[gnso-ff-pdp-may08] RSA Summary Data

[Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>]

Folks,

Finally got permission from the powers-that-be at RSA that this can be  
released and included in the public report appendices - with  
attribution to RSA of course.  More body-of-knowledge stuff to add to  
the overall picture here.  Thanks to Yinon Glasner of RSA for pulling  
this data together from their databases - I know all too well how hard  
it can be to get summary data from a database designed to run anti- 
crime operations!
Best,

Rod

Rod Rasmussen
President and CTO
Internet Identity
1 (253) 590-4088

Begin forwarded message:

> I hope this is of use, although the numbers are quite crude. I'll  
> start with some definitions and constraints related to the data:
> -          Most of the figures here are aggregated, and include Fast- 
> Flux attacks, Rock attacks and other phishing attacks which are  
> hosted on Botnets
> -          "Phishing attacks" – a "phishing attack" was counted as a  
> unique URL that targets a specific brand. For example – a single  
> Rock Phish domain, as you most definitely know, usually targets  
> several brands. Under the same domain, 5 different URLs can host  
> attacks against 5 different brands. So – we counted it as 5 distinct  
> Rock Phish attacks.
> -          In some cases I counted domains rather than "attacks". A  
> domain is, well, simply a domain… J
> -          Data range is January 08 – June 08
> -          In general, I think it will be very useful for you to say  
> that in usual months, Rock and/or Fast-Flux attacks constitute more  
> than 50% of all phishing attacks
>
> And now, the figures:
>
> 1.       The number of Rock Phish domains detected:
> Jan
> 403
> Feb
> 443
> Mar
> 450
> Apr
> 420
> May
> 461
> Jun
> 190
>
> 2.       The number of Fast-Flux / Rock Phish / Botnet phishing  
> attacks detected:
> Jan
> 770
> Feb
> 1158
> Mar
> 1408
> Apr
> 1647
> May
> 1866
> Jun
> 608
>
> 3.       The number of brands targeted by Fast-Flux / Rock / Botnet- 
> hosted attacks – 40
> 4.       The list of top-20 registrars where Fast-Flux / Rock /  
> Botnet phishing domains were registered in 2008 + the number of  
> attacks hosted on these domains. Top-20 registrars were measured by  
> the number of attacks, not domains.
> Now.cn
> 1031
> Eurodns.com
> 809
> 123-Reg
> 536
> WildWest Domains
> 505
> Key Systems
> 502
> HKDNR
> 406
> Melbourne IT
> 325
> PublicDomainRegistry
> 305
> Dot.tk
> 291
> Register.com
> 273
> Network Solutions
> 264
> Today Nic
> 251
> eNom
> 161
> Nic.St - ST Registry
> 150
> Yahoo
> 137
> Tucows
> 133
> COMMUNIGAL COMMUNICATIONS LTD
> 117
> IA Registry
> 115
> Bizcn
> 96
> Online SAS
>
>
> 5.       The list of countries where Fast-Flux / Rock / Botnet  
> phishing attacks were hosted (country determined by the domain  
> registrar's location):
> United States
> 2413
> China
> 1481
> Germany
> 482
> Luxembourg
> 472
> United Kingdom
> 452
> Hong Kong
> 406
> Tokelau
> 228
> India
> 196
> Australia
> 173
> Sao Tome Principe
> 149
> Afghanistan
> 148
> Israel
> 139
> France
> 128
> Canada
> 114
> Netherlands
> 83
> Ukraine
> 63
> Spain
> 56
> Belize
> 41
> Kyrgyzstan
> 39
> Turkey
> 36
> Switzerland
> 25
> Taiwan
> 22
> Belgium
> 19
> Sweden
> 17
> Estonia
> 16
>
> I hope this helps,
>
> Yinon Glasner | Fraud Intelligence Business Analyst, OTMS | Identity  
> and Access Assurance Group | RSA, The Security Division of EMC |  
> Phone: +972.9.9728158 | Please note that my email address has  
> changed to yinon.glasner@xxxxxxx