.Asia registry to crack down on phishy domains
- 12 October, 2007 09:39
The registry for the new .asia TLD (top-level domain) plans to ban domain names that are consistently used for phishing sites.
DotAsia Organization has agreed to implement a policy to ban domain names associated with phishing, said Laura Mather, of the Anti-Phishing Working Group (APWG), a consortium of companies and government groups that studies phishing. She is also a senior scientist at MarkMonitor.
It's the first time that a registry has undertaken such a drastic action to stop the proliferation of fake Web sites designed to dupe people into divulging sensitive personal data. Registries are organizations that oversee technical implementation of TLDs.
Phishing remains a huge problem despite improvements in security technology. Phishers attract people to their sites by sending links through spam e-mails. The sites, which spoof well-known brands with similar-looking domain names, are usually kicked off the Internet by Internet service providers after they receive reports that a site is fraudulent.
Often, the phisher switches hosting providers using the same domain name and the game repeats.
Phishers are also increasingly using a technique called "fast flux," which is designed to ensure a Web site is always available. Fast flux allows a Web site to resolve to numerous different IP (Internet Protocol) addresses. If one server fails, a person browsing for the site is automatically redirected to another server hosting it.
Phishers are using fast flux with their sites, meaning the site's IP address changes every few minutes, redirecting to countless servers, all of which would have to be taken down. Fast flux makes it very difficult to keep a site off the Internet, turning antiphishing efforts into an endless game of chase.
"This is the weakest link online today in Internet security," wrote Gadi Evron, a security evangelist with Beyond Security. "We need to be able to get rid of domain names."
But if the TLD registry takes the domain name out of its system, the site will go down permanently, although there are some technical exceptions. One problem is a feature of the Internet's architecture designed to reduced the burden on nameservers, which match a domain name with its corresponding IP address and enable a Web site to be delivered in a browser.
When a person visits a particular Web site, a local nameserver caches the IP address of the domain name. How long the local nameserver refers to its cached record for a Web site is a feature called "time-to-live," which is set by the owner of the Web site and remains in the official DNS (Domain Name System) record for the site.
The problem would come if a registry bans a domain name, but that DNS record is still cached in local nameservers, which would still direct a person browsing to the address, Mather said.
"That's something we are still trying to deal with the technical implementations around," Mather said. "We've got really smart people thinking about it, so there may be something we can do."
Overall, the plan isn't the silver bullet against phishing, Mather said. Phishers could, of course, continue to register new domain names spoofing brands and use fast flux. But they wouldn't be able to use the same domain name over and over again, depriving them of what could be very convincing-looking domain names tricking Internet users.
"This is actually going to be extremely powerful if we can make this work," Mather said.
The exact protocol for how and when a domain name would be removed is still being discussed. But the general plan is to have a few trusted companies that will be certified to report phishy domains to DotAsia. That will relieve DotAsia of the burden of having to investigate each domain name before shutting one down permanently, Mather said.
Companies would pay a fee to become certified to be a trusted source, but the costs and exactly how that will work are still being discussed, Mather said.
The Internet Corporation for Assigned Names and Numbers (ICANN) is also working with APWG on the plan. Eventually, ICANN could make registries adopt the policy as part of their contracts to run TLDs. If the plan is successful with DotAsia, it's hoped that other registries will just go ahead and adopt, Mather said.
Phishing is an ever-growing problem. In June, close to 29,000 phishing sites were reported, spoofing some 146 brands, mostly in financial services, according to statistics published by the APWG.