A potent new technique that phishing fraudsters have started using to thwart efforts to shut down their bogus Web sites has inspired a panel at the Anti-Phishing Working Group to hammer out a new policy that would get domain registries to disable criminal sites.

The new policy, called the domain suspension initiative, would shut down a site across an entire Internet domain, rather than just on the servers of a particular Internet Service Provider (ISP), says Laura Mather, co-chair of the APWG's domain name systems policy working group and until recently an executive at San Francisco-based security firm MarkMonitor Inc.

A computer scientist who once worked on anti-fraud techniques for eBay Inc. and its PayPal unit, Mather says three unnamed domain registries have said they're interested in considering the policy and in working with her 50-member group on a final draft. By summer, she hopes, all three will have implemented the proposal.

Her panel began developing the policy after noticing about a year ago that fraudsters were using a technique called fast flux to evade efforts by banks, merchants, and vendors to disable, or “take down,” the fake Web sites they use to trick consumers into giving up PINs, passwords, and other confidential information.

Used legitimately, fast flux is a useful technique that allows a Web site to redirect users when it changes from one ISP to another. But phishers are using it to rapidly set up shop at new ISPs when their sites have been shut down. This frustrates a law-enforcement tactic that had been working “fairly well,” Mather says, until criminals discovered fast flux. “Phishers have figured out how to do it and can move their sites to lots of different ISPs,” she says.

In response, the APWG panel has decided to attack the problem at the domain registries, which administer domains from the familiar .com and .org to the hundreds of individual domains for various countries.
If a registry disables a site, the site can't resolve on that domain regardless of the ISP it uses.

Mather says her group is talking to domain registrars, as well, and would be “thrilled” if they adopted the policy, though its effectiveness is greatest when adopted by registries. While registries are generally non-profit entities, registrars are the for-profit companies that act as middlemen between registries and Internet users and charge fees to register new Web sites.

The policy would work best if all registries adopted it, but Mather says safety on the Internet will improve even if only some do. “If you can cordon off areas where [fraudsters] can't go, even that's a win,” she says. “It makes things a little easier.”

Mather concedes, however, that the domain-suspension proposal needs to resolve issues such as what happens should a registry mistakenly disable a legitimate site. “What we're worried about is if we have a third party saying these guys are dirty rotten scoundrels, there are some legal risks” if the site turns out to be harmless, says David W. Maher, senior vice president of law and policy at Public Interest Registry, the Reston, Va.-based registry for the .org domain. PIR supports the general idea of registries acting against phishing sites, but “the devil is in the details,” says Maher.

Mather says her group is working on an accreditation process that would certify site-takedown vendors, banks, and merchants as the only entities allowed to report phishing sites to registries. They're also working out an arbitration process for sites that feel they've been wrongly targeted.

Some 23,630 sites were known to be associated with phishing in November, says the APWG in its most recent report, down from 34,266 in October. The number of consumer brands hijacked by phishers grew to a record 178, however, up from 120 in October.
The APWG, which has been tracking phishing since 2003, claims among its members payments companies, software vendors, and law-enforcement agencies.