It is true, as Richard Clayton said:
"Security vendors are happy to accept inflated (and ever-increasing) statistics to make the problem seem more important and even PhishTank trumpets the increase in the number of reports rather than their true uniqueness."
http://www.lightbluetouchpaper.org/2007/05/16/how-quickly-are-phishing-websites-taken-down
However, it is equally dangerous, in my opinion, to play down the "Super User", the "uber attacker" threat. Those guys are more real and active than ever:
"We also identified a significant subset of websites (over half of all URLs being reported to the PhishTank database we used) which were clearly being operated by a single “rock-phish” gang." (from Richard's post linked above)
Now, this is real data that you can translate into probabilities... e.g. you have over 50% probability to be phished by the same "uber gang" and that a new innovation from "Super User" attackers increased the median of phishing web site availability by 300% (see the same post).
The author seems to be missing the basic understanding of the value chain in online threats: the role of "tool builders" (usually v. smart) vs "data collectors" etc. There is just a passing reference to a potential for "Super users" producing tools for "script kiddies" and then: "Superusers inhabit the Internet, but they are often so uncommon as safely to be ignored."
Even if it was the case that "some online crimes are committed by ordinary users much more often than by Superusers" - who did produce the tools used to commit those crimes? The ordinary users themselves? I doubt so.
I am also concerned by the dismissal of all computer experts as ignorant to risk assessment:
"Computer experts rarely assess a risk of online harm as anything but, “significant,” and they almost never compare different categories of harm for relative risk. "
If this was the case, selling security would've been a walk in the park :) Just claim that a new tool "significantly reduces the risk" and you'll have buyers fighting for it. What actually happens is that "computer experts" are spending a lot of time on trying to quantify the risk reduction and ultimately Return on Investment with different degrees of success.
Anyway, of course, there is no silver bullet and, of course, measuring anything, assessing the threats etc. is helpful. I am just not sure that the main claim of the article is true, the "Super user" is not a myth, they are live and kicking and now, more than ever, their time and effort could be easily monetized with a very low risk. More thought on the subject: http://blog.cronto.com/index.php?title=phishing_reloaded
Posted by Igor Drokov at May 17, 2007 03:04 PM

Hey Igor, thanks for your comment.
How did you make the jump from "rock-phish gang" ==> SuperUser?
I don't get it. The Phishing industry is widely known to be pretty simple stuff. Hell, we can buy the tools to do it, it is industrialised on a scale that we've never seen before, and it is totally well understood what they are doing.
Uber gang != Uber user. If anything it is the other way around, the industrialisation has shown that it is possible to commoditise every part, they don't need experts. Even the so-called tool producers are not doing anything but automating fairly unsophisticated parts, in a chain, bit by tiny bit.
There is no Uber-attacker here. Track back the sophistication of phishing attacks and we can see that they evolved only slightly each month.
His point is also that we all want to believe in the Uber-attacker, the superuser. That makes us feel better about being powerless, after all these years of hanging it out, claiming to be professionals. "We were beaten by a better enemy" is kind of OK, honourable. "We were beaten by idiots using our own hubris against us" isn't much fun.
Posted by Iang at May 17, 2007 03:34 PM

Ian,
Just to state my position, I do agree that the phishing/spam etc. are a big problem because of the scale rather than because the attacks are especially clever. I further agree that using the line that attackers outsmart the defenders is also weak.
However, my point is that if it is easy to make money for average attackers, imagine how much more money can a clever well-organised group make...
"The Phishing industry is widely known to be pretty simple stuff. Hell, we can buy the tools to do it, it is industrialised on a scale that we've never seen before, and it is totally well understood what they are doing."
I'd respectfully disagree... until the Security group guys (links above) actually monitored the phishing activity on a fairly low level, most anti-phishing suggestions didn't see the need to go beyond collecting and validating phishing urls...
In particular, the "fast-flux" technique they discovered is a very clear indicator that those guys are not sitting back with their feet up, but looking for more efficient ways to make more money with less risk...
From the paper:
"While we were collecting data for this paper the gang introduced a new system dubbed `fast-flux', with trials in February and wider deployment from March onwards. They arranged for their domains to resolve to a set of five IP addresses for a short period, then switched to another five. This of course `eats up' many hundreds of IP addresses a week, but the agility makes it almost entirely impractical to `take down' the hosting machine".
http://www.cl.cam.ac.uk/~rnc1/weis07-phishing.pdf
So, my point being that those guys are clever and constantly innovating which makes them "SuperUser" in the terms of the article you refer to (unless I'm missing the point). Hence, it is dangerous, in my opinion, to overlook the increasing sophistication of the most efficient attackers.
I would also like to re-iterate that I am not advocating some magic technology solution. If anything the research by the Security group suggests that a lot could be done by improving collaboration between ISP/registrars and phish targets. At the same time, if one assumes that "the Phishing industry is widely known to be pretty simple stuff" then we will keep fighting yesterday's war...
Posted by Igor Drokov at May 18, 2007 06:07 AM

> I'd respectfully disagree... until the Security group guys (links above) actually monitored the phishing activity on a fairly low level, most anti-phishing suggestions didn't see the need to go beyond collecting and validating phishing urls...
I don't follow who the "Security group guys" are ... I had a quick look at that paper. It's good stuff, and it is good that the broader academic community is now taking the activity seriously, perhaps in the face of lack of progress in the commercial world. But it suffers from the normal academic embarrassment of too much evaluation, too much reliance on academic peers, and too little broad thought.
If they said "most anti-phishing suggestions didn't see the need go beyond collecting and validating phishing urls..." then they are wrong, but this is typical in the academic world.
I'd say that they also fall into the trap of the Superuser / uber-attacker myth.
"a new and particularly pernicious category of phishing site called ‘rock-phish ’, which simultaneously impersonates many banks and regularly cycles through domain names and IP addresses."
Pernicious ==> devilishly evil ==> Uber-attacker, Superuser.
What is pernicious about impersonating many banks at the same time? Fast-flux? ... So what? Are they saying the phishers are stoopid? Should be stupid? Are they saying that the phishing response to the take-down technique is "oh, bummer, that's torn it, let's go home now?"
The situation is that we are facing a competent enemy, and because they keep winning, the enemy shows us up as incompetent. But if we can make them out to be the uber-attacker, that might make us feel better about it!
Phishing is an evolution stretching back to 1996 or 1997. They have a decade of experience in small steps. They are not superusers in any heroic extraordinary sense, they are just competent guys doing competent work, albeit criminal.
Posted by Iang at May 18, 2007 07:12 AM

I should point out that the academic literature is also in a trap of its own making: they tend to want to make out the attacker as devilishly clever, so as to increase the excitement level, and show their work in a better light.
It simply looks bad, unexciting, to go to a peer-review committee and say that the "enemy is competent, nothing special, he's like the average programmer down the hall."
Far better to say "I talk today of an enemy not seen since the days of Moriarty..."
This is a widely known (and indeed researched) problem in the academic world. There are studies that show that the number of papers confirming hypotheses with results far outweighs those that deny or do not confirm hypotheses. Yet anecdotally speaking, there is much more balance. The difference is due to many factors, mostly academically unsound ones such as the above.
Posted by Iang at May 18, 2007 07:20 AM

"If they said "most anti-phishing suggestions didn't see the need go beyond collecting and validating phishing urls..." then they are wrong, but this is typical in the academic world."
Just to make it clear, these are my words, not theirs...
Also, no one is claiming to have found "an enemy not seen since the days of Moriarty...", yet they did shed some lights on the new techniques employed, by what appears to be, the most successful phishing group. They also follow up with good recommendations. What's wrong with that?
If I understand correctly, it is your position, not theirs - "the phishers are stoopid" doing "pretty simple stuff".
Again, no one is claiming that the threats are coming from Nobel prize candidates :) but to say that everyone on the other side is just average would be a mistake as well.
Posted by Igor Drokov at May 18, 2007 10:23 AM

One needs to look at our figures and analysis carefully before doing calculations or drawing conclusions. First, about 50% of all phishing URLs in the collections we looked at are rock-phish, but once one canonicalises and removes the dross they're only 419 out of 1707. However, phishing victims are driven to the sites by spam email -- and here the rock-phish mail is around half. So it's this latter figure -- which we only have the broadest of estimates for -- which leads to the 50% chance of phished by a particular gang.
Second, the innovation (of fast-flux) isn't new to them (so no uber-behaviour here), but it was a change in behaviour during the measurement period. Our observations showed that it worked to extend phishing site lifetimes, though we don't speculate why this was -- there's no obvious reason for a ".com" domain name to stay up longer by exploiting fast-flux, and the associated IP address lifetime was essentially unchanged. We commented that it is hard to take down the hosting machine (the abuse@ person who checks out the report can't see the sites in an off-the-shelf web-browser once the DNS changes), but that's not an issue for the registrar.
Third : "But it suffers from the normal academic embarrassment of too much evaluation, too much reliance on academic peers, and too little broad thought." hmmm..... it's necessary to evaluate results, not just provide a table of website lifetimes, and there's also an obligation in all academic work to discuss the work by your peers, so as to set your work into context and distinguish what your contribution is. In fact, we don't cite much other work because no-ones done similar measurements before (though there has been some work looking at clusters of phishing sites).
As to broad thought, we're not writing a book on the whole phishing phenomenon -- we're just looking to see whether take-down does any good (we think it does, but it can't be the only strategy).
Fourth: what's "particularly pernicious" about rock-phish? Quite clearly they're better at their jobs when compared to everyone else (we may be able to pick out some other gangs in the future, and they may well be better than the mass as well, since the mass isn't necessarily any good at all!) Anyway, we show that phishing visitors turn up at a site over several days -- and the rock-phish site URLs are working for twice as long as normal URLs, 8 times as long when using the fast-flux scheme. So "exceedingly harmful" or "highly injurious or destructive" seems an OK word for phishing, and "particularly" is, I think, justified by the data.
Fifth: are all phishers stoopid? Well, some are! They leave their toolkits lying around, and some also leave their collected data in full view. Others leave records of who they are, where they think no-one can see. Do they go home after a take-down... well I doubt it. But we've other data (in papers to come) showing that Yahoo! removes sites 7 times faster than a comparable .ru site --- so it's pretty stupid to keep on using Yahoo! yet some of them do.
Finally, I don't think we can say whether the rock-phish gang are inherently clever, or whether they've just experimented a great deal and have stuck with the methods that work. Darwin was right about many things! Also, since we're measuring website lifetime (only one part of the way that you'd measure success for a phishing operation) then you need to keep the humble wood-louse in mind. If you look under a log in the forest you'll find lots of wood-lice. Is that because they like it there? or merely that it's cooler, and so they don't move as fast as they do out in the sunlight?
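The fast-flux behaviour quoted from the paper earlier in the thread (a domain resolving to five addresses for a short period, then five others) and the take-down problem described in the last comment (the abuse@ recipient no longer sees what the reporter saw) can both be reproduced on a small constructed DNS history. This is an added defender-side illustration, not code from the thread or the paper; the domain names, addresses (documentation ranges), observation timings and the flux thresholds are all assumptions.

```python
# Constructed DNS observations: (minute offset, domain, A records seen).
# Hypothetical names and documentation-range addresses, not real infrastructure.
OBSERVATIONS = [
    (0,  "login-update.example", {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "198.51.100.5"}),
    (20, "login-update.example", {"198.51.100.6", "198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"}),
    (40, "login-update.example", {"198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14", "198.51.100.15"}),
    (60, "login-update.example", {"198.51.100.16", "198.51.100.17", "198.51.100.18", "198.51.100.19", "198.51.100.20"}),
    (0,  "ordinary-shop.example", {"203.0.113.5", "203.0.113.6"}),
    (20, "ordinary-shop.example", {"203.0.113.5", "203.0.113.6"}),
    (40, "ordinary-shop.example", {"203.0.113.6", "203.0.113.5"}),
    (60, "ordinary-shop.example", {"203.0.113.5", "203.0.113.6"}),
]


def history(observations, domain):
    """Time-ordered (minute, frozenset of IPs) answers seen for one domain."""
    return sorted((t, frozenset(ips)) for t, d, ips in observations if d == domain)


def flux_stats(hist):
    """Churn figures: how many distinct IPs the domain has pointed at, and how
    many consecutive answers share no address at all (a full swap of hosts)."""
    distinct = set().union(*(ips for _, ips in hist)) if hist else set()
    swaps = sum(1 for (_, a), (_, b) in zip(hist, hist[1:]) if a.isdisjoint(b))
    return {"distinct_ips": len(distinct), "full_swaps": swaps, "answers": len(hist)}


def looks_fast_flux(hist, min_distinct=10, min_swaps=2):
    """Heuristic flag (thresholds are assumptions): a domain that has burned
    through many addresses and fully swapped its answer set more than once."""
    s = flux_stats(hist)
    return s["distinct_ips"] >= min_distinct and s["full_swaps"] >= min_swaps


def report_verifiable(hist, reported_at, checked_at):
    """Would an abuse report filed at `reported_at` (naming the addresses seen
    then) still match what the recipient resolves at `checked_at`?"""
    def answer_at(t):
        past = [ips for ts, ips in hist if ts <= t]
        return past[-1] if past else frozenset()
    return not answer_at(reported_at).isdisjoint(answer_at(checked_at))


if __name__ == "__main__":
    for domain in ("login-update.example", "ordinary-shop.example"):
        h = history(OBSERVATIONS, domain)
        print(domain, flux_stats(h), "fast-flux" if looks_fast_flux(h) else "stable",
              "report at t=0 still checks out at t=60:", report_verifiable(h, 0, 60))
```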