October 29, 2008
Registrars Make Strides to Protect Internet From Phishing
The Anti-Phishing Working Group (APWG), in consultation with the ICANN Registrar Constituency and several domain name registrars, has published a "best practices" advisory for registrars to help them implement mechanisms to make it more difficult to register and use domains for illicit uses such as phishing, a confidence scheme used to dupe consumers out of personal financial information.
Several globally active registrars, including APWG members Go Daddy, the world's largest registrar and Network Solutions, the world's oldest commercial registrar, have already implemented or are planning to implement many of the best practices prescribed by the APWG's Anti-Phishing Best Practices Recommendations for Registrars, released this month.
The APWG's best practices advisory distills the counter-ecrime techniques of APWG membership, forged from their experiences as well as keystone policies of registrars who have already implemented them as safety measures to protect against the registration and use of domain names for phishing. The APWG worked closely with several registrars through ICANN's Registrar Constituency to ensure that the best practices were practical and applicable.
Anti-Phishing Best Practices Recommendations for Registrars advisory focuses on three principal areas in which house policy at registrars can help neutralize abusive domain registrations. Those include:
-- Proactive fraud screening: low user-burden processes that registrars can adopt to limit phishers' ability to complete fraudulent domain registrations on a large scale
-- Phishing domain takedown: best practices registrars can use to process the takedown requests in the most optimized fashion and suspend fraudulent domain registrations used in a phishing campaign
-- Evidence Preservation for Investigative Purposes: Data retention practices to save key evidence that can be later used by law enforcement to identify and prosecute the phishers.
Registrars, like Go Daddy, the world's largest, and Network Solutions, an Internet pioneer that was the first authorized to register domain names, are welcoming these guidelines to help domain name registrars make the Internet a safer place.
"Based on Network Solutions' experience, the APWG's best practices are effective tools in the fight against phishing, and we hope that more registrars will implement them as well," said Jon Nevett, Vice President of Policy for Network Solutions.
The APWG and its members were moved to develop and publish the advisory to staunch abuse of the Domain Name System (DNS) in phishing attacks and other electronic crimes by means of increasingly sophisticated schemes. Several of the most potent phishing techniques that have recently grown more prevalent require fraudulent domain registrations as their cornerstones.
Examples included so-called "fast-flux" attacks and the infamous "Rock" group's phishing sites, a technique used to hide counterfeit phishing websites by rapidly shifting the Internet Protocol (IP) address hosting the website, vastly complicating their removal as security professionals are forced to chase the sites from one IP address to the next.
"Go Daddy always has and always will work to combat online phishing and identity theft," said GoDaddy.com CEO and Founder Bob Parsons. "Our goal is to make the Internet a safer place for everyone. Not only does Go Daddy follow Best Practice guidelines, we employ a 24/7 Abuse Department to help identify and shutdown offenders. We challenge other registrars to put some teeth into fighting this epidemic, as well."
In addition to duping thousands of people out of their personal financial data and money, these attacks harm domain registrars with excessive credit card charge-backs and floods of complaints to their support desks, and paints registrars with a poor reputation. Protecting their reputation is becoming increasingly important to registrars as ISPs and others look to filter e-mail and web traffic for their customers to effectively combat fraud.
A domain registrar with a poor reputation, for example, is increasingly likely to see their domains blocked from access to large segments of the Internet. Thus there is a bottom-line impact to go along with helping to fight against e-crime, and the APWG is dedicated to helping registrars gain those benefits by implementing best practices.
Going forward, the APWG plans to continue to work with registrars to evolve the Anti-Phishing Best Practices Recommendations for Registrars advisory, keeping it up to date with contemporary phishing attack techniques that coopt the DNS - and to identify ways to implement correlative security measures in the most cost-effective and effective manner.
"We look forward to continuing to develop new and innovative ways to combat Phishing at the most basic level - at the time of domain registration," said Mr. Rasmussen.
The report is available in PDF format at: http://www.antiphishing.org/reports/APWG_RegistrarBestPractices.pdf
About the APWG: The APWG, founded as the Anti-Phishing Working Group in 2003, is an industry, law enforcement and government coalition focused on eliminating the identity theft and fraud that result from the growing problem of phishing, email spoofing, and crimeware. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community and solutions providers. There are more than 1,800 companies and government agencies worldwide participating in the APWG and more than 3,200 members. The APWG's Web site (www.antiphishing.org) offers the public and industry information about phishing and email fraud, including identification and promotion of pragmatic technical solutions that provide immediate protection. APWG's corporate sponsors include: 8e6 Technologies, AT&T (T), Able NV, Afilias Ltd., AhnLab, BillMeLater, BBN Technologies, BlueStreak, BrandMail, BrandProtect, Bsecure Technologies, Cisco (CSCO), Clear Search, Cloudmark, Cydelity, Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River, Earthlink (ELNK), eBay/PayPal (EBAY), Entrust (ENTU), Experian, eEye, Fortinet, FraudWatch International, FrontPorch, F-Secure, Goodmail Systems, Grisoft, GeoTrust, GlobalSign, GoDaddy, Goodmail Systems, GuardID Systems, HomeAway, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity, Internet Security Systems, IOvation, IS3, IT Matrix, Kaspersky Labs, Lenos Software, LightSpeed Systems, MailFrontier, MailShell, MarkMonitor, McAfee (MFE), MasterCard, MessageLevel, Microsoft (MSFT), MicroWorld, Mirapoint, MySpace (NWS), MyPW, MX Logic, NameProtect, National Australia Bank (ASX: NAB) Netcraft, NetStar, Network Solutions, Panda Software, Phoenix Technologies Inc. (PTEC), Phorm, The Planet, SalesForce, Radialpoint, RSA Security (EMC), SecureBrain, Secure Computing (SCUR), S21sec, Sigaba, SoftForum, SOPHOS, SquareTrade, SurfControl, Symantec (SYMC), TDS Telecom, Telefonica (TEF), Trend Micro (TMIC), Tricerion, TriCipher, TrustedID, Tumbleweed Communications (TMWD), SurfControl (SRF.L), Vasco (VDSI), VeriSign (VRSN), Visa, Websense Inc. (WBSN) and Yahoo! (YHOO).