. In our exchange, we’re sharing information about cryptocurrency addresses and wallets that have been used in criminal activity. The information is used by, for example, credit card companies in their anti-fraud programmes. Cryptocurrency is hard for a lot of people to understand. The ordinary person hasn't ever owned any cryptocurrency, but it appears that a lot of investment is going into making cryptocurrency more widely available and easier to use. MasterCard, for example, is planning on offering cryptocurrency as a purchasing loyalty reward. This will make cryptocurrency more attractive for consumers, but it will also offer an opportunity for cybercriminals.”

Greg Aaron can be reached through the website of his company Illumintel. The latest APWG phishing report to which he contributed can be downloaded here.