Study Suggestion Number 13
Submitted By: [Redacted for privacy reasons]

Topic: We would like to see a study on the use of proxy and private registrations, whether or not the occurrence of these types of registrations is increasing, and how much the domains registered using proxy or private registrations are used for phishing. In addition, we would like to determine whether a proxy or private registration negatively impacts the time required to get a phishing site disabled.

Hypothesis: Proxy and private WHOIS records make the investigation and takedown of phishing sites difficult for a number of reasons.
1) If the phish site is hosted on a legitimate domain, for example because the domain's webserver was hacked by the phisher, it can be difficult to contact the owner of the domain to help him or her rectify the problem.
2) The contact information in the WHOIS record is often beneficial for disabling domains that were registered specifically for phishing, because the person named in the contact information often knows nothing about the domain. When that contact information is hidden behind proxy and private WHOIS records, proving that the "owner" of the domain knows nothing about the domain is more difficult.
Both of these scenarios lengthen the time it takes to disable phish sites once they have been discovered. The APWG hypothesizes that there has been an increase in proxy and private WHOIS records associated with newly registered domains. Our evidence is purely anecdotal: organizations that perform phish site shutdowns report that they run into these kinds of records "more often", but have not been recording the number of proxy and private WHOIS records, so we do not have historical statistics for comparison.

How the hypothesis could be falsified: The hypothesis could be falsified by showing that there has not been an increase in WHOIS records that have proxy or private registrations. Similarly, it could be falsified by showing that there has not been an increase in domains used for phishing where the WHOIS records use a proxy or privacy service.

Utility: The APWG understands that there is a need for privacy of the data in WHOIS records. We would like to find a balance between maintaining the privacy of individuals and maintaining the security of the internet from phishers. Therefore, our hope is that if there has been an increase in the use of proxy and privacy services in WHOIS registrations, a policy could be adopted that allows certain organizations (like those affiliated with the APWG and others) to access the data behind records that use private and proxy registrations. We understand that safeguards would need to be put in place to prevent the abuse of this data access, but our hope is that this study could help justify the formation of policy that gives immediate access to this information in certain circumstances. In addition, if the hypothesis is validated, it would be beneficial if a more efficient ICANN domain registration dispute mechanism could be established for private and proxy domain names determined to be in use for phishing purposes.

Type of Study Needed: The APWG would like to see a quantitative study of the general use of proxy and private registrations and, additionally, how they are used in phishing. Questions we would like to see answered include:
- How popular are proxy and private registrations? Has the popularity of these registrations changed over the past year?
- How many domains with proxy or private registrations are associated with phishing sites?
- In the case that a proxy or private registration is in place, how quickly does the proxy or the registrant respond to an inquiry related to phishing?
- In the case that a proxy or private registration is in place, when the proxy is contacted about a phishing event associated with that domain, how quickly is action taken, and how does that compare to the case where there is not a proxy or private registration?
One suggested timeframe would be Jan-Dec 2007. Note that the APWG would be happy to participate in a joint study or work with ICANN to make sure that they have the data necessary to answer the questions above. For example, we could provide a list of phishing domains and the timeframes in which they were active, as well as shutdown times for the corresponding domains.

Data that needs to be collected: The APWG would be happy to supply data about domains used for phishing and the shutdown times associated with those domains if that would be beneficial for use in this study.

Population to be surveyed: The data needed for this study is two-fold. The first data requirement is a large control group of randomly selected domains that lived in the namespace in 2007 (we hope these could be provided by ICANN), with either the actual WHOIS data for each domain or a categorization of whether they were registered via a proxy or privacy service. The second data requirement is the list of domains used in phishing (to be supplied by the APWG), for which ICANN/SSAC can obtain the WHOIS data and determine if a proxy was used. Domains that appear in both lists could be removed from the control group, as we want to compare non-phishing vs. phishing domains. With enough domains from both sets, the prevalence of proxy usage amongst phishers vs. "regular" domain registrants could be determined. The other question that can be answered from this data is the apparent impact on phish site shutdown times based on WHOIS record privacy. The APWG can supply shutdown times.

Sample Size: The APWG would like to have at least a 90% statistical confidence level based on the sample size. There are two main areas to consider:
1) That there are enough domains from the APWG set to do a conclusive study. In this case, domains that were registered for phishing should be considered as well as domains for sites that were hacked to host a phishing site (but have a legitimate domain owner). It is unclear how many of these will have proxy or private registrations. Data collected over 24 consecutive months would be desirable, but 12 consecutive months would be reasonable.
2) Getting a truly random sample of both newly registered and pre-existing domains from 2007 with associated WHOIS records.
Feedback is desired from ICANN to determine the proper sample size of domain names known to be associated with phishing on a month-by-month basis, to assure statistical relevance. It is anticipated that these domain names would be supplied by the APWG.

Type of Analysis: The analysis that would be conducted is described in the response to question 5 above. In general, we would like a quantitative analysis of trends associated with the establishment of private/proxy domains, with a correlating study of how many of those domains were used in phishing. If possible, we'd also like to understand how shutdown times of phishing sites are impacted by proxy or private WHOIS registrations.
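As an added illustration of the comparison sketched under "Population to be surveyed" and "Type of Analysis" above (example code written for this page, not part of the APWG submission or of any ICANN/SSAC tooling), the Python below classifies WHOIS-style records as proxy/private with a keyword heuristic, computes proxy prevalence in a phishing set versus a control set with a 90% Wilson interval and a pooled two-proportion z statistic, and compares median hours-to-shutdown for proxy versus non-proxy phishing domains. The keyword list, the record fields, and every domain name, registrant and shutdown time are assumptions constructed for the example; a real study would classify against a curated list of proxy providers rather than keywords, which both miss providers and can mis-flag legitimate registrants.

```python
"""Added example: proxy/private WHOIS classification and the phishing-vs-control
comparison described in the study proposal. All records are constructed sample
data; the keyword heuristic is an assumption, not a definitive classifier."""
import math
import re
from statistics import median

# Assumed heuristic: registrant name/org/email naming a privacy or proxy service.
# A real study should match against a curated list of proxy providers instead.
PROXY_PATTERN = re.compile(r"privacy|private|proxy|whoisguard|redacted", re.IGNORECASE)


def rec(domain, name, org="", email="", shutdown_hours=None):
    """Build a minimal WHOIS-style record (constructed fields only)."""
    return {"domain": domain, "registrant_name": name, "registrant_org": org,
            "registrant_email": email, "shutdown_hours": shutdown_hours}


# Constructed control set: ordinary registrations, two behind a proxy service.
CONTROL_RECORDS = [
    rec("bakery-one.test", "Alice Example", "Bakery One", "alice@bakery-one.test"),
    rec("bakery-two.test", "Bob Example", "", "bob@bakery-two.test"),
    rec("club-three.test", "Registration Private", "Privacy Protect Service"),
    rec("shop-four.test", "Carol Example", "Shop Four GmbH", "carol@shop-four.test"),
    rec("blog-five.test", "Dan Example", "", "dan@blog-five.test"),
    rec("news-six.test", "On behalf of the owner", "Proxy Registration Service Inc."),
    rec("gym-seven.test", "Eve Example", "Gym Seven", "eve@gym-seven.test"),
    rec("cafe-eight.test", "Finn Example", "Cafe Eight", "finn@cafe-eight.test"),
    rec("studio-nine.test", "Gina Example", "", "gina@studio-nine.test"),
    rec("farm-ten.test", "Hank Example", "Farm Ten", "hank@farm-ten.test"),
]

# Constructed phishing set with hours from discovery to shutdown. The first two
# are hacked legitimate sites; the rest were registered for phishing.
PHISH_RECORDS = [
    rec("example-hardware.test", "Erin Example", "Example Hardware", "erin@example-hardware.test", 12),
    rec("town-library.test", "Frank Example", "Town Library", "frank@town-library.test", 18),
    rec("update-my-acct.test", "John Doe", "", "john@freemail.test", 24),
    rec("verify-id-now.test", "Jane Doe", "", "jane@freemail.test", 30),
    rec("secure-login-update.test", "Whois Privacy Service", "", "", 36),
    rec("mail-quota-reset.test", "WhoisGuard Protected", "", "", 40),
    rec("account-verify-now.test", "Proxy Registrant", "Proxy Registration Service Inc.", "", 48),
    rec("bank-alert-center.test", "REDACTED FOR PRIVACY", "", "", 52),
    rec("paymnt-confirm.test", "Private Registrant", "", "", 60),
    rec("signin-portal-check.test", "Contact Privacy Inc.", "", "", 72),
]


def is_proxy_registration(record):
    """True when any registrant field looks like a proxy/privacy service."""
    fields = (record["registrant_name"], record["registrant_org"], record["registrant_email"])
    return any(PROXY_PATTERN.search(f) for f in fields)


def proxy_prevalence(records):
    """Return (proxy_count, total) for a set of records."""
    return sum(1 for r in records if is_proxy_registration(r)), len(records)


def wilson_interval(k, n, z=1.645):
    """Wilson score interval for proportion k/n; z=1.645 is the 90% two-sided level."""
    if n == 0:
        return (0.0, 0.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (centre - half, centre + half)


def two_proportion_z(k1, n1, k2, n2):
    """Pooled z statistic for the difference between proportions k1/n1 and k2/n2."""
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (k1 / n1 - k2 / n2) / se


def shutdown_hours_by_privacy(phish_records):
    """Median hours-to-shutdown for proxy vs non-proxy phishing domains."""
    groups = {"proxy": [], "non_proxy": []}
    for r in phish_records:
        groups["proxy" if is_proxy_registration(r) else "non_proxy"].append(r["shutdown_hours"])
    return {k: (median(v) if v else None) for k, v in groups.items()}


def summarize(phish=PHISH_RECORDS, control=CONTROL_RECORDS, z=1.645):
    """Run the whole comparison; returns a dict so the numbers can be inspected."""
    kp, n_p = proxy_prevalence(phish)
    kc, n_c = proxy_prevalence(control)
    stat = two_proportion_z(kp, n_p, kc, n_c)
    return {"phish": (kp, n_p, wilson_interval(kp, n_p, z)),
            "control": (kc, n_c, wilson_interval(kc, n_c, z)),
            "z": stat, "differs_at_90pct": abs(stat) > z,
            "shutdown_hours": shutdown_hours_by_privacy(phish)}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With only ten domains per set the Wilson intervals are wide (roughly 0.07 to 0.46 for the control set, 0.35 to 0.81 for the phishing set), which is exactly why the submission asks ICANN for sample-size feedback: the interval width at a chosen confidence level, not the raw counts, decides whether a month-by-month comparison is meaningful. The hours-to-shutdown comparison is a descriptive median only; a real study would also need to control for whether the domain was registered for phishing or was a hacked legitimate site, since the submission expects those two cases to behave differently.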