Anti-Phishing and Hong Kong

By James Seng

Planning for a short trip to Hong Kong tomorrow reminded me of Jonathan Shea, something I wanted to blog about but was waiting for the hype around the new generic Top-Level Domains (TLDs) to cool down. Jonathan Shea is an old friend who is in charge of ".hk". I had the pleasure of catching up with him at the Paris ICANN meeting.

Before Jonathan, let me talk about something related that happened in Paris. At the Cross Constituency Meeting, there was a presentation by the Anti-Phishing Working Group (APWG). In summary, they were proposing working with registries to take down domain names that are suspected to be involved in phishing.

Now, I am for anti-phishing as much as any other reasonable person, and for doing our best to combat Internet scams. But what they are proposing scared the hell out of me: Take down domain names suspected of phishing?

What happened to the legal maxim, "Innocent Until Proven Guilty"?

Now, I can hear some objections: these phishers are sneaky bastards who have adopted "hit-and-run" tactics. The entire phishing attack can be over within 24 hours or less, and thus we need to react before they claim more innocent victims.

That's true, but it is not an excuse to override the basic principles of legal enforcement. Just because a thief can commit a crime in less than 5 minutes does not mean we stop treating the suspect as innocent until proven guilty. Neither do we lock down the house or the store while we investigate, which is, in a way, what was proposed.

After Wendy Seltzer raised some concerns, I stood up and asked two questions:

(1) How does APWG determine that a domain is a phishing domain eligible for takedown?

All I got was a hand-waving answer that it is complicated and there was no time to go into details. I am not sure whether they differentiate between intentional phishing and a site or domain that was hacked or hijacked. I am not even sure how they determine that a site is indeed phishing. If I put up a spoof making fun of a bank's bad service, would I be the target of a takedown?

(2) How effective is a domain name takedown if the phishers can easily use IP addresses instead of domain names?

Once again, he dodged the question without giving any data, but at least his answer was more plausible: one should make use of every mechanism available to fight the problem. Nevertheless, I remain unconvinced that taking down domain names would deter the phishers, as they can easily use IP addresses instead. Do we then go to the Regional Internet Registries (RIRs) and ISPs to blackhole the routing for an attack that might last merely hours?

I might be more open to a takedown that is temporary, an emergency one-off measure for an attack that significantly threatens the general public or the normal operation of the Internet, and where we can show that the best way to stop that specific attack is in the DNS.

However, I am not convinced ICANN and the registries are the best places to deal with the problem in the long term on a continuous basis. I think this is a classic case of "if we have a hammer (i.e. ICANN), everything looks like a nail".

This is not to say registries don't play a part in anti-phishing. This is where I go back to Jonathan and HKIRC (.hk).

McAfee published a report, Mapping the Mal Web Revisited, in May. The report said "Hong Kong (.HK) soared in 2008 to become the most risky country TLD".

Obviously, this report upset quite a few people, including Hong Kong Internet veterans like Charles Mok and Pindar Wong (see IT360). Jonathan contested that the report is unfair because its data points are from 2007, whereas the problem had been substantially reduced by early 2008.

What has been done by HKIRC is a model of what I think the registries should adopt:

  1. In March 2007, HKIRC worked with HKCERT and the HK Police Force on procedures to verify whether a .hk domain name has been used for phishing. They are also working with OFTA, the local regulatory body, which will provide a definite list of .hk domain names involved in spamvertising in July 2008.
  2. In July 2007, HKIRC tightened their online payment system (HKIRC is also the registrar) so that stolen and lost credit cards cannot be used. In early 2008, they also developed an internal auditing system that flags suspicious registrations, which are then processed manually and require additional documentary proof from the registrant.

An example of what triggers the flagging: when a domain name is known to be a phishing site from OFTA's definite list, the other domain names registered by the same registrant are treated as suspicious and sent for manual review.
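As an added example, not HKIRC's own code, here is that registrant-linkage heuristic written as an audit step in Python: domains on the regulator's list are routed to the verification procedure, and sibling domains of the same registrant are only flagged for manual review. The registrant identifier field and all domain names are assumptions and constructed sample values.

```python
# Added example (not HKIRC's code): registrant-linkage audit modelled on the
# HKIRC procedure above. Listed domains go to verification; other domains of
# the same registrant are only flagged for review, never taken down here.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Registration:
    domain: str
    registrant_id: str  # assumed internal account identifier

def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so list and registry entries match."""
    return domain.strip().lower().rstrip(".")

# Constructed sample data; placeholder names under example.hk, not real domains.
REGISTRATIONS = [
    Registration("bank-login.example.hk", "R-1001"),
    Registration("Login-Verify.example.hk", "R-1001"),
    Registration("secure-update.example.hk", "R-1001"),
    Registration("cheap-pills.example.hk", "R-1001"),
    Registration("florist.example.hk", "R-2002"),
    Registration("school.example.hk", "R-3003"),
]

# Constructed stand-in for the regulator's definite list; one entry is not
# registered in this registry at all and must simply be ignored.
CONFIRMED_PHISHING = ["bank-login.example.hk", "login-verify.example.hk.", "not-ours.example.hk"]

def audit(registrations, confirmed):
    """Return (verify, review): domains to send through the HKCERT/police
    verification procedure, and sibling domains flagged for manual review
    with the reason for each flag."""
    registered = {normalize(r.domain): r.registrant_id for r in registrations}
    by_registrant = defaultdict(set)
    for domain, rid in registered.items():
        by_registrant[rid].add(domain)
    confirmed_set = {normalize(d) for d in confirmed}
    # Only confirmed domains that actually live in this registry are actionable.
    verify = sorted(d for d in confirmed_set if d in registered)
    review = {}
    for d in verify:
        rid = registered[d]
        # Every other domain of that registrant is suspicious, not guilty.
        for sibling in sorted(by_registrant[rid] - confirmed_set):
            reason = f"same registrant {rid} as confirmed phishing domain {d}"
            review.setdefault(sibling, []).append(reason)
    return verify, review
```

Domains held by unrelated registrants (R-2002, R-3003 in the sample) are never touched, and each flagged domain carries the list of confirmed domains that implicated it, so the manual reviewer can see why it was selected.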

What HKIRC did is non-intrusive and does not disrupt registrants. It also does not presume suspects guilty or take down domain names on mere suspicion. They work with regulators and the police to make sure they get the right people. They let judges do their job and determine guilt or innocence.

Most importantly, these measures have been effective in curbing the problem.

By James Seng, Vice President.


Comments

... and how did you think OFTA got that list, James? Suresh Ramasubramanian  –  Jul 15, 2008 8:59 PM PDT

They got it from "industry sources" - like us for instance, and like the SURBL blocklist (www.surbl.org). Just like the APWG does. The list wasn't "definitive", trust me.

The advantage HKDNR had back then was that most - over 99% of the domains registered on the .hk ccTLD over several months - being reported were also clearly fraudulent (over 13,000 domains, bought using stolen credit cards with bogus whois data, most often the contact details of the holder of the credit card, and with random looking gmail and yahoo accounts as the domain whois contact).

So, credit to them for finally stepping up to the plate, deactivating the phish domains and putting in place due diligence measures to prevent future fraudulent signups.

Registrars who get such data aren't expected to shut them all down blindly .. not by us, not by APWG. They just get a list of domains that's been found in spam reports, found by passive DNS and other research methods etc. And they can apply other metrics to this, in order to deactivate them.

ps: Please read my previous CircleID article on this Suresh Ramasubramanian  –  Jul 15, 2008 9:43 PM PDT

http://www.circleid.com/posts/hk_the_most_unsafe_domains/

I had lunch with Jonathan James Seng  –  Jul 16, 2008 4:36 AM PDT

I had lunch with Jonathan and Pindar today.

How OFTA obtains the list, be it from SURBL or their own, is something internal to OFTA. The point of my article is that HKIRC did not take any list from anyone except their own government regulator, i.e., OFTA.

No domain names have been taken down without verification. HKIRC has a dispute procedure. Of all the takedowns, only 2 filed a dispute and, upon further defense, the 2 of them did not pursue. That's how targeted they are in their takedowns, not 99%, not 98%, but 100%. That's the other point of my article - 99% is not good enough in this particular case.

In the zeal of the pursuit of spammers and phishers, sometimes people forget there are innocent parties who might get entangled unintentionally. No one, no domain, should be presumed to be spamming or phishing, unless proven guilty.

As for your article in June, you are probably accurate, although Jonathan would probably repeat it in a more positive light. The anger among the HK veterans is because they deny .HK had a problem, but that the McAfee report is based on data points that were a year old, when the problem had long been resolved (6 months at least).

among the HK veterans is James Seng  –  Jul 16, 2008 4:37 AM PDT

among the HK veterans is *not* because they deny .HK had a problem

Yes I also pointed out that the McAfee report was based on stale data, as you can see Suresh Ramasubramanian  –  Jul 16, 2008 4:48 AM PDT

Hi James -

Any registrar must do their own due diligence before taking domains down, just that a huge percentage of the domains registered under the .hk ccTLD were by pill spammers, for a long period of time (if you don't believe me then you might want to look at the several hundreds of new domains we were blocking, every week).

HKDNR did due diligence on this and took them down.

They are free to get information from OFTA, or the HK CERT, who can source them from external sources. Or they can source them from external sources themselves, do their own due diligence and take action on those domains. They don't particularly need OFTA commanding them to do it.

A lot of HK policy is based on self regulation, and HKDNR's own terms and conditions allowed them to take down fraudulently registered domains. They just had to apply those. And it is best practice for registrars (and HKDNR is both a registry and a registrar if I'm not wrong).

I did say in my previous article and in my reply above that HKDNR had a problem for several months and then they fixed it. I have heard some people argue that if HKDNR can wait for several months before fixing such a grave problem, they really shouldn't complain if McAfee reports on the problem several months after it is finally fixed.

I have heard the above opinion expressed, though I don't necessarily share it; I am just glad that HKDNR did take action to resolve this.

HKDNR agreement dated 2006 .. Suresh Ramasubramanian  –  Jul 16, 2008 4:52 AM PDT

https://www.hkdnr.hk/register/registraion_agreement.jsp

especially these. Now, a domain that sells fake stocks, fake pills etc., is used on botnets, and has patently fake whois information would violate at least some of these clauses, thus voiding the contract the registrant had with the HK registrar and registry, who would just be following best practices adopted by a wide variety of registrars when they shut such domains off.

See below.

3.6 Representations and warranties by you

(a) to the best of your knowledge and belief, the Domain Name you are applying for will not infringe or otherwise violate the legal rights of any third party;

(c) your use of the Domain Name shall be bona fide for your own benefit and shall be for lawful purposes;

(d) you will not knowingly use the Domain Name in violation of any applicable laws and regulations;

(e) all information you or your Agent provides to us, including further additions or alterations to such information, is true and accurate; and