Phishing and the gaining of "clue"

Tyler Moore and I are in the final throes of creating a heavily revised version of our WEIS paper on phishing site take-down for the APWG eCrime Researchers Summit in early October in Pittsburgh.

One of the new results is that we have looked at take-down times for phishing sites hosted at alice.it, a provider of free webspace. Anyone who signs up (some Italian required) gets a 150MB web presence for free, and some of the phishing attackers are using the site to host fraudulent websites (mainly eBay, in various languages, but with a smattering of PayPal and Posteitaliane). When we generate a scatter plot of the take-down times we see the following effect:

Take-down times for phishing sites hosted at alice.it

The sloping line from mid April to early May indicates that for several weeks almost no sites were removed at all, and then they were pretty much all removed at once. Thereafter, with occasional blips, sites were removed within a day or so.

We ascribe this pattern to a learning process — initially alice.it either wasn’t receiving complaints (because eBay didn’t know where to send them, or spam filters rejected them) or alice.it weren’t acting upon them (they weren’t in Italian, or the seriousness of the complaint wasn’t appreciated, or there wasn’t a proper policy in place for dealing with phishing). One can only speculate (and there are many more possible reasons than the ones I’ve just guessed at) as to why the sites weren’t removed… but at some point “clue” was gained by all concerned, and thereafter things have worked just fine (albeit the take-down is not as quick as at some other free-hosting sites, but that’s another story for another day).

We went looking for similar patterns elsewhere, and turned up two more — the removal rate of “rock-phish” domains in the .hk (Hong Kong) and .cn (China) top level domains. The same pattern is present — and in each case you can pick out the date when clue was obtained:

Take-down times for .hk rock-phish domains
Take-down times for .cn rock-phish domains
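To make the pattern in these plots concrete, here is an added example (my own illustration, not code from the paper) that picks the "clue" date out of a constructed set of (reported, removed) date pairs. The dates and counts are made up to mimic the alice.it shape; the one idea it encodes is that a batch of sites all removed on the same day shares one removal date, which is exactly what draws the sloping line in a scatter plot of lifetime against report date.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed sample of (date reported, date removed) pairs modelled on the
# alice.it pattern: sites reported over several weeks all come down on one
# clean-up day, after which new sites are removed within about a day.
CLEANUP = date(2007, 5, 4)  # constructed clean-up day, not a date from the post
SAMPLE = [(date(2007, 4, 10) + timedelta(days=3 * i), CLEANUP) for i in range(8)]
SAMPLE += [(date(2007, 5, 6) + timedelta(days=2 * i),
            date(2007, 5, 6) + timedelta(days=2 * i + 1)) for i in range(8)]


def lifetime_days(reported, removed):
    """Take-down time for one site, in whole days."""
    return (removed - reported).days


def mass_removal_days(records, min_sites=3):
    """Removal dates shared by at least min_sites sites. Every site in such a
    batch has the same removal date, so its lifetime falls by one day for each
    day later it was reported: the sloping line in the scatter plot."""
    counts = Counter(removed for _, removed in records)
    return sorted(d for d, n in counts.items() if n >= min_sites)


def clue_summary(records, min_sites=3):
    """Treat the last mass-removal day as the point where 'clue' was gained
    and compare median take-down times for sites reported before and after it."""
    batches = mass_removal_days(records, min_sites)
    if not batches:
        return None
    clue = batches[-1]
    before = [lifetime_days(r, x) for r, x in records if r < clue]
    after = [lifetime_days(r, x) for r, x in records if r >= clue]
    return {
        "clue_date": clue,
        "batch_sites": sum(1 for _, x in records if x == clue),
        "median_before": median(before) if before else None,
        "median_after": median(after) if after else None,
    }


if __name__ == "__main__":
    print(clue_summary(SAMPLE))
```

On real data the batch threshold and the date window would need tuning, but the same grouping by removal date is enough to spot a clean-up day in a provider's or registry's take-down history.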

The important thing to note about the data presented in this article is that the world is chock-a-block with free webspace providers, registries, registrars and, for that matter, ISP abuse teams who will be asked to remove phishing sites from other types of webspace. Although some will have had experience of take-down procedures (they have gained “clue”), many will not. What that means is that phishers who are mobile, continually changing providers, will benefit from slower take-down times as clue is slowly disseminated across the whole industry, one place at a time.

The only way to avoid this continual drip-feed of “clue” into the industry will be for far wider awareness of what is going on, and the techniques the phishers are using. We hope that, in our own little way, we are contributing to that.