Friday, June 22, 2007

Phishing Kits: Made In Hong Kong?

According to IBM's X-Force Blog, 92% of the phishing web sites studied during the final week of May 2007 were associated with "phishing kits" - software toolkits designed by hackers to enable fast creation of multiple domains, and quick deployment of phishing scams.

The problem with the use of phishing kits is that criminals can automatically create multiple Internet domains faster than they can be taken down. For an indication of what this means, check out this graph from one of Authentium's antiphishing partners, the Anti-Phishing Working Group (APWG):


The trend line is pretty easy to imagine. The number of sites listed in April of 2007 is roughly 5x the number listed in the same month in 2006, or 400% larger.

Which leads me to the subject of Hong Kong.

According to IBM, Hong Kong, with a total population of just one tenth of one percent of the world's population (6,900,000), was the listed jurisdiction for 44% of the domains associated with the 3,256 phishing toolkits their researchers analyzed over a one-week period at the end of May.

To put it another way, 1,433 of 3,256 phishing web sites were found to be associated with "ccTLD’s (country code Top Level Domains) of .HK (Hong Kong)".

The problems with this go beyond the scope of one blog post, but IT professionals will recognize one of the most salient issues: dealing with foreign jurisdiction-based hosting companies, such as those located in Hong Kong, places a lot of demands on policing organizations such as the APWG, when it comes to trying to "take down" one of these sites.

Here's an excerpt from the APWG May report:

"More problematic has been the recent widespread adoption and marketing of domain “privacy” services, which has created a method for scammers to hide illicit registrations. It’s nearly impossible to track criminal registrations through such services, as they are created explicitly to make it difficult to contact a domain name’s true owner."

And it's not just criminal sites - even legit/zombie sites present logistical issues when a "take down" is attempted. Here's what happened when APWG staffers tried to "take down" a legit site identified as an originating point for a phishing scam:

"The site was located on a server that had apparently been hacked through a vulnerability in a commonly used blogging software package. Unfortunately, the hosting company did not have staff in-place to handle the incident at the time of the report, and did not respond to requests for action. This is an all too common issue, as many hosts – especially on weekends – can take 12-24 hours to read their abuse queues and may not answer their phones."

A hosting company that doesn't answer the phone on the weekends? Sounds to me like that "24 to 48 hour lag" in taking down a phishing site is going to persist for a little while yet - unless we start mandating either a) that employees should not check email over the weekend, or b) that hosting companies should know their customers.

Note: Gunter Ollmann suggests using caution when interpreting this data and so do I: the Hong Kong domains listed in any analyzed kit may not correspond to any of the domains utilized in a scam by a criminal. In these days of increasingly sophisticated spear-phishing attacks, it's best to plan your defense based strictly on your analysis of each individual attack.
