RE: [gnso-acc-sgb] Phishing statistics (no longer A Dutch procedure)
- To: <gnso-acc-sgb@xxxxxxxxx>
- Subject: RE: [gnso-acc-sgb] Phishing statistics (no longer A Dutch procedure)
- From: "Patrick Cain" <pcain@xxxxxxxxxxxxxxxx>
- Date: Wed, 16 May 2007 10:55:17 -0400
Hi,
The APWG collects and publishes a variety of monthly statistics. They are
available at www.antiphishing.org.
There is a big .pdf version, too. Questions about the data can be directed
to me or the APWG; not this list, please.
We do not report per-TLD-domain statistics but emphasize the geographic
location of the hosting site since the take down is more driven by the
server location than the DNS name. If the 'phish site per TLD' is useful I
can try and run the numbers, but I'm not convinced it is.
Using an IP address instead of a DNS name allows use of compromised
home/university/corporation machines that do not normally have DNS names.
I believe that more than half of the phish sites that *I'm* aware of are
located at free/cheap hosting sites, but I have no useful public statistic
to back that up. Another significant chunk is at compromised web servers.
The APWG does not currently have historical data on domain registration data
(e.g., proxy, address fakality, etc), although we have started to collect it
as the phish site is reported to us.
Pat Cain
-----Original Message-----
From: owner-gnso-whois-wg@xxxxxxxxx [mailto:owner-gnso-whois-wg@xxxxxxxxx]
On Behalf Of Paul Stahura
Sent: Tuesday, May 15, 2007 3:33 PM
To: Christopher Gibson; Metalitz, Steven; gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
This is interesting data.
I see 17% are at IP addresses, not using a domain name.
Do you have data on, a) how many were at names in a ccTLD? and b) how many
URLs were at a "legitimate" name (i.e., a name not set up specifically for the
phish, such as at geocities, myspace, a compromised hosting company, etc.)?
Also, how many of the names were using some form of whois proxy service?
________________________________
From: Christopher Gibson [mailto:cgibson@xxxxxxxxxxx]
Sent: Tuesday, May 15, 2007 12:07 PM
To: 'Metalitz, Steven'; gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
Given some of the legitimate uses of WHOIS data to combat fraudulent
practices, here is a snapshot from the March Anti-Phishing Working Group
(APWG) statistics that might be helpful to consider. Statistical Highlights
for March 2007:
* Number of unique phishing reports received in March: 24853
* Number of unique phishing sites received in March: 20871
* Number of brands hijacked by phishing campaigns in March: 166
* Number of brands comprising the top 80% of phishing campaigns in March: 12
* Country hosting the most phishing websites in March: United States
* Contain some form of target name in URL: 27.9 %
* No hostname just IP address: 17 %
* Percentage of sites not using port 80: 3 %
* Average time online for site: 4 days
* Longest time online for site: 31 days
Countries Hosting Phishing Sites
In March, Websense® Security Labs™ saw a continuation of the top three
countries hosting phishing websites. The United States remains at the top of
the list with 27.53%. The rest of the top 10 breakdown is as follows:
Republic of Korea 18.19%, China 5.53%, Germany 4.68%, France 2.67%, Chile
2.51%, United Kingdom 2.27%, Russia 2.01%, Canada 1.86%, and Japan with
1.86%.
Chris
________________________________
From: owner-gnso-whois-wg@xxxxxxxxx [mailto:owner-gnso-whois-wg@xxxxxxxxx]
On Behalf Of Hugh Dierker
Sent: Tuesday, May 15, 2007 1:56 PM
To: Metalitz, Steven; gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
Steven,
Thank you for directing me to the specific area in which you were referring.
I reread it and again state "it is what is left unsaid that speaks volumes".
In this instance I refer specifically that they deal with "commercial", or
as the case of the Red Cross scams-nonprofit.
They leave it unsaid as to how to deal with private not for receipt of money
domains.
Also conspicuously absent was any reference to Banks. And a special absence
was any reference to "legworking".
But what they did say about law enforcement I found sound in logic.
Eric
"Metalitz, Steven" <met@xxxxxxx> wrote:
To the contrary, the FTC congressional testimony discusses at
length, on pages 13-16, how private sector access to Whois helps FTC do its
job, and concludes: "The simple yet crucial point is this: many legitimate
uses of Whois data by the business community and other non-governmental
organizations have an important, and often ignored, consumer protection
dimension. Their continued access to Whois information often helps protect
consumers from online scams and deception."
See http://financialservices.house.gov/media/pdf/071806eh.pdf.
Steve Metalitz
________________________________
From: owner-gnso-whois-wg@xxxxxxxxx
[mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Hugh Dierker
Sent: Tuesday, May 15, 2007 10:03 AM
To: Jeff Williams; gnso-acc-sgb@xxxxxxxxx
Cc: gnso-whois-wg@xxxxxxxxx
Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
I think the FTC as usual spoke volumes in what they left unsaid.
Where did the concept of banks doing the "legwork" come from?
I would especially like to hear from the Law Enforcement members on that.
Carole, what are your thoughts on this "doing legwork for law enforcement" concept?
Eric
Jeff Williams <jwkckid1@xxxxxxxxxxxxx> wrote:
Steven and all sgb members,
It is far more important to recognize what the FTC's own study
did NOT indicate. Ergo that there was no mention of access
to PRIVATE Whois data in order to perform their function
effectively. Hence, why we are here and at the crux of what,
who, and how we need to focus upon. The FTC's own study
also did NOT indicate a need for banks to do the "leg work"
for their study or perform their function.
Metalitz, Steven wrote:
> Of course, the FTC's own study showed the opposite of what EPIC stated
> -- that Whois is not a significant contributor of e-mail addresses for
> spamming purposes.
> http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.shtm Another study
> by the Center for Democracy and Technology reached the same conclusion.
> See http://www.cdt.org/speech/spam/030319spamreport.shtml ("We tested
> how much spam would be received to an address provided in the WHOIS
> database. Contrary to our expectations, just one spam e-mail was
> generated in the six months that our project was operational.") And the
> other testimony presented to Congress at the hearing where EPIC
> testified is well worth reviewing, including the statements of the
> Federal Trade Commission about how they rely upon access to Whois data
> to enforce laws that protect consumer privacy, and on how consumer
> access to Whois data also assists the FTC in its consumer and privacy
> protection mission. See
> http://financialservices.house.gov/media/pdf/071806eh.pdf (All the
> hearing testimony is compiled at
> http://financialservices.house.gov/archive/hearings.asp@formmode=detail&hearing=491.html)
>
> Steve Metalitz
>
> -----Original Message-----
> From: owner-gnso-whois-wg@xxxxxxxxx
> [mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of Robin Gross
> Sent: Sunday, May 13, 2007 2:00 PM
> To: jwkckid1@xxxxxxxxxxxxx
> Cc: gnso-acc-sgb@xxxxxxxxx; gnso-whois-wg@xxxxxxxxx
> Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>
> Indeed. Let's not forget that in 2006, the US Federal Trade Commission
> stated that online data mining is the number one crime in the United
> States. Privacy experts at EPIC testified before US Congress that
> databases such as whois are among the most significant contributors to
> this problem:
> http://www.epic.org/privacy/whois/phishing_test.pdf
>
> jwkckid1@xxxxxxxxxxxxx wrote:
>
> >Dan and all,
> >
> > To sum up what you seem to be getting at is that allowing
> >banks regardless of which one ergo blanket access, is a bad
> >and possibly a dangerous idea. And I amongst a growing number
> >of knowledgeable consumers, registrants, and even LEA's, agree.
> >In fact according to the DOJ fraud, misuse, and other financial
> >illegal schemes by banks, financial institutions, and auditing
> >firms has more than doubled since 2002.
> >
> >-----Original Message-----
> >
> >
> >>From: Dan Krimm
> >>Sent: May 11, 2007 11:20 PM
> >>To: gnso-acc-sgb@xxxxxxxxx
> >>Cc: gnso-whois-wg@xxxxxxxxx
> >>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> >>
> >>Hope,
> >>
> >>I am not saying that phishing is not a problem that needs to be dealt with.
> >>I am simply saying that it should be dealt with in a measured way and with
> >>proper controls. And, that there are other serious problems that crop up
> >>
> >>
> >Regards,
> >
> >Jeffrey A. Williams
> >Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
> >"Obedience of the law is the greatest freedom" -
> > Abraham Lincoln
> >
> >"Credit should go with the performance of duty and not with what is very
> >often the accident of glory" - Theodore Roosevelt
> >
> >"If the probability be called P; the injury, L; and the burden, B; liability
> >depends upon whether B is less than L multiplied by
> >P: i.e., whether B is less than PL."
> >United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
> >===============================================================
> >Updated 1/26/04
> >CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
> >Information Network Eng. INEG. INC.
> >ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
> >Registered Email addr with the USPS Contact Number: 214-244-4827
> >
> >
> >
> >gnso-acc-sgb@xxxxxxxxx
> >
> >
> >
> >>when the method of dealing with it is not measured and does not have proper
> >>controls.
> >>
> >>Secondly, our deliberations here are about more than just banks, even if
> >>Palmer's suggestion was constrained to banks.
> >>
> >>My comment about consumers versus customers is about the fact that giving
> >>blanket access to banks for all Whois data provides access to personal
> >>information about consumers who are not their direct customers, and the
> >>banks are not regulatorily restricted from using data about consumers that
> >>are not their direct customers, as they are with regard to their own direct
> >>customers.
> >>
> >>Example: I have an account with bank A. I do not have an account with
> >>bank B. If bank B has blanket access to Whois data in order to find
> >>phishers, because I am an Internet domain registrant, bank B gets my
> >>personal data from Whois even if I am not a phisher. Bank B is regulated
> >>in many cases with respect to its own customers, as bank A is regulated
> >>with regard to personal data it collects from me by virtue of being a
> >>customer. But bank B is not regulated with respect to the data about me
> >>that it gleans from sources such as Whois, because I am not a customer of
> >>bank B. I cannot opt-out of bank B using my personal data for anything it
> >>wishes the way I can opt-out of bank A using my personal data in that way.
> >>
> >>Personally, that bothers me, because I don't believe that "banks are not
> >>interested in information about millions upon millions (of) people" -- if
> >>they can make a buck off of it, why wouldn't they be? If they have access
> >>to that data, they can build a business selling it to people who use it for
> >>marketing (or other) purposes, just as they used to do with their
> >>customers' information before regulation allowed some customers in some
> >>jurisdictions to opt out from those uses.
> >>
> >>Just because the anti-fraud departments of banks are not interested in the
> >>broad range of data doesn't mean that the ancillary-business departments
> >>(connected to marketing, etc.) of banks are not interested in the data.
> >>They'd be dumb not to be interested, where there's money to be made. They
> >>already have big businesses built on (currently) legal use of personal data
> >>collected from their customers. It's only because of regulation that I
> >>have the option to opt-out of that use in some cases today. It's not like
> >>the banks have been particularly trustworthy actors in this arena: they
> >>have done only what has been forced down their throats by law, typically
> >>nothing more, and even that much has not been without a fight.
> >>
> >>As a consumer, I am as alarmed as anyone about the problems of misuse of
> >>data leading to fraud and ID theft, etc. The problem with granting blanket
> >>access to private entities without meaningful enforcement against abuse is
> >>that this creates a systematic incentive for misuse of data in precisely
> >>the way that can lead secondarily to ID theft, etc. Example: Bank B sells
> >>my personal data to someone posing as a marketer who then tries to scam me.
> >>Bank B may not have done the deed directly, but their "legitimate marketing
> >>data business" leads to misuse by others in a fraudulent manner. Unless we
> >>place enforceable limits on what banks may do with all this data, this
> >>potential remains large. I don't see anything in Palmer's proposal that
> >>suggests meaningful enforcement procedures to prevent this sort of thing,
> >>or even demonstrates that meaningful enforcement is possible.
> >>
> >>I support providing legitimate anti-fraud efforts what they need to do
> >>their jobs, but no more than that. Blanket access proposals without due
> >>process go *way* beyond the specific needs required to get the bad guys,
> >>and place orders of magnitude more good guys at unnecessary risk of abuse
> >>(without recourse, if the source of the abuse cannot be traced).
> >>
> >>Blanket access is easy for banks, but it goes too far and thus endangers
> >>many others in the process. Our job should not be exclusively to make
> >>things easy for banks at the expense of significant costs to other
> >>stakeholders. Banks should be able to get the job done, but with
> >>enforceable controls and appropriate pre-screening. Just like any other
> >>private entities that are involved in anti-fraud activities.
> >>
> >>Dan
> >>
> >>
> >>
> >>At 8:59 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
> >>
> >>
> >>>Dan,
> >>>
> >>>I am glad that you are able to recognize a phishing email when you see one,
> >>>unfortunately, not everyone is able to do so. We wouldn't have a problem
> >>>if that were the case. The fraudsters have become more and more
> >>>sophisticated every day and I have seen highly educated people not be able
> >>>to recognize phishing emails or be confused as to whether an email is
> >>>legitimate or not. For example, people are often times confused or fall
> >>>for fraudulent emails when their bank merges with another bank. The
> >>>phishing emails address the merger and request information stating that
> >>>it is necessary for conversion purposes. Of course, this seems legitimate to
> >>>customers because they know their bank is in the process of merging and in
> >>>combination with legitimate advertising or communications via regular
> >>>mail, television or print, even highly sophisticated individuals fall for
> >>>these schemes.
> >>>
> >>>Secondly, I am not sure why you are mixing Credit Reporting Agencies with
> >>>banks, these are separate and distinct industries.
> >>>
> >>>Finally, I am not sure I understand the connection with regard to your
> >>>comment that banks should not have access to Whois information because
> >>>they have enough information about their customers. One has nothing to do
> >>>with the other. Banks are not interested in information about millions
> >>>upon millions people but instead are interested in the Whois information
> >>>specifically related to domains used to perpetrate fraud upon millions of
> >>>innocent victims. Banks use Whois information in order to combat fraud
> >>>and identity theft which results from phishing emails. Again, banks aren't
> >>>looking at information of anyone who is not a fraudster. If you have the
> >>>opportunity to speak with someone who has been a victim of identity theft
> >>>or fraud, I would encourage you to do so.
> >>>
> >>>
> >>>----- Original Message -----
> >>>From: Dan Krimm [dan@xxxxxxxxxxxxxxxx]
> >>>Sent: 05/11/2007 05:32 PM MST
> >>>To:
> >>>Cc:
> >>>Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> >>>
> >>>
> >>>
> >>>I'll let Eric speak for himself with regard to the email he receives, but
> >>>the phishing scams I get are easily recognized and discarded. (The first
> >>>one I ever got -- before it had become prevalent, and before there was a
> >>>word coined for it -- I was temporarily confused, but I was alert enough to
> >>>check out the domain before supplying any info. I have been personally
> >>>immune ever since.)
> >>>
> >>>While I opt-out of all uses of my info by financial institutions that I can
> >>>(and in California I can opt out of more than in other states or countries,
> >>>because of consumer-friendly state regulation), I am still troubled by
> >>>information collected by credit reporting agencies and other sources that I
> >>>do not know about. I refuse to allow DoubleClick to place cookies on my
> >>>browsers. And still I know this is not enough to be secure in the
> >>>knowledge that data about me is not being used against my interests,
> >>>usually by private entities out to make a buck.
> >>>
> >>>Banks already get a lot of personal information from their immediate
> >>>customers. There is no reason to give them unsupervised blanket access to
> >>>all information in the Whois database about millions upon millions of
> >>>people who are not their direct customers.
> >>>
> >>>Information used for legitimate anti-fraud efforts needs to be
> >>>well-targeted as much as possible, and checks and balances need to be in
> >>>place to assure appropriateness of access as a rule, since recourse is not
> >>>always available in the case of abuse (and thus deterrence may be
> >>>ineffective).
> >>>
> >>>If ICANN is not in position to become a fully-functional public law
> >>>enforcement entity in and of itself, with all of the due process and
> >>>accountability that such a role calls for (and it seems pretty clear that
> >>>it is not), then that dynamic needs to be in the system somewhere, somehow,
> >>>and it needs to be designed with some serious effectiveness, not just as a
> >>>cosmetic ruse.
> >>>
> >>>Dan
> >>>
> >>>
> >>>
> >>>At 5:54 PM -0500 5/11/07, Hope.Mehlman@xxxxxxxxxxx wrote:
> >>>
> >>>
> >>>>Those 20 or so spam emails are likely phishing emails or scams. Banks do
> >>>>not send spam emails. These emails you are referring to are not legitimate
> >>>>emails, and this is exactly what banks are trying to prevent in order to
> >>>>protect consumers from identity theft and fraud. Your email highlights
> >>>>how significant and prevalent this problem is.
> >>>>
> >>>>
> >>>>----- Original Message -----
> >>>> From: Hugh Dierker [hdierker2204@xxxxxxxxx]
> >>>> Sent: 05/11/2007 03:26 PM MST
> >>>> To: gnso-acc-sgb@xxxxxxxxx
> >>>> Cc: gnso-whois-wg@xxxxxxxxx
> >>>> Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
> >>>>
> >>>>
> >>>>This really assumes a lot. Hypothetical "who done its". Does not justify
> >>>>giving out confidential information to banks. I get 20 or so spams a day
> >>>>
> >>>>
> >>>>from Banks. Junk mail another 5 a day- credit cards galore.
> >>>
> >>>
> >>>>I do not buy that "banks" want my info for purely secure reasons.
> >>>>
> >>>>Eric
> >>>>
> >>>>Palmer Hamilton wrote:
> >>>>
> >>>>
> >>>>Dan,
> >>>>
> >>>>The problem is a practical one. Law enforcement has limited resources.
> >>>>We might wish that were not the case, but it is, and, realistically, it
> >>>>will always be the case. Law enforcement, as I set out in my earlier
> >>>>emails to Milton, expects banks to do the legwork before it will act.
> >>>>Maybe it should be otherwise, but this is not the case nor will it ever
> >>>>be the case. In various roles, both in government and working on the
> >>>>side of government, I have spent years working on the side of law
> >>>>enforcement. I think it is fair to say that law enforcement's approach
> >>>>is virtually an immutable law of nature. And frankly from law
> >>>>enforcement's standpoint, it must set priorities given its limited
> >>>>resources.
> >>>>
> >>>>If banks do not have access to the necessary information, internet users
> >>>>and consumers will be put at much greater risk. It would be nice to
> >>>>think that banks and consumers could simply lodge a complaint and
Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS
Contact Number: 214-244-4827