phishing sites report - March/2005
Below is a periodic public report from the Malicious Websites and Phishing research and mitigation mailing list (a sub-group of the drone armies / botnets research and mitigation mailing list). For this report it should be noted that we base our analysis on the data we have accumulated from various sources.

According to our incomplete analysis of information we have thus far, we now publish the following report.

Notes on the report:
* The report is in descending order.
* In the listing are also included suspected child pornography sites; however, their numbers are not large enough to affect the statistics.

Number of phishing sites found: 276.

The ISPs that are most often plagued with phishing sites:
----------------------------------------------------------
ASN     Responsible Party
14780   INKTOMI-LAWSON - Inktomi Corpo
14779
13768   PEER1 - Peer 1 Network Inc.
21844   THEPLANET-AS - THE PLANET
1668    AOL-ATDN - AOL Transit Data Ne
4134    CHINANET-BACKBONE No.31 Jin-ro
29761   OC3-NETWORKS-AS-NUMBER - OC3 N
27699   TELECOMUNICACOES DE SAO PAULO
15201   Universo Online Ltda.

* We would gladly like to establish a trusted relationship with these and any organizations to help them in the future (especially the attacked eCommerce sites and the hosting service providers).
* By previous requests here is an explanation of what "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf

--
Gadi Evron,
Information Security Manager,
Project Tehila - Israeli Government Internet Security.
Ministry of Finance, Israel.
gadi@tehila.gov.il
gadi@CERT.gov.il
Office: +972-2-5317890
Fax: +972-2-5317801
http://www.tehila.gov.il
The opinions, views, facts or anything else expressed in this email message are not necessarily those of the Israeli Government.
Forgive me for being skeptical, but...

How do you come up with these? Are these the direct upstream ISPs of the phishing sites or the next hop ASes from your test site? Is there a link to the original data?

- Dan

On 3/28/05 12:25 PM, "Gadi Evron" <gadi@tehila.gov.il> wrote:
> Below is a periodic public report from the Malicious Websites and Phishing research and mitigation mailing list (a sub-group of the drone armies / botnets research and mitigation mailing list). For this report it should be noted that we base our analysis on the data we have accumulated from various sources.
>
> According to our incomplete analysis of information we have thus far, we now publish the following report.
>
> Notes on the report:
> * The report is in descending order.
> * In the listing are also included suspected child pornography sites; however, their numbers are not large enough to affect the statistics.
>
> Number of phishing sites found: 276.
>
> The ISPs that are most often plagued with phishing sites:
> ----------------------------------------------------------
> ASN     Responsible Party
> 14780   INKTOMI-LAWSON - Inktomi Corpo
> 14779
> 13768   PEER1 - Peer 1 Network Inc.
> 21844   THEPLANET-AS - THE PLANET
> 1668    AOL-ATDN - AOL Transit Data Ne
> 4134    CHINANET-BACKBONE No.31 Jin-ro
> 29761   OC3-NETWORKS-AS-NUMBER - OC3 N
> 27699   TELECOMUNICACOES DE SAO PAULO
> 15201   Universo Online Ltda.
>
> * We would gladly like to establish a trusted relationship with these and any organizations to help them in the future (especially the attacked eCommerce sites and the hosting service providers).
>
> * By previous requests here is an explanation of what "ASN" is, by Joe St Sauver: http://darkwing.uoregon.edu/~joe/one-pager-asn.pdf
--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
Daniel Golding wrote:
> Forgive me for being skeptical, but...

I would prefer you being skeptical. Please don't take my word on any of this.

> How do you come up with these? Are these the direct upstream ISPs of the

These are the digested results from the reports sent to the malicious websites and phishing research and mitigation list.

> phishing sites or the next hop ASes from your test site?

Plainly put, these are the results you get when you feed the IPs of the hosting web sites to the Cymru whois.

> Is there a link to the original data?

Nope. We hope to release more data in our next reports. Please let us know what kind of data you'd like available. We'll do our best to provide it.

One of our main goals is public awareness, so we are very interested in feedback. If you have further questions on the process itself, I'd gladly direct you to the guy who actually does the data mining and statistics - but the list data itself is not open to the public.

Gadi.
Gadi,

This report isn't terribly useful without the IP addresses (or URLs) in question. How could an ISP start investigating and/or null routing these addresses without having the list?

I suppose I'm skeptical because some of those ASNs are not big content hosters. Some are transit-only ASNs.

Also, if you are using WHOIS to check the IP addresses for their owner, how are you correlating to ASN? Through an IRR? Or is there a route lookup somewhere in the mix?

Even if you won't release full data (although I can't imagine why not), you need to fully disclose the methodology. "Digested" is insufficient when ISPs and hosters are being called out by name.

- Dan

On 3/28/05 2:19 PM, "Gadi Evron" <gadi@tehila.gov.il> wrote:
> Daniel Golding wrote:
>> Forgive me for being skeptical, but...
>
> I would prefer you being skeptical. Please don't take my word on any of this.
>
>> How do you come up with these? Are these the direct upstream ISPs of the
>
> These are the digested results from the reports sent to the malicious websites and phishing research and mitigation list.
>
>> phishing sites or the next hop ASes from your test site?
>
> Plainly put, these are the results you get when you feed the IPs of the hosting web sites to the Cymru whois.
>
>> Is there a link to the original data?
>
> Nope. We hope to release more data in our next reports. Please let us know what kind of data you'd like available. We'll do our best to provide it.
>
> One of our main goals is public awareness, so we are very interested in feedback. If you have further questions on the process itself, I'd gladly direct you to the guy who actually does the data mining and statistics - but the list data itself is not open to the public.
>
> Gadi.
Daniel Golding wrote:
> Gadi,
>
> This report isn't terribly useful without the IP addresses (or URLs) in question. How could an ISP start investigating and/or null routing these addresses without having the list?
>
> I suppose I'm skeptical because some of those ASNs are not big content hosters. Some are transit-only ASNs.
>
> Also, if you are using WHOIS to check the IP addresses for their owner, how are you correlating to ASN? Through an IRR? Or is there a route lookup somewhere in the mix?
>
> Even if you won't release full data (although I can't imagine why not), you need to fully disclose the methodology. "Digested" is insufficient when ISPs and hosters are being called out by name.

To answer all your above welcomed questions...

We will release the data we can, sorry. That said - we are looking for ways to release the actual IPs (phishing web pages) information in a sort of a blacklisting service. Currently the data is mixed with suspected CP sites and that's a no-no for release. There are steps to take, and you are right - that's one of them, and perhaps even more important than we currently believe.

As to the usefulness of this particular report, it is about showing the problem, not killing sites.

As to "proving" to the ISPs - each of the respected service providers can contact us and get the information directly, and then make up their own minds.

As to the exact methodology used, I'll have to refuse to divulge that information publicly at this time. You don't have to believe the data. You can believe in some of the public names associated with this work.

Statistics may be a "blown out of proportion" word here, as all we do in this particular case is count.

And sorry, we'll keep calling these service providers by name, and "put our money where our mouth is" when they ping us back, like we did with The Planet, PNAP, KrCERT and others on our botnets C&C report. Also, we give credit where credit is due to service providers who show they are serious.

Keep in mind, although we won't go for "amateur" work, this is volunteer work. :)

Gadi.
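The lookup-and-count step the two of them are arguing about (hosting IPs fed to the Team Cymru whois, then a per-ASN tally in descending order, and Dan's question of how a WHOIS answer gets correlated to an ASN), as an added worked example; this is not code from either poster or from the list. It assumes Team Cymru's bulk IP-to-ASN service on whois.cymru.com (TCP port 43), whose verbose output gives, for each IP, the origin AS of the most specific BGP prefix covering it, not the upstream or next-hop AS. That is the answer to the transit-only objection: such a network appears only when it originates the customer prefix under its own ASN. The hostnames, IPs and the canned reply below are constructed sample data (RFC 5737 documentation addresses, ASNs taken from the report), not real lookups, and all function and variable names are my own.

```python
"""Reproduce "feed the hosting IPs to the Cymru whois, then count per ASN" offline.

Bulk query format to whois.cymru.com:43 is "begin", "verbose", one IP per
line, "end".  Each verbose answer line is pipe-separated:
    AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
The AS column is the origin AS of the covering BGP prefix; "NA" means the
IP is not in the routing table.  Sample data below is constructed.
"""
from collections import defaultdict
import ipaddress
import socket  # only used by live_lookup()

# Constructed input: (hostname, hosting IP) as reports to the list would supply.
SAMPLE_SITES = [
    ("bank-login.example", "192.0.2.10"),
    ("bank-login.example", "192.0.2.10"),   # same site reported twice
    ("secure-update.example", "192.0.2.11"),
    ("verify-acct.example", "198.51.100.7"),
    ("paypa1-verify.example", "203.0.113.42"),
    ("ebay-confirm.example", "203.0.113.43"),  # not announced in BGP (NA)
    ("intranet.example", "10.0.0.5"),          # RFC 1918, never queried
    ("bad-line.example", "not-an-ip"),         # mangled report line
]

# Constructed stand-in for the verbose reply whois.cymru.com would return.
CANNED_CYMRU_REPLY = """\
Bulk mode; whois.cymru.com [2005-03-28 12:25:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
13768   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2005-01-01 | PEER1 - Peer 1 Network Inc.
13768   | 192.0.2.11       | 192.0.2.0/24        | US | arin     | 2005-01-01 | PEER1 - Peer 1 Network Inc.
21844   | 198.51.100.7     | 198.51.100.0/24     | US | arin     | 2005-01-01 | THEPLANET-AS - THE PLANET
4134    | 203.0.113.42     | 203.0.113.0/24      | CN | apnic    | 2005-01-01 | CHINANET-BACKBONE No.31 Jin-ro
NA      | 203.0.113.43     | NA                  | NA | NA       | NA         | NA
"""

# Explicit RFC 1918 check: ipaddress.is_private also flags the documentation
# ranges used in the sample, so it is not used here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(addr):
    """Cheap filter so obviously unroutable addresses never reach the query."""
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)


def routable_ips(sites):
    """Distinct IPs worth asking Cymru about; malformed entries are dropped."""
    ips = set()
    for _host, ip in sites:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if is_routable(addr):
            ips.add(str(addr))
    return ips


def build_bulk_query(ips):
    return "begin\nverbose\n" + "\n".join(sorted(ips)) + "\nend\n"


def parse_cymru_reply(text):
    """Map IP -> (asn or None, bgp_prefix, as_name); banner/header lines are skipped."""
    result = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue
        asn, ip, prefix, _cc, _registry, _allocated, name = fields
        result[ip] = (None if asn == "NA" else int(asn), prefix, name)
    return result


def tally_by_asn(sites, lookups):
    """Count distinct phishing hostnames per origin ASN; most-hit ASN first."""
    hosts_per_asn = defaultdict(set)
    unresolved = set()
    for host, ip in sites:
        entry = lookups.get(ip)
        if entry is None or entry[0] is None:
            unresolved.add(host)  # bad IP, unqueried, or not in BGP
            continue
        asn, _prefix, name = entry
        hosts_per_asn[(asn, name)].add(host)
    ranked = sorted(hosts_per_asn.items(), key=lambda kv: (-len(kv[1]), kv[0][0]))
    return [(asn, name, len(hosts)) for (asn, name), hosts in ranked], sorted(unresolved)


def format_report(ranked):
    lines = ["ASN     Sites  Responsible Party"]
    lines += [f"{asn:<7} {n:>5}  {name}" for asn, name, n in ranked]
    return "\n".join(lines)


def live_lookup(ips, host="whois.cymru.com", port=43, timeout=20):
    """The real network query; not exercised by run_demo()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bulk_query(ips).encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return parse_cymru_reply(b"".join(chunks).decode())


def run_demo():
    ips = routable_ips(SAMPLE_SITES)
    lookups = parse_cymru_reply(CANNED_CYMRU_REPLY)  # live_lookup(ips) when online
    return tally_by_asn(SAMPLE_SITES, lookups)


if __name__ == "__main__":
    ranked, unresolved = run_demo()
    print(format_report(ranked))
    print("unresolved:", ", ".join(unresolved))
```

Two choices matter for how the numbers come out: sites are counted by distinct hostname rather than by report, so a phishing page reported twice does not inflate its host's ASN, and anything Cymru answers "NA" for is listed separately instead of being silently dropped, since an unrouted hosting IP is itself worth a second look.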
We provided Daniel with all the information he requested in private, and even learned a thing or two. Others are always welcome to contact us.

Gadi.
And I appreciate Gadi's efforts. I hope they will soon be willing to make this methodology public, as their work continues. And to take down some phishing sites of course :)

- Dan

On 3/29/05 8:12 AM, "Gadi Evron" <gadi@tehila.gov.il> wrote:
> We provided Daniel with all the information he requested in private, and even learned a thing or two. Others are always welcome to contact us.
>
> Gadi.
participants (3)
- Daniel Golding
- Gadi Evron
- Gadi Evron