<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Cyveillance Blog - The Cyber Intelligence Blog &#187; Deadline approaching for comments on the new ICANN gTLD proposed Application Guidebook-</title>
	<atom:link href="http://www.cyveillanceblog.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cyveillanceblog.com</link>
	<description>News and Information about Cyber Intelligence</description>
	<pubDate>Thu, 04 Dec 2008 17:50:23 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>Deadline approaching for comments on the new ICANN gTLD proposed Application Guidebook</title>
		<link>http://www.cyveillanceblog.com/domains-icann/deadline-approaching-for-comments-on-the-new-icann-gtld-proposed-application-guidebook</link>
		<comments>http://www.cyveillanceblog.com/domains-icann/deadline-approaching-for-comments-on-the-new-icann-gtld-proposed-application-guidebook#comments</comments>
		<pubDate>Thu, 04 Dec 2008 17:50:23 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Domain Names and ICANN]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=33</guid>
		<description><![CDATA[There are only a few days left to make a difference regarding the future of online corporate identity.  December 15, 2008 is the revised deadline to submit comments to ICANN (the Internet Corporation for Assigned Names and Numbers) regarding the proposed application guidelines for the recently approved gTLD (generic top-level domains) policy.  This affects all [...]]]></description>
			<content:encoded><![CDATA[<p>There are only a few days left to make a difference regarding the future of online corporate identity.  December 15, 2008 is the revised deadline to submit comments to ICANN (the Internet Corporation for Assigned Names and Numbers) regarding the proposed application guidelines for the recently approved gTLD (generic top-level domains) policy.  This affects all of us and the impact is potentially far-reaching and permanent.</p>
<p>ICANN, the governing body for the policy setting and management of Internet domains, recently adopted a new policy to allow virtually unlimited generic gTLDs. For example, in place of “.com”, “.org” or “.net”, you could register domains that end in your own company name or brand; Cyveillance, for instance, could register “.cyveillance” as its gTLD.  ICANN has promoted this new policy in the name of innovation, choice and change on the Internet. However, after close review and consultation with our own subject matter, fraud and legal experts, Cyveillance believes these new options pose no real benefits to our clients or their customers and, in reality, would expose them to significant online risks and serious loss of brand equity, and would undermine online consumer confidence worldwide.</p>
<p>As ICANN moves forward toward implementation and outlines its processes and procedures, it is readily apparent to Cyveillance that there are serious and dangerous flaws in its approach. Close scrutiny of the proposed procedures reveals:</p>
<p>1)    little to no protection for global trademark holders;<br />
2)    excessive administrative costs for applicants;<br />
3)    virtual total control by ICANN with no accountability;<br />
4)    exposure to increased fraud and legal liabilities for brand owners; and,<br />
5)    easy access to and control of core Internet infrastructure components for unscrupulous entities, ultimately threatening Internet commerce around the globe.</p>
<p>The following are some major concerns Cyveillance has with the proposed implementation of the ICANN policy:</p>
<ul>
<li>The gTLD application fee will be $185,000.00 for a single gTLD and it must be acknowledged that it is only “to obtain consideration” of an application and offers no guarantee that the application would be granted (the cost of registering a “dot com” domain is approximately $20). Given that there are currently over 180 million .com domains the total potential revenue to ICANN could be in the trillions of dollars. If only the Global 2000 applied, the administration cost alone (using ICANN’s own estimates) would be $370 Billion. Note that this estimate would only cover their corporate name and not their individual brand names and no other variation of the brand in order to protect them from cybersquatting or typopiracy.</li>
<li>The proposed gTLD guidebook provides that any community-based applications will take priority in the proposed application process. Enterprises and companies would have little recourse in acquiring gTLDs containing their own company or brand names.  For example, if the International Brotherhood of Magicians (<a href="http://www.magician.org" target="_blank">http://www.magician.org</a>) wanted to register “.IBM” according to the proposed procedures, they would potentially have priority over “.IBM”, not IBM Corporation. This outcome would not only cause market confusion but would lay the foundation for potential fraud targeting consumers worldwide.</li>
<li>If no community-based applications are presented other enterprises competing for a gTLD could be determined either between the competing parties or through an auction process (the one with the most money offered wins). There is no guarantee that the most appropriate trademark owner would retain a gTLD containing their brand name.</li>
<li>When objections arise, ICANN has devised a process whereby any dispute will be decided by a single arbitrator appointed by WIPO (World Intellectual Property Organization) with preference given to the community-based applicant.  There is a very serious potential legal problem by giving ultimate decision making authority to a single arbitration panelist appointed by an outside body. A process called “DRSP” (Dispute Resolution Service Provider) - a new form of a UDRP (Uniform Domain-Name Dispute-Resolution Policy, formed by ICANN) - can be filed and ICANN will appoint a single arbitration panelist to make the final determination.</li>
<li>However, the arbitration panelist’s decision will be final and will require all applicants to waive all legal rights, including the right to bring suit to overturn arbitrary or groundless decisions by a panelist. These arbitration decisions have the force of law and cannot be appealed.  ICANN would have complete authority and brand owners would have little or no ability to object. It also puts ICANN in the position of being an international governmental body - executive, legislative and judicial, all wrapped up in one.</li>
<li>Also, very importantly, ICANN is considering registry-registrar cross ownership.  For instance, a large corporation like IBM could select a company to manage its .IBM gTLD, and that company would act as manager of the domain (both registrar and registry).  This could be easily exploited by fraudsters and criminal syndicates that could control the Registry/Registrar/ISP chain, thereby making it nearly impossible to take a fraudulent site down and leaving the affected company with little recourse.</li>
<li>There are no mechanisms in place to ensure that a company awarded the registry/registrar application will have the resources (knowledge, technology and capital) to ensure the reliability and availability of the gTLD. For example, registry standards require six 9’s, i.e. 99.9999% reliability, availability, etc. This could easily degrade the performance and accessibility of all sites falling under a given new gTLD. The result could affect both the performance and security of not only a web site but email, applications and all infrastructure related to the new gTLD.</li>
<li>The potential for fraud is unlimited - organized criminal entities would have an equal opportunity to apply for these domains throughout this process. It will be even more difficult for companies to protect their customers from fraud through the use of their brand or become the victims of extortion by those who would hold the gTLD (with their legal trademark) for ransom. It will create an unprecedented confusion in the consumer market where a consumer will be unable to distinguish which is the VALID Domain: IBM.com/Sales or Sales.IBM.</li>
<li>Many large companies spend millions of dollars to manage their other domains. As a defensive tactic, these companies have purchased hundreds and possibly thousands of domains, mostly to simply protect their trademarks and brands.  This new ICANN policy will not eliminate the need for defensive registrations as some have claimed, but will actually increase the need, adding significant management time and expense to fully protect their brand and their customers.</li>
</ul>
<p>Cyveillance is not a registry or registrar and we do not receive any direct benefit regardless of the success or failure of this new policy. At Cyveillance our highest priority is to protect our clients and their brands from online threats.</p>
<p>Corporations and their brands will always need protection from unauthorized use, and therefore we will continue to work on our clients’ behalf to patrol the open source Internet as it continues to evolve. We believe that this new ICANN policy, once implemented, would have the potential to be extremely damaging and ultimately irreversible.</p>
<p>We highly recommend that you read through these issues and learn more about them. You can go to <a href="http://www.icann.org/en/topics/new-gtld-program.htm" target="_blank">http://www.icann.org/en/topics/new-gtld-program.htm</a> to learn the full details of the program and strongly encourage you to share this with the appropriate affected groups in your company.</p>
<p>For greater impact, we also strongly encourage you to submit your comments directly to ICANN. You can find the instructions on how to submit comments here:  <a href="http://www.icann.org/en/topics/new-gtlds/comments-en.htm" target="_blank">http://www.icann.org/en/topics/new-gtlds/comments-en.htm</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/domains-icann/deadline-approaching-for-comments-on-the-new-icann-gtld-proposed-application-guidebook/feed</wfw:commentRss>
		</item>
		<item>
		<title>A Contrary Perspective – Forced Data Sharing Will Decrease Performance and Reduce Protection</title>
		<link>http://www.cyveillanceblog.com/phishing/a-contrary-perspective-%e2%80%93-forced-data-sharing-will-decrease-performance-and-reduce-protection</link>
		<comments>http://www.cyveillanceblog.com/phishing/a-contrary-perspective-%e2%80%93-forced-data-sharing-will-decrease-performance-and-reduce-protection#comments</comments>
		<pubDate>Wed, 22 Oct 2008 21:00:34 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=31</guid>
		<description><![CDATA[By Eric Olson, Vice-President, Cyveillance, Inc.
The following post is in response to a presentation recently given at the APWG General Members Meeting and eCrime Researchers Summit by Tyler Moore and Richard Clayton:
http://www.apwg.org/events/2008_generalMeeting.html
http://www.ecrimeresearch.org/
http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/
Executive Summary
A.    Moore and Clayton are partly right – Every hour a phishing site is up equates to phished consumers and significant, real-dollar losses. [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-family: Arial;">By Eric Olson, Vice-President, Cyveillance, Inc.</span></p>
<p>The following post is in response to a presentation recently given at the APWG General Members Meeting and eCrime Researchers Summit by Tyler Moore and Richard Clayton:</p>
<p><a title="APWG General Meeting" href="http://www.apwg.org/events/2008_generalMeeting.html" target="_blank">http://www.apwg.org/events/2008_generalMeeting.html</a><br />
<a href="http://www.ecrimeresearch.org/" target="_blank">http://www.ecrimeresearch.org/</a><br />
<a href="http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/" target="_blank">http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/</a></p>
<p><strong>Executive Summary</strong><br />
A.    Moore and Clayton are partly right – every hour a phishing site is up equates to phished consumers and significant, real-dollar losses. Thus the speed of both detection and takedown is critical.<br />
B.    Superior speed and capability take massive investment in people, technology and systems, and that investment must produce an ROI or companies will stop making it.<br />
C.    Sharing the results of that investment would reward those who can’t perform on the dime of those who can.<br />
D.    This disincentive will push the competent to exit the market and spend their capital and expertise on other products.<br />
E.    This will rapidly result in poorer detection, fewer choices and longer takedown times when the banks have only the least competent vendors remaining to choose from.<br />
F.    There are other, less critical flaws in the proposal, which are noted as well.</p>
<p><strong>Full Brief</strong><br />
I read with interest the presentation entitled “The consequence of non-cooperation in the fight against phishing” by Tyler Moore and Richard Clayton.  The basic premise of their argument is that all “phishing takedown vendors” should be forced by the banks who are their clients to share phishing URLs immediately upon detection, ensuring the earliest possible initiation of takedown by a given bank’s vendor. I commend Messrs. Moore and Clayton for elucidating with their model that time is the critical matter in the detection and takedown of phishing sites.  This is illustrated in a conceptually-similar model we ourselves have developed here at Cyveillance (see graphic below). It too shows that every hour a phishing site is live equates to real customers phished and real-dollar impact.</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2008/10/phish_life_cycle.pdf">phish_life_cycle</a></p>
<p>However, if this model is true, then the market should reward superior performance and encourage investment in it, not mandate a process that would quickly lead to a decrease in available service and the voluntary exit from the industry by all but the least competent players.  Consider the following argument:</p>
<p><strong>1.  Lifespan time, not just takedown time, is the driver of dollars lost</strong><br />
First, it should be noted that the critical metric is the total lifespan of a phish from launch to takedown, not just from detection to takedown. As shown in the curve above, the financial impact is minimized by reducing both the time-to-detect and the time from detection to takedown.</p>
<p><strong>2.  Timely detection requires investment</strong><br />
While Cyveillance was not one of the two vendors profiled in Moore and Clayton’s analysis, I am sure our peers face the same challenges we do in solving this problem.  In order to detect phishing attacks in the shortest possible time, Cyveillance has systems that identify thousands of unique phish each day by examining content from billions of multilingual spam messages, a global array of honeypots, hundreds of thousands of new domain registrations, and all of our customers’ “abuse” messages on a minute-by-minute basis.  In the ever more critical quest for detection speed, Cyveillance has even developed a patented system that offers pre-attack intelligence before the phishing email is ever sent, allowing takedown to begin literally the minute the fake page is created.</p>
<p>According to hard data from customers who have objectively tested multiple vendors in “bake off” competitions, these investments have led to detection that often runs four to eight hours faster than other methods, and this is before takedown is even initiated.  Thus, even if all takedowns were of equal length and equal cost, superior detection performance can still provide significant hard-dollar savings. This performance gap came only at the cost of many millions of dollars in investment, and phishing evolves so fast that only constant, continued investment will enable vendors to keep pace with the criminals.</p>
<p><strong>3.  Faster takedown requires investment too</strong><br />
In reality, all takedowns are not created equal, nor are takedown vendors.  Streamlined, 24&#215;7 response and effective takedown processes require the hiring and training of expert, multi-lingual staff, development and continuous refinement of operating procedures, refined processes and building relationships with ISPs, CERTs, registrars, registries, hosting providers, search engine providers and law enforcement all over the world.  This too takes huge amounts of capital.  Here again, criminal innovations such as fast-flux and rockphish (or soon Pharming) attacks demand the constant evolution of processes and systems, as well as ever more skilled, experienced and talented (read as “higher-cost”) staff.</p>
<p><strong>4.  Disincenting Performance</strong><br />
The model that Moore and Clayton propose essentially suggests that those vendors who have invested millions of dollars and years of effort into the most innovative, competitive, effective and successful products should take the results of those efforts (and therefore the business value and pricing power earned by those investments) and give them, free of charge, to their feebler competitors.  Under such a model, what possible motive would our company have to continue investing in providing superior performance?</p>
<p>As an Executive Team, our responsibility is to allocate scarce resources, and we have a fiduciary responsibility to our investors to maximize the return on the capital with which they have entrusted us. What Moore and Clayton’s model would do, if implemented, is drive the capable, the flexible and the competent out of the market.  In very short order, by trying to “force cooperation” this proposal will actually eliminate the healthy competition that pushes performance ever upward, and leave banks with only the worst performers to choose from.  Certainly our systems, people, domain expertise and capital can easily be applied to other services instead, ones where we can compete fairly, charge a fair price and generate profits.</p>
<p>Though the word is sometimes maligned, it is only profit that allows us to continue to exist, to serve our customers, and even to “give back” to the industry and the community.  We are not opposed to sharing data where it is beneficial, or even to giving it away for free where we choose to do so.  Cyveillance does leverage its multi-million dollar platform for shared benefit in many areas, e.g. in providing data and analysis services pro bono to the National Center for Missing and Exploited Children.  We do this voluntarily because it is a cause we believe in, but any proposal that mandates giving away value robs every vendor of the profits necessary for them to continue to both provide valuable services and support philanthropic or charitable endeavors.</p>
<p><strong>5.  A final note –  Other flaws in the argument</strong><br />
While less critical, I find other flaws in the proposal as well.  First, no matter how automated, vendors have to invest some level of time and resources in detecting and delivering phish against a specific target or range of targets.  For example, if I am vendor A and I have been contracted by XYZ bank but not ABC bank, why would I devote resources to isolating phish against ABC bank? Who will bear each vendor’s costs of detecting phish for banks that are not paying them? Surely Messrs. Moore and Clayton do not suggest the industry should mandate that all vendors find and deliver phish against all banks as a charity initiative?</p>
<p>Second, on a related note, it should be evident that as a group, “the banks” have neither reason nor leverage to make the proposed demand for cooperation.  With very rare exceptions, each bank has decided on a single vendor.  What incentive would XYZ bank (my client) have to demand that I share my data with another vendor they don’t use? Similarly, what leverage does ABC bank (not my client) have to demand I share my data with the vendor they do use?  I don’t work for them.</p>
<p>Finally, Moore and Clayton hold up the anti-virus industry as a model where sharing among all the vendors works to everyone’s benefit.  There are two flaws with this argument.  First, A/V companies do have a mutual benefit from sharing. They know that every competitor collects and analyzes lots and lots of viruses before they do. Everyone has huge holes in coverage and analysis bandwidth, so they all could, in theory, benefit from pooling their knowledge.  The phishing space is much more narrowly and clearly defined, and the weaker vendors have essentially nothing to offer the stronger ones.  Thus, there is no incentive (barring Moore and Clayton’s proposed external demand) for any competent vendor to participate in the data sharing.  Only the weak players could love this idea.</p>
<p>Second and just as important, the hard data is that the A/V industry model, which they hold up as an example, isn’t actually working worth a hoot.  Despite the supposed pooling of information about viruses and malicious binaries across the industry, you can run any 100 pieces of malware through virustotal.com and you will see wildly different detection capabilities across dozens of “brand name” A/V engines.  (We’ve already done a much larger study on this point, and the results are appalling.  You can learn more on the subject here:  <a title="1H 2008 Fraud Report" href="http://www.cyveillanceblog.com/malware/how-protected-are-we-really-against-malware" target="_blank">http://www.cyveillanceblog.com/malware/how-protected-are-we-really-against-malware</a> )</p>
<p><strong>Conclusion</strong><br />
In closing, it seems that, although their notion of time-is-critical is absolutely correct, the solution is NOT forced exposure of valuable data developed at enormous cost, skill and investment.  It is to let the banks demand ever faster and more successful solutions of their vendors, with performance rewarded by patronage and profits, and non-performance rewarded with extinction.</p>
<p>Cyveillance offers SLAs on detection timeliness, accuracy and takedown times, by which we are rewarded for performance and penalized for non-performance.  This is the right approach.  Forced sharing of data would reward those who can’t make those guarantees with a free ride on the coattails of those who have spent millions so that they can.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/a-contrary-perspective-%e2%80%93-forced-data-sharing-will-decrease-performance-and-reduce-protection/feed</wfw:commentRss>
		</item>
		<item>
		<title>Nearly Seventy Percent of All Malware is Delivered via Drive-By Downloads</title>
		<link>http://www.cyveillanceblog.com/malware/nearly-seventy-percent-of-all-malware-is-delivered-via-drive-by-downloads</link>
		<comments>http://www.cyveillanceblog.com/malware/nearly-seventy-percent-of-all-malware-is-delivered-via-drive-by-downloads#comments</comments>
		<pubDate>Tue, 23 Sep 2008 19:56:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=30</guid>
		<description><![CDATA[There has been no shortage of press regarding malware on the Internet over the past several months. Malware continues to grow in volume and evolve in complexity. As security companies continue to address the problem, the number of Web sites that distribute the unwanted downloads is growing out of control.
What classifies a malware download as [...]]]></description>
			<content:encoded><![CDATA[<p>There has been no shortage of press regarding malware on the Internet over the past several months. Malware continues to grow in volume and evolve in complexity. As security companies continue to address the problem, the number of Web sites that distribute the unwanted downloads is growing out of control.</p>
<p>What classifies a malware download as a drive-by download? While there is no one standard definition, the problem can be described simply as a file downloaded to a user’s computer without permission or user action when visiting a Web site. This feat is typically accomplished by exploiting a vulnerability in the web browser or operating system.</p>
<p>So, with the exploding growth of malware on the Internet, how many malicious web sites distribute malware via drive-by downloads? Based on a sample of hundreds of thousands of malware distribution web sites discovered in the past 60 days, sixty-eight percent of malware distribution sites deliver malware via drive-by downloads.</p>
<p>Think about it: there are millions of malicious web sites on the Internet. Not only do you have the fear of your AV software not detecting malware on your computer, as described in an earlier Cyveillance report (http://www.cyveillance.com/web/forms/request.asp?getFile=111), but simply visiting a web site could infect your computer.</p>
<p>Users can minimize the risk of being infected by a drive-by download in several ways. One of the most effective protective measures is to use the more secure settings on your web browser. This may cause some inconvenience by requiring users to respond to security prompts when visiting feature-rich web sites, but it will reduce potential malware infections. Another common-sense protective measure is simply to avoid going to unfamiliar or disreputable web sites.</p>
<p>Additionally, security companies that provide user protection through desktop clients can significantly improve protection against drive-by downloads through the use of Cyveillance Malware Protection™. The service evaluates web sites with both signature-based and behavioral-based technologies. This multi-pronged approach to detecting online threats allows Cyveillance to collect the most comprehensive and up-to-date intelligence regarding new malware and attack methods.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/malware/nearly-seventy-percent-of-all-malware-is-delivered-via-drive-by-downloads/feed</wfw:commentRss>
		</item>
		<item>
		<title>Scads hurt everyone.</title>
		<link>http://www.cyveillanceblog.com/brand-protection/scads-hurt-everyone</link>
		<comments>http://www.cyveillanceblog.com/brand-protection/scads-hurt-everyone#comments</comments>
		<pubDate>Fri, 19 Sep 2008 17:51:45 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Brand Protection]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=29</guid>
		<description><![CDATA[What is a “scad”? Scads are deceptive sponsored search results that usually appear at the top and along the side of a web page. Deceptive sponsored search results (scam ads or scads) happen when advertisers misrepresent themselves by using brand names they aren&#8217;t affiliated with or authorized to use. This unauthorized use of a well-known [...]]]></description>
			<content:encoded><![CDATA[<p>What is a “scad”? Scads are deceptive sponsored search results that usually appear at the top and along the side of a web page. Deceptive sponsored search results (scam ads or scads) happen when advertisers misrepresent themselves by using brand names they aren&#8217;t affiliated with or authorized to use. This unauthorized use of a well-known brand can lead to consumer confusion, lost brand equity or worse.</p>
<p>Studies have shown that the majority of online consumers, over 90%, do not recognize the difference between a paid search result and a natural search result. While most online advertising using another company’s trademark is fairly innocuous and may eventually lead a consumer to a corporate website, many divert traffic away from the intended location.</p>
<p>Some online ads even go beyond simple brand misuse to blatantly deceptive ad language and positioning. In some cases, the purpose of the scad is to commit identity theft. By positioning bogus, or easily compromised, reservation or purchase pages criminals can easily capture personal credentials for illegal use. Even more alarming is the presence of malware. It has begun to appear in the underlying URLs of some advertisers; the exact rate of malware presence is unknown.</p>
<p>Recently, Cyveillance gave official support to an organization focused on combating this form of bait-and-switch and educating consumers. The Alliance Against Bait and Click (AABC), www.stopscads.org, launched in late July 2008 with the purpose of educating the average consumer about scads and ways to combat them.<br />
The AABC is made up of a diverse group of leading experts, organizations, and companies working together to stop bait and click and to make deceptive sponsored search results a thing of the past. Currently, many of the member organizations come from the hospitality industry, but the membership is quickly expanding to other industries that are sensitive to this issue. If your company is interested in joining, watch for upcoming meetings on the subject.</p>
<p>Cyveillance has long been aware of these scams and continually educates our clients about this form of brand dilution and traffic diversion.  For several years now Cyveillance has offered a Paid Placement Monitoring Solution to assist clients in identifying individuals or companies who bid on their trademarks and/or are using their brand without authorization.</p>
<p>For more information on Cyveillance or the AABC, please contact your Cyveillance Analyst or visit the AABC website at www.stopscads.org.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/brand-protection/scads-hurt-everyone/feed</wfw:commentRss>
		</item>
		<item>
		<title>Domain Registration Scam picks up in volume</title>
		<link>http://www.cyveillanceblog.com/domains-icann/domain-registration-scam-picks-up-in-volume</link>
		<comments>http://www.cyveillanceblog.com/domains-icann/domain-registration-scam-picks-up-in-volume#comments</comments>
		<pubDate>Tue, 09 Sep 2008 19:28:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Brand Protection]]></category>

		<category><![CDATA[Domain Names and ICANN]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=28</guid>
		<description><![CDATA[Cyveillance has recently observed an increase in the volume of spam email related to a domain registration scam. This scam typically targets individuals in Fortune 500 companies and attempts to create a sense of urgency around the need to register country code top-level domains (ccTLDs) before a fictitious holding company purchases them, making them unavailable. [...]]]></description>
			<content:encoded><![CDATA[<p>Cyveillance has recently observed an increase in the volume of spam email related to a domain registration scam. This scam typically targets individuals in Fortune 500 companies and attempts to create a sense of urgency around the need to register country code top-level domains (ccTLDs) before a fictitious holding company purchases them, making them unavailable. Many of the ccTLDs we have seen include:</p>
<p>•    net.cn<br />
•    org.cn<br />
•    hk<br />
•    tw<br />
•    com.tw<br />
•    asia</p>
<p>The scammers portray themselves as good corporate citizens by informing companies of the registration inquiry. However, we know better. Their agenda is to entice the target company into registering the Asian domains quickly at an artificially high rate.</p>
<p>Cyveillance recommends the following actions if/when someone in your organization receives one of these emails.</p>
<p>1.    Follow your company’s Domain Registration Policy. If you would like to own any of the domain names listed in the scam email, contact a reputable registry to purchase these domains through your normal channels.<br />
2.    Delete and ignore the messages as you do with conventional spam. You are not required to take any action, so do not respond or engage in negotiations with the scammers at all.<br />
3.    It is still your trademark/brand and you have a right to defend it. You should not be extorted into buying domains prematurely. If any of the domains listed in the emails are ever registered by companies that do not have a relationship with you, you have the right to send Cease &amp; Desist letters or to engage in the UDRP process to recapture that domain.</p>
<p>Shown below is just one example of the emails received.</p>
<blockquote><p>From: xxxxxxxxxxxxxxxxxxxxxxxxxx<br />
Sent: Wednesday, August 20, 2008 5:18 AM<br />
To: xxxxxxxxxxxxxxxxxxxxxxx<br />
Cc: Platinum Card Mailbox<br />
Subject: xxxxxxxxxxxxxxxxx Domain Names</p>
<p>Dear CEO,</p>
<p>We are SK Net Service Company Ltd, which is the domain name register center in China.I have something need to confirm with you.<br />
we have received an application formally,one company named &#8220;MAIRHK Holdings Limited&#8221; applies for the domain names<br />
xxxxxxxxxxxxxxxx.net.cn<br />
xxxxxxxxxxxxxxxx.org.cn<br />
xxxxxxxxxxxxxxxx.hk<br />
xxxxxxxxxxxxxxxx.tw<br />
xxxxxxxxxxxxxxxx.com.tw<br />
xxxxxxxxxxxxxxxx.asia<br />
and the internet Brand Name(xxxxxxxxxxxxxxxx)on the internet  Aug 19, 2008. We need to know the opinion of your company, because the domain names and keywords may relate to the usufruct of brand name on internet.<br />
we would like to get the affirmation of your company, please contact us by telephone or email as soon as possible. Please let someone in your company who is responsible for trademark or intellectual right contact me freely.</p>
<p>Best Regards,</p>
<p>Rock.Tian<br />
Sponsoring Registrar:<br />
SK Net Service Company Ltd<br />
Add: 3A, Units 20/F, Far East Consortium Bldg,<br />
121 Des Voeux Road, Central, Hong Kong<br />
Tel: +852-3075 9838<br />
Fax:+852-3177 1510  +852-3177 1520<br />
website:www.sknetservice.hk</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/domains-icann/domain-registration-scam-picks-up-in-volume/feed</wfw:commentRss>
		</item>
		<item>
		<title>How Protected Are We Really Against Malware?</title>
		<link>http://www.cyveillanceblog.com/malware/how-protected-are-we-really-against-malware</link>
		<comments>http://www.cyveillanceblog.com/malware/how-protected-are-we-really-against-malware#comments</comments>
		<pubDate>Fri, 29 Aug 2008 12:45:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=24</guid>
		<description><![CDATA[Fueled by scalability and ease of use, it is not surprising that malware attacks delivered via the Web have more than doubled in frequency. What is interesting is the creativity taken by malware writers to evade detection and mitigation through technical means and wider geographical distribution.
So the question remains, how safe is it to surf [...]]]></description>
			<content:encoded><![CDATA[<p>Fueled by scalability and ease of use, it is not surprising that malware attacks delivered via the Web have more than doubled in frequency. What is interesting is the creativity taken by malware writers to evade detection and mitigation through technical means and wider geographical distribution.</p>
<p>So the question remains, how safe is it to surf the Internet? The answer is not one people want to hear.</p>
<p>The reality: the majority of active malware attacks go undetected, with leading anti-virus (AV) solutions detecting only 50% of instances or less. These results came to light when we recently test-sampled malware that we routinely uncover against several of the top AV products. The findings were released in our “<a title="1H Fraud Report" href="http://www.cyveillance.com/web/forms/request.asp?getFile=111">1H 2008 Online Fraud Report</a>” and can be seen in the table below.</p>
<div>
<table border="1" cellspacing="0" cellpadding="4">
<thead>
<tr>
<th></th>
<th>F-Secure</th>
<th>Kaspersky</th>
<th>McAfee</th>
<th>Sophos</th>
<th>Trend Micro</th>
</tr>
</thead>
<tbody>
<tr>
<td>Average daily detection rate from 6/20/08 to 7/19/08</td>
<td>51%</td>
<td>35%</td>
<td>34%</td>
<td>55%</td>
<td>52%</td>
</tr>
</tbody>
</table>
</div>
<p>The fact that these results are based on a 30-day period only further emphasizes the dynamic nature and scalability of today’s malware attacks. Given the reactive nature of today’s AV detection technology, traditional AV solutions are inherently at a disadvantage when it comes to keeping up with constantly changing and emerging threats. Granted, no solution will ever be 100% effective against all real-time and zero-day threats, but by adding proactive intelligence-gathering techniques to reactive AV solutions, the gap between infection and protection can be greatly reduced.</p>
<p>Online criminals are using any and every means available to infect computers and evade detection. Online security solutions should take heed and implement a truly comprehensive approach to security that includes both defensive and offensive elements, or online criminals will remain one step ahead.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/malware/how-protected-are-we-really-against-malware/feed</wfw:commentRss>
		</item>
		<item>
		<title>Creativity and Sophistication in Recent Phishing Attack</title>
		<link>http://www.cyveillanceblog.com/phishing/creativity-and-sophistication-in-recent-phishing-attack</link>
		<comments>http://www.cyveillanceblog.com/phishing/creativity-and-sophistication-in-recent-phishing-attack#comments</comments>
		<pubDate>Mon, 14 Apr 2008 17:05:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=19</guid>
		<description><![CDATA[Cyveillance&#8217;s President and CEO, Panos Anastassiadis, was targeted by a new approach to an old scam, spear phishing. Earlier this morning, the following email was sent to Mr. Anastassiadis:

Like many other spear phishing attacks, the phisher performed research before launching his or her attack. Specifically, the individual was able to locate and use our CEO’s email address [...]]]></description>
			<content:encoded><![CDATA[<p>Cyveillance&#8217;s President and CEO, Panos Anastassiadis, was targeted by a new approach to an old scam, spear phishing. Earlier this morning, the following email was sent to Mr. Anastassiadis:</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2008/05/email11.jpg"><img class="alignnone size-medium wp-image-21" title="email11" src="http://www.cyveillanceblog.com/wp-content/uploads/2008/05/email11-293x300.jpg" alt="" width="293" height="300" /></a></p>
<p>Like many other spear phishing attacks, the phisher performed research before launching his or her attack. Specifically, the individual was able to locate and use our CEO’s email address and the Cyveillance phone number in the email. This information was used to build additional credibility for the attack.</p>
<p>The email instructed Mr. Anastassiadis to appear in the US Courthouse on May 7, 2008 and provided a link to download the subpoena for specific information. Clicking on the link takes you to the following page:</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2008/05/us-court1.jpg"><img class="alignnone size-medium wp-image-22" title="us-court1" src="http://www.cyveillanceblog.com/wp-content/uploads/2008/05/us-court1-300x205.jpg" alt="" width="300" height="205" /></a></p>
<p>As you can see, the Web page claims that the case has been closed and no further action is required from the visitor. However, clicking on the link will not only load this page, but will also download a Trojan-Downloader onto the computer that would not be detected by the majority of anti-virus products. Specific information about the malware used in the attack can be found at: <a href="http://www.virustotal.com/analisis/13bfb6913f9c328c7b657fce4ba4c731">http://www.virustotal.com/analisis/13bfb6913f9c328c7b657fce4ba4c731</a>.</p>
<p>The size of this attack is not yet known, but security managers should ensure that personnel, especially executives, are aware of this latest phishing attack vector.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/creativity-and-sophistication-in-recent-phishing-attack/feed</wfw:commentRss>
		</item>
		<item>
		<title>Google Policy Changes Impacts UK Brand Holders</title>
		<link>http://www.cyveillanceblog.com/brand-protection/google-policy-changes-impacts-uk-brand-holders</link>
		<comments>http://www.cyveillanceblog.com/brand-protection/google-policy-changes-impacts-uk-brand-holders#comments</comments>
		<pubDate>Fri, 11 Apr 2008 18:18:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Brand Protection]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=18</guid>
		<description><![CDATA[Beginning May 5, 2008, Google will no longer protect brand holders against competitors bidding on their trademarked terms in pay-per-click advertising.  Previously, Google Adwords policy allowed trademark holders to eliminate the unauthorized use of their trademarks as bid terms by competitors.   Brand Republic has the story here.
At best, the policy change will increase bid prices [...]]]></description>
			<content:encoded><![CDATA[<p>Beginning May 5, 2008, Google will no longer protect brand holders against competitors bidding on their trademarked terms in pay-per-click advertising.  Previously, Google Adwords policy allowed trademark holders to eliminate the unauthorized use of their trademarks as bid terms by competitors.   <a href="http://www.brandrepublic.com/login/News/801549/" target="_blank">Brand Republic has the story here</a>.</p>
<p>At best, the policy change will increase bid prices requiring advertisers to pay more for ads triggered by their own marks.  At worst, the policy may result in more widespread customer diversion as well as increase fraud-related activity that uses pay-per-click as the attack vector.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/brand-protection/google-policy-changes-impacts-uk-brand-holders/feed</wfw:commentRss>
		</item>
		<item>
		<title>Realistic Solution to the Malware Epidemic?</title>
		<link>http://www.cyveillanceblog.com/malware/realistic-solution-to-the-malware-epidemic</link>
		<comments>http://www.cyveillanceblog.com/malware/realistic-solution-to-the-malware-epidemic#comments</comments>
		<pubDate>Thu, 10 Apr 2008 19:12:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=17</guid>
		<description><![CDATA[It&#8217;s hardly newsworthy that security experts at the RSA Conference this week pointed to malware as the biggest threat facing the Internet today.  However, a more thought provoking, if not somewhat controversial idea about malware was put out there by a noted security expert who offered that “the most effective approach to tackling botnets would [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s hardly newsworthy that security experts at the RSA Conference this week pointed to malware as the biggest threat facing the Internet today.  However, a more thought provoking, if not somewhat controversial idea about malware was put out there by a noted security expert who offered that “the most effective approach to tackling botnets would be to impose penalties on people who allow their computers to become infected, making users take more responsibility.”  <a href="http://software.silicon.com/security/0,39024655,39185363,00.htm?r=2">Read the story here</a>. </p>
<p>While it’s critical that we explore new solutions, the idea of holding consumers responsible for becoming infected with malware is hard to imagine. For starters, given that between 20 and 40 percent of malware is <a href="http://www.itweb.co.za/sections/internet/2008/0803201038.asp?A=INT&amp;S=Internet&amp;T=News&amp;O=ST">not detected</a> by endpoint security software, is it reasonable to expect everyday Internet users to protect themselves from a continual barrage of malware-based attacks? Our best and brightest security experts have been unable to address the malware threat. Will a largely non-technical Internet audience significantly reduce malware problems because of the threat of penalties?</p>
<p>Clearly, consumers have a responsibility to take reasonable precautions in order to protect themselves from online attacks. But it’ll take new approaches by businesses, security providers and government to really make a dent in the problem. Consumers are the weak link in the security chain. Social engineering combined with increasingly sophisticated technical attacks are too much for the average Internet user to overcome. A big part of the malware solution has to be hardening the consumer against human-based vulnerabilities. Otherwise, we’ll create an Internet that is not practical for use by the average Joe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/malware/realistic-solution-to-the-malware-epidemic/feed</wfw:commentRss>
		</item>
		<item>
		<title>Cross Site Scripting Meets Search Engine Optimization</title>
		<link>http://www.cyveillanceblog.com/malware/cross-site-scripting-meets-search-engine-optimization</link>
		<comments>http://www.cyveillanceblog.com/malware/cross-site-scripting-meets-search-engine-optimization#comments</comments>
		<pubDate>Wed, 02 Apr 2008 22:46:46 +0000</pubDate>
		<dc:creator>Todd Bransford</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.cyberintelblog.com/?p=15</guid>
		<description><![CDATA[Yesterday&#8217;s revelation that certain Google search results contain tainted URLs that simultaneously take consumers to their intended site, as well as redirect them to a second site for the purpose of installing malware, shows the bad guys continue to get creative.  Read about it here in USA Today. Cross-site scripting, phishing and web-delivered [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday&#8217;s revelation that certain Google search results contain tainted URLs that simultaneously take consumers to their intended site, as well as redirect them to a second site for the purpose of installing malware, shows the bad guys continue to get creative.  Read about it here in <a href="http://sitelife.usatoday.com/ver1.0/Direct/Process" target="_blank">USA Today</a>. Cross-site scripting, phishing and web-delivered malware are not new threats, but the combination of these elements along with proven search engine optimization techniques poses a pretty lethal combination.</p>
<p>Hopefully, Google will take steps to protect its customers from these attacks.  Web site operators can do their part, too.  You can help protect your Web site from cross site scripting attacks by ensuring that your application performs validation of all headers, cookies, query strings, form fields and hidden fields.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/malware/cross-site-scripting-meets-search-engine-optimization/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
