Study Suggestion Number 13
- To: study-suggestions@xxxxxxxxxxxxxxxxxxxx
- Subject: Study Suggestion Number 13
- From: study-suggestion-response@xxxxxxxxx
- Date: Fri, 15 Feb 2008 12:44:58 -0800
Submitted By:
[Redacted for privacy reasons]
Topic:
We would like to see a study on the use of proxy and private registrations,
whether or not the occurrence of these types of registrations is increasing,
and how much the domains registered using proxy or private registrations are
used for phishing. In addition, we would like to determine whether a proxy or
private registration negatively impacts the time required to get a phishing
site disabled.
Hypothesis:
Proxy and private WHOIS records make the investigation and take down of
phishing sites difficult for a number of reasons. 1) If the phish site is
hosted on a legitimate domain, for example because the domain's webserver was
hacked by the phisher, it can be difficult to contact the owner of the domain
to help him or her rectify the problem. 2) The contact information in the
WHOIS record is often beneficial for disabling domains that were registered
specifically for phishing. This is because the person in the contact
information often knows nothing about the domain. When that contact
information is hidden behind proxy and private WHOIS records, proving that the
"owner" of the domain knows nothing about the domain is more difficult.
Both of these scenarios lengthen the time it takes to disable phish sites once
they have been discovered.
The APWG hypothesizes that there has been an increase in proxy and private
WHOIS records associated with newly registered domains. Our evidence is purely
anecdotal. Organizations that perform phish site shutdowns are reporting that
they run into these kinds of records "more often", but have not been
recording the number of proxy and private WHOIS records, so we do not have
historical statistics for comparison.
How the hypothesis could be falsified:
The hypothesis could be falsified by showing that there has not been an
increase in WHOIS records that have proxy or private registrations. Similarly,
it could be falsified by showing that there has not been an increase in domains
used for phishing where the WHOIS records use a proxy or privacy service.
Utility:
The APWG understands that there is a need for privacy of the data in WHOIS
records. We would like to find a balance between maintaining the privacy of
individuals while maintaining the security of the internet from phishers.
Therefore, our hope is that if there has been an increase of the use of proxy
and privacy services in WHOIS registrations that there could be a policy
adopted that allows certain organizations (like those affiliated with the APWG
and others) to access the data behind records that use private and proxy
registrations. We understand that there would need to be safeguards put in
place to prevent the abuse of this data access, but our hope is that this study
could help justify the formation of policy that gives immediate access to this
information in certain circumstances.
In addition, if the hypothesis is validated to be true, it would be beneficial
if a more efficient ICANN domain registration dispute mechanism could be
established for private and proxy domain names determined to be in use for
phishing purposes.
Type of Study Needed:
The APWG would like to see a quantitative study of the general use of proxy and
private registrations and, additionally, how they are used in phishing.
Questions we would like to see answered include:
- How popular are proxy and private registrations? Has the popularity of
these registrations changed over the past year?
- How many domains with proxy or private registrations are associated
with phishing sites?
- In the case that a proxy or private registration is in place, how
quickly does the proxy or the registrant respond to an inquiry related to
phishing?
- In the case that a proxy or private registration is in place, when the
proxy is contacted about a phishing event associated with that domain, how
quickly is action taken and how does that compare to the case where there is
not a proxy or private registration?
One suggested timeframe would be Jan-Dec, 2007. Note that APWG would be happy
to participate in a joint study or work with ICANN to make sure that they have
the data necessary to answer the questions above. For example, we could provide
a list of phishing domains and the timeframes in which they were active as well
as shutdown times for the corresponding domains.
Data that needs to be collected:
The APWG would be happy to supply data about domains used for phishing and the
shutdown times associated with those domains if that would be beneficial for
use in this study.
Population to be surveyed:
The data needed for this study is two-fold. The first data requirement is a
large control group of randomly selected domains that lived in the namespace in
2007 (we hope these could be provided by ICANN) with either the actual WHOIS
data for each domain or a categorization of whether they were registered via a
proxy or privacy service.
The second data requirement is the list of domains used in phishing (to be
supplied by the APWG), for which ICANN/SSAC can obtain the WHOIS data for and
determine if a proxy was used. Domains that appear in both lists could be
removed from the control group as we want to look at non-phishing vs. phishing
domains. With enough domains from both sets, the prevalence of proxy usage
amongst phishers vs. "regular" domain registrants could be determined. The
other question that can be answered from this data is the apparent impact on
phish site shut down times based on WHOIS record privacy. The APWG can supply
shutdown times.
Sample Size:
The APWG would like to have at least a 90% statistical confidence level based
on the sample size. There are two main areas to consider:
1) That there are enough domains from the APWG set to do a conclusive study.
In this case, domains that were registered for phishing should be considered as
well as domains for sites that were hacked to host a phishing site (but have a
legitimate domain owner). It is unclear how many of these will have proxy or
private registrations. Data collected over 24 consecutive months would be
desirable, but 12 consecutive months would be reasonable.
2) Getting a truly random sample of both newly registered and pre-existing
domains from 2007 with associated WHOIS records.
Feedback is desired from ICANN to determine proper sample size of domain names
known to be associated with phishing on a month-by-month basis, to assure
statistical relevance. It is anticipated these domain names would be supplied
by the APWG.
Type of Analysis:
The analysis that would be conducted is described in the response to question 5
above. In general, we would like a quantitative analysis on trends associated
with establishment of private/proxy domains with a correlating study of how
many of those domains were used in phishing. If possible, we'd also like to
understand how shut down times of phishing sites are impacted by proxy or
private WHOIS registrations.
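The comparison the study design describes (a control group of random domains, the APWG phishing list with overlap removed, proxy prevalence in each set, and shutdown times split by WHOIS privacy) worked through as an added example; this is not code from the submission, the domains, proxy flags and shutdown hours are constructed sample data, and the 90% confidence level is illustrated with a simple normal-approximation interval.

```python
# Added example, not part of the APWG submission. All data below is constructed.
import math
from statistics import median

# Constructed control group: (domain, registered_via_proxy_or_privacy_service)
CONTROL = [
    ("alpha.example", False), ("bravo.example", True), ("charlie.example", False),
    ("delta.example", False), ("echo.example", True), ("foxtrot.example", False),
    ("golf.example", False), ("hotel.example", True),  # also in the phishing set
]
# Constructed phishing set: (domain, registered_via_proxy, hours_until_shutdown)
PHISHING = [
    ("hotel.example", True, 72), ("india.example", True, 96),
    ("juliet.example", False, 24), ("kilo.example", True, 60),
    ("lima.example", False, 36), ("mike.example", False, 18),
]

def remove_overlap(control, phishing):
    """Drop control domains that also appear in the phishing list, so the
    comparison is non-phishing vs. phishing domains as the design requires."""
    phish_names = {row[0] for row in phishing}
    return [row for row in control if row[0] not in phish_names]

def proxy_rate(rows):
    """Share of records in a set that used a proxy or privacy service."""
    return sum(1 for row in rows if row[1]) / len(rows) if rows else 0.0

def confidence_interval(p, n, z=1.645):
    """Normal-approximation interval for a proportion; z=1.645 gives roughly the
    90% level the submission asks for. With small n (as here) the interval is wide,
    which is exactly why the study needs a large sample."""
    half = z * math.sqrt(p * (1 - p) / n)
    return (max(0.0, p - half), min(1.0, p + half))

def shutdown_by_privacy(phishing):
    """Median hours-to-shutdown for proxied vs. directly registered phishing domains."""
    proxied = [h for _, proxy, h in phishing if proxy]
    direct = [h for _, proxy, h in phishing if not proxy]
    return {"proxy": median(proxied), "no_proxy": median(direct)}

def analyze(control, phishing):
    """Run the full comparison and return the headline figures."""
    control = remove_overlap(control, phishing)
    p_phish, p_ctrl = proxy_rate(phishing), proxy_rate(control)
    return {
        "control_proxy_rate": p_ctrl, "control_ci90": confidence_interval(p_ctrl, len(control)),
        "phishing_proxy_rate": p_phish, "phishing_ci90": confidence_interval(p_phish, len(phishing)),
        "median_shutdown_hours": shutdown_by_privacy(phishing),
    }

if __name__ == "__main__":
    print(analyze(CONTROL, PHISHING))
```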