ICANN Email List Archives

[gnso-acc-sgb]



RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics

  • To: <gnso-acc-sgb@xxxxxxxxx>
  • Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics
  • From: "Margie Milam" <Margie.Milam@xxxxxxxxxxxxxxx>
  • Date: Fri, 18 May 2007 07:57:56 -0600

For Phishing related purposes, Domain name WHOIS is definitely used.

I'll give an example, although this is not the only way WHOIS is used. Assume
there is a new domain name registered with the bank's name, i.e.,
bankname-onlinebankingservices.com. The registrant's WHOIS information
(including the information that would be shielded under OPOC) is used to
confirm whether the bank or some other party is the registrant of the new
domain name, as this information is compared to the legitimate WHOIS of domain
names that are registered by the bank. In this regard, the email is usually
the piece of information that is most revealing, as it would not be an email
address from the bank's email service but from another provider (i.e.,
margie@xxxxxxx). If the registrant information does not match known WHOIS of
the bank, this is a red flag indicating that this might be a phish and
additional analysis is required.
 
Margie
 
 

        -----Original Message----- 
        From: owner-gnso-acc-sgb@xxxxxxxxx on behalf of Jeff Williams 
        Sent: Thu 5/17/2007 11:36 PM 
        To: gnso-acc-sgb@xxxxxxxxx 
        Cc: 
        Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics
        
        

        Dr. Dierker and all,
        
          By IP issues Milton was talking about IP addresses, ergo IP Whois vs
        DNS Whois.
        
          And yes, in regards to Phishing attacks, Patrick earlier brought
        up and broadened the scope of Whois data as these sorts of
        attacks being fraud and involving "IP Whois data" as to access,
        are relevant to determining how, who and under what set of
        conditions ALL Whois data is available or utilized.  What I
        do not know is if "IP Whois data" is actually within the scope
        of this WG and sub groups.  Maybe Milton can answer that??
        
          If so, another reference for getting an idea of how serious
        various forms of Phishing attacks are see:
        http://www.ipgovernance.com/News_on_Phishing__Identity.html
        
          What concerns me most is the increasing frequency from Banks
        of Phishing attacks by disgruntled Bank employees.
        
        Hugh Dierker wrote:
        
        >    Sorry Milton,
        >
        >   But aren't you just asking for more questions regarding "scope". I
        > wholeheartedly agree with your assessment. But I was trying to avoid
        > the IP issues in both a and b work.
        >
        >   Eric
        >
        > Milton Mueller <mueller@xxxxxxx> wrote:
        >   Remember, it's not just whether "whois" is used, it's whether it's DNS
        > (as opposed to IP) whois and whether the sensitive fields shielded by the
        > OPoC recommendation are used.
        >
        > Dr. Milton Mueller
        > Syracuse University School of Information Studies
        > http://www.digital-convergence.org
        > http://www.internetgovernance.org
        >
        > >>> "Patrick Cain" 05/16/07 10:55 AM >>>
        > Hi,
        >
        > I am unaware of any such specific correlating statistic.
        > The APWG has been leading an informal group to document the various
        > uses of Whois data in phishing detection and mitigation. As soon as I
        > get the ok from the authors, I'll forward it to the group as background
        > information.
        >
        > Pat Cain
        >
        > -----Original Message-----
        > From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx] On Behalf Of Milton Mueller
        > Sent: Tuesday, May 15, 2007 11:56 PM
        > To: gnso-acc-sgb@xxxxxxxxx; met@xxxxxxx; cgibson@xxxxxxxxxxx
        > Cc: gnso-whois-wg@xxxxxxxxx
        > Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
        >
        > Christopher:
        > Are there any statistics establishing a correlation between phishing
        > takedowns and access to street address, email or phone number in the
        > public whois?
        >
        > Dr. Milton Mueller
        > Syracuse University School of Information Studies
        > http://www.digital-convergence.org
        > http://www.internetgovernance.org
        >
        > >>> "Christopher Gibson" 05/15/07 3:07 PM >>>
        > Given some of the legitimate uses of WHOIS data to combat fraudulent
        > practices, here is a snapshot from the March Anti-Phishing Working Group
        > (APWG) statistics that might be helpful to consider. Statistical
        > Highlights for March 2007:
        >
        >
        >
        >
        >
        >
        
        Regards,
        --
        Jeffrey A. Williams
        Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
        "Obedience of the law is the greatest freedom" -
           Abraham Lincoln
        
        "Credit should go with the performance of duty and not with what is
        very often the accident of glory" - Theodore Roosevelt
        
        "If the probability be called P; the injury, L; and the burden, B;
        liability depends upon whether B is less than L multiplied by
        P: i.e., whether B is less than PL."
        United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
        ===============================================================
        Updated 1/26/04
        CSO/DIR. Internet Network Eng. SR. Eng. Network data security
        IDNS. div. of Information Network Eng.  INEG. INC.
        ABA member in good standing member ID 01257402
        E-Mail jwkckid1@xxxxxxxxxxxxx
         Registered Email addr with the USPS
        Contact Number: 214-244-4827
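
The registrant comparison described at the top of this message, sketched as an added example that is not part of the original thread. The WHOIS records are constructed, and the "Key: value" layout, the field labels and the function names are assumptions; real WHOIS output differs between registrars.

```python
# Added illustration; records below are constructed, not real registrations.
KNOWN_BANK_WHOIS = """\
Domain Name: bankname.com
Registrant Name: Domain Administrator
Registrant Organization: Bank Name, N.A.
Registrant Email: hostmaster@bankname.com
"""
NEW_DOMAIN_WHOIS = """\
Domain Name: bankname-onlinebankingservices.com
Registrant Name: J. Doe
Registrant Organization:
Registrant Email: jdoe@freemail.example
"""
# Assumed field labels; real WHOIS output differs between registrars.
IDENTITY_FIELDS = ("Registrant Name", "Registrant Organization")

def parse_whois(text):
    """Turn 'Key: value' lines into a dict of trimmed, lower-cased values."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip().lower()
    return record

def email_domain(address):
    """Return the part of an email address after the last '@'."""
    return address.rpartition("@")[2]

def registrant_red_flags(candidate, baselines):
    """Compare a new domain's registrant data with the bank's known records.

    Returns a list of mismatches; an empty list means every compared field
    matches at least one known bank registration.
    """
    flags = []
    bank_mail_domains = {email_domain(b["Registrant Email"])
                         for b in baselines if b.get("Registrant Email")}
    email = candidate.get("Registrant Email", "")
    if not email:
        flags.append("registrant email absent, cannot compare")
    elif email_domain(email) not in bank_mail_domains:
        flags.append("email not on a bank mail domain")
    for field in IDENTITY_FIELDS:
        if candidate.get(field, "") not in {b.get(field, "") for b in baselines}:
            flags.append(field + " mismatch")
    return flags

if __name__ == "__main__":
    print(registrant_red_flags(parse_whois(NEW_DOMAIN_WHOIS),
                               [parse_whois(KNOWN_BANK_WHOIS)]))
```

A non-empty result corresponds to the "red flag" in the message: it marks the domain for additional analysis and is not a verdict on its own.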
        
        
        




