[CPWG] CircleID: New Data Reveals Phishing Attacks Are Bigger Than Reported, Exact Size of Problem Unknown

Theo Geurts atlarge at dcx.nl
Wed Oct 14 12:14:58 UTC 2020


The report looks pretty accurate to me. 

I can't entirely agree with the researchers regarding the WHOIS statements.

From my extensive research in BEC and Bank Phishing, an obvious pattern has emerged in the last few years.
Of course, I have access to the registrant data of the ICANN and ccTLD registrars on our platform (Registrar As A Service), and the researchers of the report do not.

What I observe is the following in 95% of all the cases I investigate.

 * Address data is 100% accurate but does not belong to the criminals.
 * Address data like street, city, zip code, country code can be cross-validated on every level.
 * Email addresses used can be obtained by anyone and are always free. However, the smarter criminals use encrypted, zero-knowledge email providers.
 * IP addresses used by criminals usually belong to zero knowledge VPN providers. 
 * Or these criminals use TOR.

Zero-knowledge providers are usually providers who do not have information about their users, or it is all encrypted. Even if a law enforcement officer has a court order, there is not any useful information.

FakeID generators are available to everyone. And there are some perfect ones out there.
During our investigation into BEC fraud with assistance from the security firm https://telsy.com, I noticed that each domain name had a unique registrant.
We suspect this is done to obstruct investigations and make detection harder. We still see this practice repeatedly with other forms of DNS Abuse, not just limited to BEC. But it was our 2018 investigation into BEC that made it clear that these criminals have become ghosts.
The arrest rate of these criminals is dramatically low. In general, arrest rates are low when it comes to cybercrime.
Botnet operators like Emotet are untouched since 2014; we have no idea who they are.
Ransomware operators like Maze, CLoP, CryLock, DoppelPaymer, Nemty, Nephilim, Netwalker, ProLock, Pysa, Ragnar, REvil/Sodinokibi, Sekhmet, Snake, Snatch continue to hijack entire networks.
LG, Garmin, Canon, Xerox, Jack Daniels, and so many more have become victims. We do not know who they are even after years of research into these groups.


The time that you could reverse search a telephone number through the WHOIS and detect more registrations by a criminal is long gone.

Is WHOIS useless? No, depending on what you are investigating, WHOIS can still be useful even if the registrant data is bogus.  We are currently examining Bahamut, a group of cyber mercenaries wreaking havoc in the Middle East, and we could still obtain some leads. Very thin leads, but Bahamut is a formidable adversary employed by hostile governments to attack other countries.

For investigations into Phishing, more clues can be found in the infrastructure used by criminals. Usually, we connect the dots much more easily by investigating the technical infrastructure than we would with WHOIS.

Again, I still have access to WHOIS data, so I was able to witness the transition. Criminals have become very smart; something financial banks experience day in, day out.

My advice to the ICANN community: set accountable goals/results for contracted parties rather than resurrecting the WHOIS.
Explore incentives for CPs. The RrSG abuse group will be releasing a whitepaper on that (hopefully soon). It would be great if we can get input on that from everyone.

You made it to the end of my email. Thanks for reading. 

Theo

On Wed, Oct 14, 2020, at 12:33 AM, Olivier MJ Crépin-Leblond wrote:
> A CircleID article published today can feed concerns about Domain Name abuse:
> 
> http://www.circleid.com/posts/20201013-new-data-reveals-phishing-attacks-are-bigger-than-reported/
> 
> The article quotes a report from Interisle Consulting Group that highlights phishing activity in both legacy and new gTLDs.
> 
> Kindest regards,
> 
> Olivier