Global Internet Threats and APWG Initiatives To Fight Cyber-Crime and Fraud

Foy Shiver
Deputy Secretary-General
APWG

© 2014 APWG


APWG In A Nutshell
• Founded in 2003 to focus on the new “Phishing” problem
• Over the past 11 years we have grown to cover all types of Cybercrime and fraud
• Currently more than 2000 companies, NGOs, government, law enforcement, research and treaty organizations globally
• Membership restricted to cybercrime stakeholders
• Efforts bring together experts in diverse fields to focus on:
– Data Sharing
– User Awareness
– Public Policy
– Research

APWG: 11 years of Statistics

APWG Phishing Activity Trends Report
• Published since February 2004
• Initially monthly, now quarterly or semi-annually
• An in-depth review of the ongoing state of Phishing

Global Phishing Survey: Trends and Domain Name Use
• Published since 2H 2007
• Semi-annual attempt to understand trends and their significances by quantifying the scope of attacks with a focus on DNS

Mobile Threats and the Underground Marketplace
• New for 2013
• Attempts to define the malware markets and demonstrate the modus operandi of an industry that is self-funding, prosperous, vertically stratified and agile.

Phishing Trends Report Q3 2014
• The number of unique phishing reports submitted to APWG decreased 5%
• A total of 549 brands were targeted by phishers in Q4, up from the 531 targeted in the second quarter
• In July, phishers set their sights on Polish servers; as a result, Poland jumped to 2nd in the global ranking of countries hosting phishing sites
• The United States continued to be the top country hosting phishing sites
• Over 20 million new malware samples were discovered in Q3, at an average of 227,747 new malicious items every day
• The United States remained the top country hosting phishing-based Trojans and downloaders

Looking at Future Threats
• Internet was never designed to be secure
• Many challenges dealing with a malicious, adaptive and well funded opponent
• Features vs Security
– Internet of Things
– High connectivity/complexity/data volume = high vulnerability
• Targeted attacks
• State sponsored
• Ransomware

Mobile Device/App Risk
• Data Leakage
– Individual Apps
– Between Apps
• Privacy
• Account Takeover
• Device Takeover
• Malware

Current Mobile Threat Vectors

Threat    iOS    Android
Phishing
Spear-Phishing
SMS-Phishing
App-Phishing
App-Mining (including corporate directories)
Jailbreak, Rooting, Jammers
SSL Vulnerabilities
Hostile Configuration Profiles
Unencrypted Email Attachments
Ransomware
Backup Hijacking
OS Fragmentation
Sideloading Apps
Harvest Phone Call Logs & SMS Logs

Android Fragmentation

APWG’s Question:
How Does a World of Localities Engage a Problem of Global Dimensions Like Cybercrime and Respond as a Unified Authority?

Data Logistics as Cybercrime Response Instrument

The design and optimization of processes to manage the movement and presentation of data to enable cybercrime responders and forensic analysts to take action – or receive data – at a time and place for a specific counter-cybercrime application

Examples of APWG Cybersafety Data Logistics
• Phishing Repository & URL Block List
• eCrime Exchange
• Malicious Domain Suspension System
• Bot-Infected System Alerting and Notification System
• The Stop. Think. Connect. Messaging Convention
• The IODEF Extensions for Electronic Crime Reporting (IETF RFC 5901)
• eCrime Classification System
• Phishing Education Landing Pages

APWG eCrime Exchange:
A Member Network For Collaborative eForensics

Organizational Objective of eCX

Ganging Up on the Bad Guys

• Exchanging Data Programmatically
Consolidating data across industries and geographies for more effective security routines
Example: URL Block List

• Teaming Around eCrime Events
Enterprises and groups recognizing they face common adversaries can combine data and insights needed to neutralize the attackers

Phishing Repository and URL Block List

• APWG Phishing Attack Data Repository
– 8+ million historical entries
– Informs research and development of counter-eCrime technology
• Phishing URL Block List (UBL)
– Updated constantly
– Informs browser warning systems and anti-phishing tool bars
– Signaling systems for security teams
– CERTs, brand-holders, telecom companies, security companies, software developers and the public

APWG Malicious Domain Suspension Process (AMDoS)

World’s First and Only Auditable, Scalable Malicious Domain Name Suspension Request System for Professional Interveners and the Registries

What are we trying to accomplish?
• Complement (not circumvent) court orders or legal instruments to allow
– Responsible (and transparent) action in
– A timeframe measured by hours rather than days, weeks, or months and to
– Hold reporting parties to a standard of practice and accountability
• Replace historical ad hoc processes used to suspend domains with a uniform, auditable process based

Trusted Introducer System

[Diagram: Accredited Intervener – [AMDoS] – Registry Authority, labelled "formal, auditable communications channel"]

APWG Malicious Domain Suspension Process

• AMDoS mediates formal correspondence between an Accredited Intervener and a Registry Authority
– trusted-introducer/trusted-channel system
– a medium for transmission of suspension requests for abusive domains
• Objectives
– Enhance speed and scalability of interventions
– Provide formal tracking
– Provide accuracy, accountability, transparency

Registry Authority owns process

• Registry Authorities participate voluntarily
– Under no obligation to participate or act
– Registry can assess request against explicit criteria before making a decision to suspend
• Expectation is that
– A signed attestation from
– A vetted reporting party with
– Documentation that demonstrates criminal use
will be persuasive

Other AMDoS Goals
• Metrics
• Shame bad registries/registrars into being good registries/registrars

Bot-Infected System Alerting and Notification System (BISANS)
• Biggest threat to users is falling victim to social engineering and their systems becoming infected
• Once infected, most users are not technology aware enough to know something is wrong
• Criminals use these systems to steal data and host robust Botnets for other criminal purposes
• BISANS is an attempt to identify infected systems and notify the owner or responsible parties

The Bot-Infected Systems Alerting and Notification System

BISANS routes bot node reports to owner/operators, enabling programmatic interventions

Beta code working and recently integrated into eCX

Online Cybersafety Awareness Messaging

• Problem: How do you raise awareness in the largest number of people without heroic effort or cost
• Logistics imperative: Reach customers and citizens where they are – and through channels they already trust
• Solution: Unify messaging across trusted parties with shared, and therefore unified, messaging instruments

STOP. THINK. CONNECT.
• Re-animates the oldest logistical schema: standardization
• Over 20 international companies founded the project
• Rigorously informed, crafted and tested messaging instrumentation offered at no cost
• Repurpose communications avenues and networks of all the Messaging Convention participants
• Leverage every web page, ATM receipt, account statement and communications instrument to deliver awareness messaging

Step Up and Help Everyone
• The Messaging Convention Empowers Three Primary Roles
– Commercial Licensee
• No-cost license for commercial enterprises who want to integrate Stop. Think. Connect. Messaging Convention messaging instruments into their own online safety education programs
– Non-commercial STC Messaging Convention Content User
• Pre-packaged Stop. Think. Connect. online safety education materials for educational agencies and ministries and NGOs to instruct their constituencies
– International Program Partners
• National and regional governments, multilateral treaty organizations, NGOs who recruit licensees and users within an industrial sector or polity

Hemispheric Unification
• USA and Canada using content in French and English
• Recently Japan, Panama, Paraguay and Uruguay have adopted the campaign as their national cybersecurity awareness messaging program
– Other nations in South America and Africa in the works. News coming soon.
• Other languages being added constantly
– English, Spanish, French, Portuguese, Russian, Japanese
• Organization of American States entered into an agreement in 2012 to propagate STC among OAS member nations
• In discussions now with Organisation internationale de la Francophonie (OIF)

Upcoming Events 2015

eCrime Researchers Symposium
Hosted by CaixaForum
Barcelona, Spain
May 26 – 29

Thank You

Foy [email protected]