Last October, we added the high-quality phishing report feed from the Anti-Phishing Working Group (APWG) to our standard iQ Abuse Manager service. It's been providing valuable phishing report data to our users with a low false-positive rate. The APWG is the world's largest international coalition fighting Internet crime with cooperation from industry, government and law-enforcement sectors, and NGO communities.
The APWG's Co-Founder and Secretary-General, Peter Cassidy, is one of the world's foremost experts in digital security and fighting cybercrime. He is, without a doubt, one of the most illuminating and brilliant minds I've had the pleasure of connecting with in recent years.
Departing from our usual longer video interview format, I threw some written questions at Peter over the summer, and you can read his answers further below in this post.
I also spoke with Peter earlier this month, and in this 10-minute interview he opines on why fighting abuse is important, his involvement in creating STOP. THINK. CONNECT.™, what job #1 should be for companies looking to improve their cybersecurity, and what he would fix if he could fix one thing on the Internet.
How did the APWG get started?
Bank security operations people, ISP administrators, and anti-virus operations personnel met Chairman David Jevans at a conference in Fall 2003 at the Argonaut Hotel in SF and retired to dinner at a Vietnamese restaurant at Fisherman's Wharf to continue a conversation about phishing - which had just shortly before begun besieging banks in the Anglophone democracies. The conversation turned to how the AV vendors could programmatically receive new phishing URLs to use as block signatures on their products. Between spring roll and dessert, the correspondents pulled together the outlines of a record for phishing URL reports, and Mr. Jevans called the first meetings of the APWG, then underwritten by Tumbleweed Communications. Tumbleweed, having its own problems at the time after going through bursts of growth, some few months later placed the APWG in the hands of Dave and myself as directors (with a third, a former inside counsel to Tumbleweed) and incorporated the organization in Delaware on our behalf. I opened the bank account and submitted an application for non-profit status to the IRS under 501(c)(6), which was accepted, and Mr. Jevans scrounged two secure FTP servers and racked them to drive the APWG Phishing URL Block List for its growing membership.
What's the history of your involvement with threat intelligence/eCrime research, and how did you come to work with the APWG?
Since about 1984 or so, I have written on network security, auditing, and information policy for business publications and trade magazines in the US, Australia, Japan, and Europe. Industry research firms like IDG, GIGA, CI-Infocorps, etc. eventually started hiring me as a contract analyst, which provoked me to establish my own research and consulting practice and take on my own clients, including Tumbleweed Communications. Along the way, MIT's School of Architecture appointed me as a visiting fellow to study security principles for the construction of commerce systems, and I took positions with start-ups in a range of security enterprises here and overseas, from watermarking digital assets to the development of systems for pricing cyber insurance premiums. All of that helped inform program development for APWG as well as the architectural road map for the eCrime eXchange and inspired, in part, the founding of the APWG Symposium on Electronic Crime Research in 2006.
How does the APWG collect phishing attack data?
APWG's eCrime eXchange operates as a classical clearinghouse with all data provided by APWG members, except for a couple of corpora that, for different reasons, are populated with third-party data (/phishing module for full text of phishing emails forwarded to us by the general public and /crypto for wallet addresses related to criminal cash-outs or cash-out attempts). Brand holders and their security contractors provide a good deal of the data archived on the eCX, reporting them as an essential SOP to a) defend these brands and b) protect the customers who trust them. The reporting/notification principle is as simple as it is essential. The sooner and the more broadly that phishing URLs, malicious domain names, maliciously employed IP addresses, and maliciously deployed cryptocurrency wallet addresses are reported to blocklists (e.g. browsers and AV software), the quicker blocking and deflection can secure people and processes.
How much of your feed is vetted by humans?
None, unless a member points out an exceptional report and/or asks for a record audit. That is, in part, the nature of a clearinghouse and in part by design in that APWG assumes that all response to common cybercrimes is converging toward an automated, programmatic engagement model of intervention. To guide our members' data usage decisions, however, most of the data records on eCX come with Confidence Factor levels assigned: 0 percent (for false positive); 50 percent (for submissions of unknown provenance and reliability); 90 percent (for records reported by automated systems curated by an APWG member organization) and 100 percent (for records reported by an APWG member after a manual vetting by member-managed personnel).
How can users obtain further evidence when they get a case?
They can go to other sources, cross-correlate against other data resources within the eCX itself, and query other resources external to the eCX. Around 2013, we reconfigured the old URL Block List as an API platform so that members would have maximal flexibility in drawing from data resources to weave the forensic routines and security protocols that were useful to their enterprises, products or services.
What is your false-positive rate, and how do you handle reports of false positives?
APWG eCX moves upwards of a billion+ data elements per month outbound to our members, and our false positive rate compared to total flow is way out there to the right of the decimal point. This is largely the consequence of running eCX in a clearinghouse model that affords its curators auditability of the data source down to the individual reporter. FPs have a number of response tracks that are followed by APWG members and managers. First, records are, by design, editable by our own member users of the eCX, including changing the Confidence Factor from, say, 50 to 0 (the level indicative of a false positive). Those changes are automatically logged, and logs are monitored by APWG Engineering and eCX Support. If eCX users complain to Support, or if log reviews by Support or Engineering managers reveal repeat FPs from a user, the attending manager(s) may a) interrogate the reporter; b) inquire about the systems they may be employing to submit their reports; c) review the rules of engagement of the module endpoint in which the report(s) are archived; and d) review the terms of the data sharing agreement.
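The Confidence Factor levels and the edit-and-log false-positive handling described in the two answers above, as an added illustration of how a feed consumer might act on them. This is not APWG's code or the eCX API; the record fields, the block/review/discard policy and the sample data are assumptions.

```python
from dataclasses import dataclass, field
from collections import Counter

# Confidence Factor (CF) levels as described in the interview
CF_FALSE_POSITIVE, CF_UNKNOWN, CF_AUTOMATED, CF_MANUAL = 0, 50, 90, 100

@dataclass
class Record:
    # Assumed field names; the real eCX record schema is not shown on this page
    url: str
    reporter: str
    cf: int

@dataclass
class Feed:
    records: dict = field(default_factory=dict)    # url -> Record
    audit_log: list = field(default_factory=list)  # every CF change, for review

    def action(self, url):
        """Map a record's CF to a blocklist decision: block only curated reports."""
        cf = self.records[url].cf
        if cf == CF_FALSE_POSITIVE:
            return "discard"
        if cf < CF_AUTOMATED:
            return "review"  # unknown provenance: cross-correlate before blocking
        return "block"

    def set_cf(self, url, new_cf, editor):
        """Members edit CF in place; log (url, reporter, old, new, editor) for Support."""
        rec = self.records[url]
        self.audit_log.append((url, rec.reporter, rec.cf, new_cf, editor))
        rec.cf = new_cf

    def repeat_fp_reporters(self, threshold=2):
        """Reporters whose submissions were downgraded to 0 at least `threshold` times."""
        downgrades = Counter(rep for _, rep, _, new, _ in self.audit_log
                             if new == CF_FALSE_POSITIVE)
        return sorted(rep for rep, n in downgrades.items() if n >= threshold)

def demo_feed():
    # Constructed sample data; the .invalid hosts are placeholders, not indicators
    feed = Feed()
    for url, reporter, cf in [
        ("http://login-example.invalid/a", "memberA-auto", CF_AUTOMATED),
        ("http://bank-example.invalid/b", "memberB-analyst", CF_MANUAL),
        ("http://shop-example.invalid/c", "public-forward", CF_UNKNOWN),
        ("http://news-example.invalid/d", "public-forward", CF_UNKNOWN),
    ]:
        feed.records[url] = Record(url, reporter, cf)
    # Two unvetted submissions are found to be false positives and edited to CF 0
    feed.set_cf("http://shop-example.invalid/c", CF_FALSE_POSITIVE, "memberC")
    feed.set_cf("http://news-example.invalid/d", CF_FALSE_POSITIVE, "memberC")
    return feed
```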
What are the latest trends in phishing attacks and the use of domain names in those attacks?
Some of the latest research in this regard tells us about a quarter to a half of phishing attacks (depending on geographic focus) employ some kind of maliciously registered domain name with most of the remainder running on compromised hosts and free web services and thereby only incidentally abusing a domain name. PhishLabs found recently that more than 16 percent of Business Email Compromise (BEC) attacks (often employed as ransomware attempts) employ maliciously registered domain names.
How does the APWG eCX (eCrime eXchange) work? Can it distinguish between malicious domains and compromised domains?
eCX is architected as a classical clearinghouse for the exchange of machine event data and Internet event data related to common cybercrimes by non-correspondent parties operating under a common Data Sharing Agreement and animated as a RESTful API platform. That may be a mouthful, but discussion of the operating gear without citing the policy for risk and liability management is only half of the story. Corporate counsel is as vital a party to the operating profile of the eCX as security and forensic personnel. The users of the eCX are all APWG members, and all have completed a Data User Agreement with us that, since 2018, includes a Code of Conduct Appendix that provides for compliance with the GDPR as established in May 2018, which is usually reviewed by counsel before signing. As a clearinghouse, distinguishing between malicious domains and compromised domains is well beyond the brief of the eCX and would place APWG in a competitive position relative to our members, something we as a trade association supporting stakeholding industries are keen to avoid.
Ransomware is certainly making headlines. What is APWG doing to investigate ransomware and make available the related ransomware and domain-name threat data?
APWG members are reporting domain names related to ransomware attempts into APWG's /mal_domain and /phish endpoints to improve notification, and APWG Applied Research has continued to build out its CryptoCurrency Working Group Wallet Address database in partnership with the University of Tulsa, the University of Ottawa, the Austrian Institute of Technology, and other partners from industry, such as OKLink and others TBA.