ICANN Email List Archives

[gnso-acc-sgb]



RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics

  • To: gnso-acc-sgb@xxxxxxxxx
  • Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics
  • From: jwkckid1@xxxxxxxxxxxxx
  • Date: Fri, 18 May 2007 22:41:40 -0500 (GMT-05:00)

Margie and all sgb members,

  It would not always be the case that the bank in your example
would need to do further analysis given your scenario as many
registrants have multiple eMail addresses.

-----Original Message-----
>From: Margie Milam <Margie.Milam@xxxxxxxxxxxxxxx>
>Sent: May 18, 2007 8:57 AM
>To: gnso-acc-sgb@xxxxxxxxx
>Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics
>
>For Phishing  related purposes, Domain name WHOIS is definitely used.   
> 
>I'll give an example, although this is not the only way WHOIS is used.   Assume 
>there is a new domain name registered with the bank's name  i.e,  
>bankname-onlinebankingservices.com .  The registrant's WHOIS information 
>(including the information that would be shielded under OPOC) is used to 
>confirm whether the bank or some other party is the registrant of the new 
>domain name, as this information  is compared to the legitimate WHOIS of 
>domain names that are registered by the bank.   In this regard, the email is 
>usually the piece of information that is most revealing as it would not be an 
>email address from the bank's email service but from another provider (ie 
>margie@xxxxxxx).   If the registrant information does not match known WHOIS of 
>the bank,  this is a red flag indicating that this might be a phish and 
>additional analysis is required.
> 
>Margie
> 
> 
>
>       -----Original Message----- 
>       From: owner-gnso-acc-sgb@xxxxxxxxx on behalf of Jeff Williams 
>       Sent: Thu 5/17/2007 11:36 PM 
>       To: gnso-acc-sgb@xxxxxxxxx 
>       Cc: 
>       Subject: Re: [gnso-acc-sgb] RE: [gnso-whois-wg] Phish statistics
>       
>       
>
>       Dr. Dierker and all,
>       
>         By IP issues Milton was talking about IP addresses, ergo IP Whois vs
>       DNS Whois.
>       
>         And yes, in regards to Phishing attacks, Patrick earlier brought
>       up and broadened the scope of Whois data as these sorts of
>       attacks being fraud and involving "IP Whois data" as to access,
>       are relevant to determining how, who and under what set of
>       conditions ALL Whois data is available or utilized.  What I
>       do not know is if "IP Whois data" is actually within the scope
>       of this WG and sub groups.  Maybe Milton can answer that??
>       
>         If so, another reference for getting an idea of how serious
>       various forms of Phishing attacks are see:
>       http://www.ipgovernance.com/News_on_Phishing__Identity.html
>       
>         What concerns me most is the increasing frequency from Banks
>       of Phishing attacks by disgruntled Bank employees.
>       
>       Hugh Dierker wrote:
>       
>       >    Sorry Milton,
>       >
>       >   But aren't you just asking for more questions regarding "scope". I
>       > wholeheartedly agree with your assessment. But I was trying to avoid
>       > the IP issues in both a and b work.
>       >
>       >   Eric
>       >
>       > Milton Mueller <mueller@xxxxxxx> wrote:
>       >   Remember, it's not just whether "whois" is used, it's whether it's DNS (as
>       > opposed to IP) whois and whether the sensitive fields shielded by the
>       > OPoC recommendation are used.
>       >
>       > Dr. Milton Mueller
>       > Syracuse University School of Information Studies
>       > http://www.digital-convergence.org
>       > http://www.internetgovernance.org
>       >
>       > >>> "Patrick Cain" 05/16/07 10:55 AM >>>
>       > Hi,
>       >
>       > I am unaware of any such specific correlating statistic.
>       > The APWG has been leading an informal group to document the various uses of
>       > Whois data in phishing detection and mitigation. As soon as I get the ok
>       > from the authors, I'll forward it to the group as background information.
>       >
>       > Pat Cain
>       >
>       > -----Original Message-----
>       > From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
>       > On Behalf Of Milton Mueller
>       > Sent: Tuesday, May 15, 2007 11:56 PM
>       > To: gnso-acc-sgb@xxxxxxxxx; met@xxxxxxx; cgibson@xxxxxxxxxxx
>       > Cc: gnso-whois-wg@xxxxxxxxx
>       > Subject: RE: [gnso-acc-sgb] RE: [gnso-whois-wg] Dutch Govcert procedure
>       >
>       > Christopher:
>       > Are there any statistics establishing a correlation between phishing
>       > takedowns and access to street address, email or phone number in the
>       > public whois?
>       >
>       > Dr. Milton Mueller
>       > Syracuse University School of Information Studies
>       > http://www.digital-convergence.org
>       > http://www.internetgovernance.org
>       >
>       > >>> "Christopher Gibson" 05/15/07 3:07 PM >>>
>       > Given some of the legitimate uses of WHOIS data to combat fraudulent
>       > practices, here is a snapshot from the March Anti-Phishing Working Group
>       > (APWG) statistics that might be helpful to consider. Statistical Highlights
>       > for March 2007:
>       >
>       >
>       >
>       >
>       >
>       >
>       
>       Regards,
>       --
>       Jeffrey A. Williams
>       Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
>       "Obedience of the law is the greatest freedom" -
>          Abraham Lincoln
>       
>       "Credit should go with the performance of duty and not with what is
>       very often the accident of glory" - Theodore Roosevelt
>       
>       "If the probability be called P; the injury, L; and the burden, B;
>       liability depends upon whether B is less than L multiplied by
>       P: i.e., whether B is less than PL."
>       United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
>       ===============================================================
>       Updated 1/26/04
>       CSO/DIR. Internet Network Eng. SR. Eng. Network data security
>       IDNS. div. of Information Network Eng.  INEG. INC.
>       ABA member in good standing member ID 01257402
>       E-Mail jwkckid1@xxxxxxxxxxxxx
>        Registered Email addr with the USPS
>       Contact Number: 214-244-4827
>       
>       
>       
>
>
Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS Contact Number: 214-244-4827
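
The WHOIS comparison discussed in this thread, as an added example that is not code from any poster or from ICANN: a newly seen domain's registrant fields are checked against a baseline built from all of the bank's known records, so several legitimate mailboxes are tolerated and a shielded email yields no verdict. The "Key: Value" record layout, the `.example` names and the function names are constructed assumptions; only bankname-onlinebankingservices.com is the thread's own hypothetical.

```python
# Constructed sample WHOIS records in a simplified "Key: Value" layout.
KNOWN_BANK_RECORDS = [
    """Domain Name: bankname.example
Registrant Organization: Bank Name N.A.
Registrant Email: hostmaster@bankname.example""",
    """Domain Name: bankname-cards.example
Registrant Organization: Bank Name N.A.
Registrant Email: dns-admin@bankname.example"""]
CANDIDATE = """Domain Name: bankname-onlinebankingservices.com
Registrant Organization: Online Services
Registrant Email: someone@freemail.example"""

def parse_whois(text):
    """Parse 'Key: Value' lines into a dict with lower-cased keys and values."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip().lower()] = value.strip().lower()
    return record

def build_baseline(records):
    """Collect every registrant email, email domain and organization seen."""
    base = {"emails": set(), "email_domains": set(), "orgs": set()}
    for rec in map(parse_whois, records):
        email = rec.get("registrant email", "")
        if "@" in email:
            base["emails"].add(email)
            base["email_domains"].add(email.rsplit("@", 1)[1])
        if rec.get("registrant organization"):
            base["orgs"].add(rec["registrant organization"])
    return base

def triage(whois_text, baseline):
    """Return (verdict, reasons); a new mailbox on the bank's own mail domain is 'review'."""
    rec = parse_whois(whois_text)
    email = rec.get("registrant email", "")
    if not email:
        return "no-data", ["registrant email absent or shielded"]
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    checks = [
        (email in baseline["emails"], "registrant email not in known records"),
        (domain in baseline["email_domains"], "email not on the bank's mail domain"),
        (rec.get("registrant organization") in baseline["orgs"], "organization differs"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    if not reasons:
        return "match", reasons
    return ("review" if domain in baseline["email_domains"] else "red-flag"), reasons
```
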




