Re: [gnso-ff-pdp-may08] RSA Summary Data

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

Rod,

Yinon's used "country determined by the domain registrar's location". I 
suspect he means "registrar" in a sense other than what is customary in 
ICANN policy discussion, possibly meaning the location of the registrant 
(or the technical or administrative contact). As dubious as the value of 
that particular representation may be, taking the location of the 
registrar of record for the location of a domain registered through that 
registrar seems peculiar to me, unless the point is the legal regime to 
which the registrar is subject, which is necessarily outside the scope 
(sorry) of the ajurisdictional (or crypto-Californian jurisdiction via 
ICANN's choice of incorporation) nature of GNSO policy.
There is something I didn't expect to see in Yinon's data, a 
distribution by registrar not simply defined by total market share. In 
the registries question, other data showed com/net/cn/org/info/biz or 
there abouts (from memory), or to a first approximation, total market 
share. I suppose the existence of a village in Romania and other actual 
clusters of people engaged in network exploits may be manifested in the 
marketing footprints of various registrars, rather than what barriers 
they present to attempts to acquire a resource at less than cost.
Because we work in domains, not "attacks", could you add a note that 
translates Yinon's metrics into metrics we can use?
Eric



Rod Rasmussen wrote:
> Folks,
>
> Finally got permission from the powers-that-be at RSA that this can be 
> released and included in the public report appendices - with 
> attribution to RSA of course.  More body-of-knowledge stuff to add to 
> the overall picture here.  Thanks to Yinon Glasner of RSA for pulling 
> this data together from their databases - I know all too well how hard 
> it can be to get summary data from a database designed to run 
> anti-crime operations!
> Best,
>
> Rod
>
> Rod Rasmussen
> President and CTO
> Internet Identity
> 1 (253) 590-4088
>
> Begin forwarded message:
>
> > I hope this is of use, although the numbers are quite crude. I'll 
> > start with some definitions and constraints related to the data:
> > -          Most of the figures here are aggregated, and include 
> > Fast-Flux attacks, Rock attacks and other phishing attacks which are 
> > hosted on Botnets
> > -          "Phishing attacks" – a "phishing attack" was counted as a 
> > unique URL that targets a specific brand. For example – a single Rock 
> > Phish domain, as you most definitely know, usually targets several 
> > brands. Under the same domain, 5 different URLs can host attacks 
> > against 5 different brands. So – we counted it as 5 distinct Rock 
> > Phish attacks.
> > -          In some cases I counted domains rather than "attacks". A 
> > domain is, well, simply a domain… J
> > -          Data range is January 08 – June 08
> > -          In general, I think it will be very useful for you to say 
> > that in usual months, Rock and/or Fast-Flux attacks constitute more 
> > than 50% of all phishing attacks    
> >
> >  
> > *_And now, the figures:_*
> >  
> > 1.       The number of Rock Phish *domains* detected:
> > Jan
> >         
> > 403
> > Feb
> >         
> > 443
> > Mar
> >         
> > 450
> > Apr
> >         
> > 420
> > May
> >         
> > 461
> > Jun
> >         
> > 190
> >
> >  
> > 2.       The number of Fast-Flux / Rock Phish / Botnet 
> > phishing *attacks* detected:
> > Jan
> >         
> > 770
> > Feb
> >         
> > 1158
> > Mar
> >         
> > 1408
> > Apr
> >         
> > 1647
> > May
> >         
> > 1866
> > Jun
> >         
> > 608
> >
> >  
> > 3.       The number of brands targeted by Fast-Flux / Rock / 
> > Botnet-hosted attacks – 40
> >  
> > 4.       The list of top-20 registrars where Fast-Flux / Rock / 
> > Botnet phishing domains were registered in 2008 + *the number 
> > of* *attacks* hosted on these domains. Top-20 registrars were 
> > measured by the number of *attacks*, not domains.  
> >  
> > Now.cn
> >         
> > 1031
> > Eurodns.com
> >         
> > 809
> > 123-Reg
> >         
> > 536
> > WildWest Domains
> >         
> > 505
> > Key Systems
> >         
> > 502
> > HKDNR
> >         
> > 406
> > Melbourne IT
> >         
> > 325
> > PublicDomainRegistry
> >         
> > 305
> > Dot.tk
> >         
> > 291
> > Register.com
> >         
> > 273
> > Network Solutions
> >         
> > 264
> > Today Nic
> >         
> > 251
> > eNom
> >         
> > 161
> > Nic.St - ST Registry
> >         
> > 150
> > Yahoo
> >         
> > 137
> > Tucows
> >         
> > 133
> > COMMUNIGAL COMMUNICATIONS LTD
> >         
> > 117
> > IA Registry
> >         
> > 115
> > Bizcn
> >         
> > 96
> > Online SAS
> >         
> >  
> >
> >  
> > 5.       The list of countries where Fast-Flux / Rock / Botnet 
> > phishing *attacks* were hosted (country determined by the domain 
> > registrar's location):
> >  
> > United States
> >         
> > 2413
> > China
> >         
> > 1481
> > Germany
> >         
> > 482
> > Luxembourg
> >         
> > 472
> > United Kingdom
> >         
> > 452
> > Hong Kong
> >         
> > 406
> > Tokelau
> >         
> > 228
> > India
> >         
> > 196
> > Australia
> >         
> > 173
> > Sao Tome Principe
> >         
> > 149
> > Afghanistan
> >         
> > 148
> > Israel
> >         
> > 139
> > France
> >         
> > 128
> > Canada
> >         
> > 114
> > Netherlands
> >         
> > 83
> > Ukraine
> >         
> > 63
> > Spain
> >         
> > 56
> > Belize
> >         
> > 41
> > Kyrgyzstan
> >         
> > 39
> > Turkey
> >         
> > 36
> > Switzerland
> >         
> > 25
> > Taiwan
> >         
> > 22
> > Belgium
> >         
> > 19
> > Sweden
> >         
> > 17
> > Estonia
> >         
> > 16
> >
> >  
> > I hope this helps,
> >  
> > *Yinon Glasner* | Fraud Intelligence Business Analyst, OTMS 
> > | Identity and Access Assurance Group | **RSA, The Security Division 
> > of EMC** | Phone: +972.9.9728158 | Please note that my email address 
> > has changed to _yinon.glasner@xxxxxxx <mailto:yinon.glasner@xxxxxxx>_