4 X Security Team

To share phishing URLs, or not to share? That’s the rhetorical question, since sharing ultimately serves the final customer and ensures a lower average time for a phishing site to remain online. In a recently published research (The consequence of non-cooperation in the fight against phishing) Tyler Moore and Richard Clayton analyze the current state of delayed data sharing, and argue that the impact of non-cooperation among vendors is resulting in an estimated $326 million annual loss :

“The paper contains all the details, and gives all the figures to show that website lifetimes are extended by about 5 days when the take-down company is completely unaware of the site. On other occasions the company learns about the site some time after it is first detected by someone else; and this extends the lifetimes by an average of 2 days. Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

Not surprisingly, our paper suggests that the take-down companies should be sharing their data, so that when they learn about websites attacking banks they don’t have contracts with, they pass the details on to another company who can start to get the site removed.”

Why wouldn’t “take-down companies” be interested in sharing the data so that more customers get protected by visiting a phishing site that has already been shut down? Because the process of taking down phishing sites has been commercialized by vendors diversifying their fraud protection and brand reputation services a long time ago. Such competition is in fact supposed to provide more value to the end users, since on their way to achieve better results than the competing company, the vendor will inevitably start taking down phishing sites more efficiently. However, as long as data is not shared so that a particular company can claim that it’s taking down phishing sites faster than the other, the end users remain at risk.

In a related research published by Symantec in 2007, the company analyzed the average online time for phishing sites and argued that the take-down process is greatly affected based on the country the site is hosted in :

“Public phishing statistics often report the overall number of attacks hosted in a specific country, but this is not the only interesting detail: phishing attacks are more dangerous when they can “survive” online until the majority of potential victims open the phish email. Our analysis shows how ISPs in some countries are relatively slower than others to shut down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 92 attacks, while in Australia the average for 98 attacks has been almost one week for a single shutdown. Other countries slow to respond include the USA and India. Countries identified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia.”

Non-profit community driven projects such as Phishtank and StopBadware.org are great examples of how this sharing mentality can protect most end users, so feeding these services with phishing/malware URLs in between ensuring that a phishing email never actually gets the chance to reach the inbox of an end user at the first place, is the way to go. Moreover, phishing emails are only part of the problem since banker malware has gotten so efficient and sophisticated, that I can easily argue that more money are at stake due to the increasing number of people infected with banker malware, compared to those interacting with phishing emails, since the banker malware remains active long after the phishing site has been shut down. Competitive practices must be balanced with social responsibility, which is where sharing of data comes into play.

[Source: zdnet]