PhishScope: Tracking Phish Server Clusters
- 1 July 2006
- journal article
- research article
- Published by Taylor & Francis in Journal of Digital Forensic Practice
- Vol. 1 (2) , 103-114
- https://doi.org/10.1080/15567280600995808
Abstract
Phishing often seems an intractable problem, because phishers go to such lengths to hide their tracks by staging attacks through multiple countries and legal regimes. Targets of phishing and law enforcement thus have few levers to use against phishing. This article demonstrates one such lever: a method (PhishScope) for pinpointing a cluster of active phishing servers that are all connected to the same part of the same Internet service provider (ISP) and are thus located in the same legal regime. Targets of phishing can use information about phishing server clusters to encourage ISPs to take appropriate action such as taking down rogue servers. An ISP infested by a phishing cluster may be unaware of its presence, so the receipt of such information may be all it takes to persuade an ISP to take action. Law enforcement agencies (LEAs) may not want to expend any effort on a single phishing report, but a cluster of phishing servers, especially one that involves multiple targets of phishing, may be worth the expenditure of resources. Information about such phishing clusters is thus leverageable for proactive intervention by targets of phishing, by ISPs infested by phishing servers, and by LEAs. An individual target of phishing usually cannot detect a cluster of compromised servers, since clusters are set up to attack multiple targets, rather than a single target. By combining forces, collective action can reveal the existence of hostile clusters. Specifically, members of the Anti-Phishing Working Group (APWG) send reports of phishing to APWG, which collects them in a repository. InternetPerils receives frequent (three times a week) dumps from the APWG repository to which it adds Internet topological and performance information. The objective of the PhishScope technology, a service developed by InternetPerils, is to collect supplementary data, combine it with the incoming APWG data, and then to simultaneously analyze both sources of data. 
This ensures the timely availability of information while the phishing clusters and many of their constituent phishing servers are still in use. Graphical presentation makes the nature of the problem visible to the intended users of the data. Comparing data sets over time demonstrates the persistence of the phenomenon, and animating the graphical contours makes the extent of the infection readily comprehensible to the intended users. Finally, demonstrating the persistence of the clusters supports the main purpose of PhishScope: to provide leverageable information to the affected parties while the phishing clusters are still attacking.
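The abstract describes the idea but not the mechanics of how phishing reports are joined with topological data to expose a cluster that sits on "the same part of the same ISP", or how persistence across successive APWG dumps is shown. The following is an added illustration, not InternetPerils' PhishScope code and not an algorithm the article confirms. It assumes one plausible operationalisation: each report carries the resolved server address, a traceroute to it and the origin AS of that address (assumed to be looked up out of band), and a cluster key is the pair (origin AS, last router hop before the phishing host). The report records, addresses and dump dates are constructed for the example.

```python
"""Toy topological clustering of phishing reports, in the spirit of PhishScope.

Added example, not the article's or InternetPerils' code. The cluster key
(origin AS, last upstream router before the host) is an assumption about
how "same part of the same ISP" might be operationalised. All reports,
addresses (RFC 5737 documentation ranges) and ASNs below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    dump: str      # date of the APWG repository dump the report came from
    target: str    # brand being impersonated
    url: str       # reported phishing URL
    host_ip: str   # resolved address of the phishing server
    path: tuple    # traceroute router hops, ending at host_ip when complete
    asn: int       # origin AS of host_ip (assumed looked up out of band)


def cluster_key(r):
    """Return (asn, upstream router) or None if the traceroute is unusable.

    The hop immediately before the host identifies the part of the ISP the
    server hangs off; a truncated or mismatched path gives no key, so that
    incomplete measurements never create spurious clusters.
    """
    if len(r.path) < 2 or r.path[-1] != r.host_ip:
        return None
    return (r.asn, r.path[-2])


def build_clusters(reports, min_servers=2):
    """Group reports by cluster key; keep keys with >= min_servers distinct hosts."""
    groups = defaultdict(list)
    for r in reports:
        k = cluster_key(r)
        if k is not None:
            groups[k].append(r)
    return {k: v for k, v in groups.items()
            if len({r.host_ip for r in v}) >= min_servers}


def summarize(cluster_reports):
    """Servers, attacked brands and dump dates seen for one cluster."""
    return {
        "servers": sorted({r.host_ip for r in cluster_reports}),
        "targets": sorted({r.target for r in cluster_reports}),
        "dumps": sorted({r.dump for r in cluster_reports}),
    }


def persistent_clusters(clusters, min_dumps=2):
    """Clusters present in at least min_dumps separate dumps: still attacking."""
    return {k: summarize(v) for k, v in clusters.items()
            if len({r.dump for r in v}) >= min_dumps}


# Constructed reports across three dumps (three per week, as in the abstract).
REPORTS = [
    Report("2006-06-05", "BankA", "http://192.0.2.10/login", "192.0.2.10",
           ("10.0.0.1", "198.51.100.1", "192.0.2.10"), 64496),
    Report("2006-06-05", "BankB", "http://192.0.2.11/secure", "192.0.2.11",
           ("10.0.0.1", "198.51.100.1", "192.0.2.11"), 64496),
    Report("2006-06-07", "BankA", "http://192.0.2.12/update", "192.0.2.12",
           ("10.0.0.1", "198.51.100.1", "192.0.2.12"), 64496),
    Report("2006-06-09", "BankC", "http://192.0.2.10/verify", "192.0.2.10",
           ("10.0.0.1", "198.51.100.1", "192.0.2.10"), 64496),
    # Lone server behind a different router: reported, but not a cluster.
    Report("2006-06-07", "BankA", "http://203.0.113.7/", "203.0.113.7",
           ("10.0.0.1", "203.0.113.254", "203.0.113.7"), 64497),
    # Truncated traceroute (never reached the host): no cluster key.
    Report("2006-06-09", "BankB", "http://203.0.113.9/", "203.0.113.9",
           ("10.0.0.1", "203.0.113.254"), 64497),
]


if __name__ == "__main__":
    for key, info in persistent_clusters(build_clusters(REPORTS)).items():
        asn, router = key
        print(f"AS{asn} behind {router}: {len(info['servers'])} servers, "
              f"targets {info['targets']}, seen in dumps {info['dumps']}")
```

Run stand-alone, this reports one cluster of three servers behind router 198.51.100.1 in AS64496, attacking three brands across all three dumps: the kind of multi-target, persistent cluster the abstract argues is worth an ISP's or an LEA's attention. The single server in AS64497 is dropped because no other host shares its upstream hop, and the truncated traceroute contributes nothing rather than being forced into a cluster.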