“Phishing's not going away. It's too profitable”
An interview with Greg Aaron, Senior Research Fellow at the Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) recently published its Q3 report on worldwide trends in phishing in 2021. The results are worrying. 2021 seems to be surpassing 2020, which already saw a record number of phishing attempts. We interviewed Greg Aaron, an authority on the subject of cybersecurity and domain name abuse, about this trend and the role of the domain name industry. Greg is a Senior Research Fellow at the APWG, President of consulting firm Illumintel Inc. and a member of ICANN's Security and Stability Advisory Committee (SSAC).
“These kinds of phenomena do have ebbs and flows over time. What we did see in 2020 is that the amount of phishing reported did go up significantly and it has stayed at that relatively high level ever since. I was involved in a separate study using a large set of data by Interisle Consulting and what we saw there is that, over a time period of a year, the amount of phishing seemed to go up by about 70 per cent. The level of phishing rose in 2020 and has stayed there since. The way I see it, it wouldn’t stay there unless it was effective. What makes phishing and cybercrime attractive is that a lot of it is perpetrated by people who don't live in the same community as the victims. This means that, from a criminal's perspective, it’s harder to get caught.”
“There's always been that arms race. A phishing attack is most effective in the first seven or eight hours from when it goes up and is advertised to people. Research by Google and PayPal has shown that. So, the diminished uptime has a relatively low impact on the profitability, as most revenue from phishing is generated in the first eight hours. And, as the uptime of a site is often measured from the moment the site is detected, the official figures don’t always adequately reflect the actual uptime and damage done. So, even if we do a good job as defenders, it's still not good enough because cybercriminals keep launching more sites. Which they wouldn’t do if it wasn’t profitable.”
“Most domain names where phishing occurs are maliciously registered. In some cases, a phisher can break into someone else’s hosting account and put a phishing page on an innocent party's website. And then the domain owner and its provider are compromised and not to blame. But in most cases, a phisher maliciously registers some domain names. The COMAR project, for which SIDN Labs did some very good work, showed 60 per cent of domain names used for phishing were malicious registrations.
Registries and registrars can shut down these maliciously registered domains without causing any collateral damage or inconveniencing any innocent parties. I was doing that at a domain name registry starting in 2007, with no false positives, and it’s an effective and practical practice. Some registries, such as SIDN and Nominet, have been progressive in that respect, but overall, the industry has been slow to act effectively and uniformly. Phishers are still able to register large numbers of malicious domains with impunity.”
“In my opinion, and that of the APWG, the GDPR [in the Netherlands the AVG, ed.] has been overapplied. ICANN policy allows registrars to redact domain name contact data from publication no matter where the registrant or registrar is, and whether or not GDPR applies to the data subject. That is not what the GDPR requires, and it is not a balanced solution. In a recent study, we found that this blocking of data in the Whois is probably five or six times more than it needs to be according to the law. Instead, registries and registrars should protect what data is required under the law and should publish data that is not protected under the law. That is precisely what the lawmakers have proposed in the new Network Information Security Directive. The APWG and M3AAWG are the two industry groups studying how this problem has affected the fight against cybercrime, and their latest observations were published on the M3AAWG website in June.”
“Well, one can only control what happens in one's own yard, and the consensus among experts is that it is always worthwhile to make things harder for criminals. TLDs like .nl and .uk have excellent reputations because they're managed well, and they know that they must do a good job of maintaining that reputation. Many new gTLDs have tried to compete on price, which has made them extra attractive to cybercriminals.”
“My personal view is that many new TLDs are operated by specific companies for their own limited, branding purposes [brand TLDs, ed.] and those have not been shown to be a problem as far as abuse is concerned. Instead, the abuse problems have occurred specifically in the generally available gTLDs, where anyone can register domains, and where they are often sold at low prices. To combat the abuse problems, the ICANN Board should incorporate better anti-abuse requirements into both the registry and registrar contracts. Anti-abuse will only be effective if both links in the chain are involved: registry and registrar.”
“e-ID will not be available for a while in many places, but you don’t need it to do some meaningful identity validation and verification, especially in the markets in which one operates. For example, you can find out whether a physical address really exists or not, and that a given individual lives at that address. The data and services to do so are available for cents per check. And then you have one way to verify that the data is accurate.”
“The APWG is best known for its anti-phishing work, but more broadly it's always been devoted to preventing all kinds of online fraud and identity theft. One of the things we've been doing recently is running an exchange of cryptocurrency data, because cryptocurrency is often used in phishing attempts and to transmit payments for ransomware. In our exchange, we’re sharing information about cryptocurrency addresses and wallets that have been used in criminal activity. The information is used by, for example, credit card companies in their anti-fraud programmes. Cryptocurrency is hard for a lot of people to understand. The ordinary person hasn't ever owned any cryptocurrency, but it appears that a lot of investment is going into making cryptocurrency more widely available and easier to use. MasterCard, for example, is planning on offering cryptocurrency as a purchasing loyalty reward. This will make cryptocurrency more attractive for consumers, but it will also offer an opportunity for cybercriminals.”
Greg Aaron can be reached through the website of his company Illumintel. The latest APWG phishing report to which he contributed can be downloaded here.