Tyler Moore and I are presenting another one of our academic phishing papers today at the Anti-Phishing Working Group’s Third eCrime Researchers Summit here in Atlanta, Georgia. The paper “The consequence of non-cooperation in the fight against phishing” (pre-proceedings version here) goes some way to explaining anomalies we found in our previous analysis of phishing website lifetimes. The “take-down” companies reckon to get phishing websites removed within a few hours, whereas our measurements show that the average lifetimes are a few days.
When we examined our data […] we found that we were receiving “feeds” of phishing website URLs from several different sources — and the “take-down” companies that were passing the data to us were not passing the data to each other.
So it often occurs that take-down company A knows about a phishing website targeting a particular bank, but take-down company B is ignorant of its existence. If it is company B that has the contract for removing sites for that bank then, since they don’t know the website exists, they take no action and the site stays up.
Since we were receiving data feeds from both company A and company B, we knew the site existed and we measured its lifetime — which is much extended. In fact, it’s somewhat of a mystery why it is removed at all! Our best guess is that reports made directly to ISPs trigger removal.
They go on to estimate that ‘an extra $326 million per annum is currently being put at risk by the lack of data sharing.’
This is a classic example of how the proprietary mindset fails where it comes to dealing with abuse and criminal activity online. It would be obviously more useful for the public at large if the data were shared between organisations, and published publicly, but if you view your data feed as a key ingredient of your company’s proprietary “secret sauce” IP, you are not likely to publish and share it :(
The anti-phishing world appears to be full of this kind of stuff, disappointingly — probably because of the money-making opportunities available when providing services to big banks — but anti-spam isn’t free of it either.
Mark another one up for open source and open data…
(thanks to ryanr for the pic)