[news release] The Anti-Phishing Working Group (APWG), in consultation
with the ICANN Registrar Constituency and several domain name
registrars, has published a "best practices" advisory for registrars to
help them implement mechanisms to make it more difficult to register
and use domains for illicit uses such as phishing, a confidence scheme
used to dupe consumers out of personal financial information.
Several globally active registrars, including APWG members Go Daddy,
the world's largest registrar and Network Solutions, the world's oldest
commercial registrar, have already implemented or are planning to
implement many of the best practices prescribed by the APWG's
Anti-Phishing Best Practices Recommendations for Registrars, released
this month.
"It has been great to see registrars take phishing prevention
seriously," said Rod Rasmussen, co-chair of the APWG's Internet Policy
Committee and President of InternetIdentity of Tacoma, WA. "Since
phishing campaigns often start with a domain registration, the domain
name registrars are in the perfect position to make phishing more
difficult."
The APWG's best practices advisory distills the counter-ecrime
techniques of APWG membership, forged from their experiences as well as
keystone policies of registrars who have already implemented them as
safety measures to protect against the registration and use of domain
names for phishing. The APWG worked closely with several registrars
through ICANN's Registrar Constituency to ensure that the best
practices were practical and applicable.
Anti-Phishing Best Practices Recommendations for Registrars advisory
focuses on three principal areas in which house policy at registrars
can help neutralize abusive domain registrations. Those include:
proactive fraud screening: low user-burden processes that registrars
can adopt to limit phishers' ability to complete fraudulent domain
registrations on a large scale
phishing domain takedown: best practices registrars can use to process
the takedown requests in the most optimized fashion and suspend
fraudulent domain registrations used in a phishing campaign
evidence Preservation for Investigative Purposes: Data retention
practices to save key evidence that can be later used by law
enforcement to identify and prosecute the phishers.
Registrars, like Go Daddy, the world's largest, and Network Solutions,
an Internet pioneer that was the first authorized to register domain
names, are welcoming these guidelines to help domain name registrars
make the Internet a safer place.
"Based on Network Solutions' experience, the APWG's best practices are
effective tools in the fight against phishing, and we hope that more
registrars will implement them as well," said Jon Nevett, Vice
President of Policy for Network Solutions.
The APWG and its members were moved to develop and publish the advisory
to staunch abuse of the Domain Name System (DNS) in phishing attacks
and other electronic crimes by means of increasingly sophisticated
schemes. Several of the most potent phishing techniques that have
recently grown more prevalent require fraudulent domain registrations
as their cornerstones.
Examples included so-called "fast-flux" attacks and the infamous "Rock"
group's phishing sites, a technique used to hide counterfeit phishing
websites by rapidly shifting the Internet Protocol (IP) address hosting
the website, vastly complicating their removal as security
professionals are forced to chase the sites from one IP address to the
next.
"Go Daddy always has and always will work to combat online phishing and
identity theft," said GoDaddy.com CEO and Founder Bob Parsons. "Our
goal is to make the Internet a safer place for everyone. Not only does
Go Daddy follow Best Practice guidelines, we employ a 24/7 Abuse
Department to help identify and shutdown offenders. We challenge other
registrars to put some teeth into fighting this epidemic, as well."
In addition to duping thousands of people out of their personal
financial data and money, these attacks harm domain registrars with
excessive credit card charge-backs and floods of complaints to their
support desks, and paints registrars with a poor reputation. Protecting
their reputation is becoming increasingly important to registrars as
ISPs and others look to filter e-mail and web traffic for their
customers to effectively combat fraud.
A domain registrar with a poor reputation, for example, is increasingly
likely to see their domains blocked from access to large segments of
the Internet. Thus there is a bottom-line impact to go along with
helping to fight against e-crime, and the APWG is dedicated to helping
registrars gain those benefits by implementing best practices.
Going forward, the APWG plans to continue to work with registrars to
evolve the Anti-Phishing Best Practices Recommendations for Registrars
advisory, keeping it up to date with contemporary phishing attack
techniques that coopt the DNS - and to identify ways to implement
correlative security measures in the most cost-effective and effective
manner.
"We look forward to continuing to develop new and innovative ways to
combat Phishing at the most basic level - at the time of domain
registration," said Mr. Rasmussen.
The report is available in PDF format at: www.antiphishing.org/reports/APWG_RegistrarBestPractices.pdf.
About the APWG: The APWG, founded as the Anti-Phishing Working Group in
2003, is an industry, law enforcement and government coalition focused
on eliminating the identity theft and fraud that result from the
growing problem of phishing, email spoofing, and crimeware. Membership
is open to qualified financial institutions, online retailers, ISPs,
the law enforcement community and solutions providers. There are more
than 1,800 companies and government agencies worldwide participating in
the APWG and more than 3,200 members. The APWG's Web site (www.antiphishing.org)
offers the public and industry information about phishing and email
fraud, including identification and promotion of pragmatic technical
solutions that provide immediate protection. APWG's corporate sponsors
include: 8e6 Technologies, AT&T (T), Able NV, Afilias Ltd., AhnLab,
BillMeLater, BBN Technologies, BlueStreak, BrandMail, BrandProtect,
Bsecure Technologies, Cisco, Clear Search, Cloudmark, Cydelity,
Cyveillance, DigiCert, DigitalEnvoy, DigitalResolve, Digital River,
Earthlink, eBay/PayPal, Entrust, Experian, eEye, Fortinet, FraudWatch
International, FrontPorch, F-Secure, Goodmail Systems, Grisoft,
GeoTrust, GlobalSign, GoDaddy, Goodmail Systems, GuardID Systems,
HomeAway, IronPort, HitachiJoHo, ING Bank, Iconix, Internet Identity,
Internet Security Systems, IOvation, IS3, IT Matrix, Kaspersky Labs,
Lenos Software, LightSpeed Systems, MailFrontier, MailShell,
MarkMonitor, McAfee, MasterCard, MessageLevel, Microsoft, MicroWorld,
Mirapoint, MySpace, MyPW, MX Logic, NameProtect, National Australia
Bank, Netcraft, NetStar, Network Solutions, Panda Software, Phoenix
Technologies Inc., Phorm, The Planet, SalesForce, Radialpoint, RSA
Security, SecureBrain, Secure Computing, S21sec, Sigaba, SoftForum,
SOPHOS, SquareTrade, SurfControl, Symantec, TDS Telecom, Telefonica,
Trend Micro, Tricerion, TriCipher, TrustedID, Tumbleweed
Communications, SurfControl, Vasco, VeriSign, Visa, Websense Inc. and
Yahoo!.
David Goldstein
Lasted posts on our Forum
- 05/07/2009 16:15 For Sell Apple iPhone 3GS 32GB..$180 (KULLAK)
- 05/07/2009 05:06 I need short sport names (jtay51)
- 04/07/2009 07:24 Excellent list of domains for sale !!!! (cagdaswoo)
- 03/07/2009 22:15 Needed godaddy coupon (Jasper.Block)
- 01/07/2009 19:54 Unlimited Hosting (xenia)