A new report by the Interisle consulting group confirms what will come as no great surprise to anyone: with COVID idling so many hands and more of us relying on the internet, bad actors are taking advantage of the situation, especially with respect to the growth of phishing.
In fact, IC3, the FBI’s Internet Crime Complaint Center, reported in congressional testimony that as of June 11, 2020, daily cybersecurity complaints had spiked from 1,000 to 4,000 and that cyber attacks on financial institutions had increased by 238%. Phishing remains the most common complaint to the organization, as it has been for the past decade. In IC3’s 2019 Crime Report, phishing was cited as the cause of complaint by nearly one-third of all those who reported to IC3.
So it is particularly timely that the Interisle Consulting Group has just published, during ICANN’s virtual meeting ICANN69, its most recent study of the phishing landscape. The Interisle study includes some striking data and observations. Importantly, it shows that phishing incidents continue to increase and that registries and registrars could help the situation by being proactive and suspending more phishing and malware-related domains.
Unfortunately, it has long been known that ICANN’s last-minute implementation of its temporary policy for storing and revealing registrant contact data, and that policy’s implementation by ICANN contracted parties (registries and registrars), have consistently thwarted security investigators who are trying to stop phishing and malware attacks. This point has been documented by a joint survey conducted by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
Slow and Unwieldy Mitigation
Our own Appdetex mitigation efforts show that, of over 1,100 requests to registries, registrars, and privacy and proxy services for registrant contact data for domains involved in phishing and malware attacks, a scant 6.2% resulted in the provision of that data. This information is essential for cybersecurity professionals in their investigation and mitigation of these threats, including helping registrants who are unwittingly enabling attacks because their site has been hacked. And, though the average life of a phishing attack is approximately five days, it takes an average of over seven days for the registrars, registries, and proxy services that do cooperate with these important requests to supply that data.
In addition, in some cases where registries and registrars are trying to cooperate with security investigations, their data arrives long after the phishing attack is over and the culprit has moved on to their next target. As a result, as indicated by the IC3 report, millions of Internet users are left to suffer the pain and effort of repairing their financial situation and credit rating.
The often-cited DNS Abuse Framework, which defines abuse as phishing, malware and other egregious issues, was an attempt by the contracted parties and their allies to address DNS abuse mitigation, and it is a good start. However, the work is currently not codified in internet policy, nor is it captured in ICANN contracts. As a result, the DNS Abuse Framework is largely unhelpful, as indicated by the results of the Appdetex queries, mentioned earlier, for registrant data related specifically to phishing and malware attacks. Shouldn’t we rethink domain name system security policy as it relates to phishing and malware attacks, and as it pertains to the responsibility of domain name registries and registrars to act quickly to mitigate abuse?