<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>iovation Online Fraud Prevention Blog - News about Device Identification, Device Reputation &#38; Risk Management &#187; fraud as a service</title>
	<atom:link href="http://blog.iovation.com/tag/fraud-as-a-service/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.iovation.com</link>
	<description>protect online businesses from cyber criminals</description>
	<lastBuildDate>Thu, 02 Feb 2012 01:25:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Domain Name Abuse—An important component of fraud as a service</title>
		<link>http://blog.iovation.com/2009/10/05/domain-name-abuse/</link>
		<comments>http://blog.iovation.com/2009/10/05/domain-name-abuse/#comments</comments>
		<pubDate>Mon, 05 Oct 2009 20:23:32 +0000</pubDate>
		<dc:creator>Max Anhoury</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[fraud as a service]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=754</guid>
		<description><![CDATA[While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In [...]]]></description>
			<content:encoded><![CDATA[<p>While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In <a href="http://en.wikipedia.org/wiki/Phishing" target="_blank">phishing</a> attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnet</a> operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection.<span id="more-754"></span></p>
<p>An <a href="http://www.networkworld.com/news/2009/091409-domain-name-abuse.html?ts0hb&amp;story=abuse" target="_blank">article in Network World</a> this month focuses on the importance of domain-name abuse and details the current efforts to stop it. While this problem isn’t exactly new, it is now becoming an increasingly appealing method for fraudsters to carry out attacks. In phishing attacks, for example, the use of hard-coded IP addresses has steadily declined as fraudsters are beginning to favor the use of domain names instead. According to a study done by the Anti-Phishing Working Group, in one six-month period, there were 56,959 phishing attacks occurring on 30,454 unique domain names.<!--more--></p>
<p>Domain names play an equally important part in botnet attacks, like the highly discussed Conficker worm. Unfortunately, as the article details, disrupting Conficker’s use of domain names isn’t proving to be an easy task:</p>
<blockquote><p>Attempts by industry to cut off criminal access to domain names is proving difficult. The first globally organized effort to attempt that — <a href="http://www.confickerworkinggroup.org/wiki/" target="_blank">Conficker Working Group</a> — sought to disable domains targeted by the Conficker worm for use in its command-and-control system. But after six months of trying, there’s not much to show for it.</p></blockquote>
<p>Even with the help of many key players in the realm of domain names and internet security—including Neustar, VeriSign, Afilias, Public Internet Registry, Global Domains International, ICANN, Symantec—the Conficker worm is still at large, inhabiting millions of computers around the globe. So what makes it such a complex problem?</p>
<p>One of the most glaring problems is in the domain-name registration process and the lack of sufficient oversight. First, there’s the ease with which an attacker can simply use false information to register the domain—this is the same basic authentication problem that all other online businesses face. Then there’s the fact that the registration and use of domain names happen all over the world, under different rules and regulations depending on the country. Especially with the use of country-code Top Level Domains (ccTLDs such as .fr or .uk), each individual country controls its own, meaning that in order to combat domain-name abuse, cooperation on a global scale would need to take place.</p>
<blockquote><p>“There are many language and jurisdictional legal issues that make tackling domain-name abuse problems extremely hard,” says Ram Mohan, CTO at Dublin-based registry services provider Afilias and a liaison for the ICANN Security and Stability Advisory Committee (SSAC) on the ICANN Board of Directors… “Some rules in ICANN are just broken,” Mohan says. The overall domain-name registration system “was created at a time of a benign Internet. Today we have no burden of validation and that can be fixed.” He also says it might be a wise move to require some sort of security audit of the registrars and registries.</p></blockquote>
<p>In the article, GoDaddy was used as an example of a domain-name registrar with one of the better anti-fraud practices. But not without effort: in order to responsibly oversee the 36 million domain names that GoDaddy manages, its fraud team is constantly at work. Once a domain name is identified as being used maliciously, it is shut down. Unfortunately, as at many businesses, shutting down bad accounts is an inherently cyclical process when the underlying problem often consists of one criminal opening endless accounts using false information.</p>
<p>It will undoubtedly take a global effort to develop a sufficient system of regulation and oversight, but individual registrars can bear a certain amount of the burden by implementing more thorough security measures. Techniques that complement their existing efforts, like <a href="http://www.iovation.com/solutions/" target="_blank">device reputation</a> and stronger authentication, would allow them to put a large dent in this illegal activity and set a standard for their peers in the industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/10/05/domain-name-abuse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Phishing Scam Spoofs Social Security Administration</title>
		<link>http://blog.iovation.com/2009/05/11/new-phishing-scam-spoofs-social-security-administration/</link>
		<comments>http://blog.iovation.com/2009/05/11/new-phishing-scam-spoofs-social-security-administration/#comments</comments>
		<pubDate>Mon, 11 May 2009 20:53:03 +0000</pubDate>
		<dc:creator>Scott Olson</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[fraud as a service]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=219</guid>
		<description><![CDATA[An SC Magazine article, out today, reports that a new phishing attack is now targeting individuals who will be receiving an economic payout later this month. Phishing attacks are usually at the forefront of identity collection in today&#8217;s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms [...]]]></description>
			<content:encoded><![CDATA[<p>An SC Magazine article, out today, reports that a <a href="http://www.scmagazineus.com/Social-Security-Administration-spoofed-in-phishing-scam/article/136549/" target="_blank">new phishing attack</a> is now targeting individuals who will be receiving an economic payout later this month.</p>
<p>Phishing attacks are usually at the forefront of identity collection in today&#8217;s Fraud as a Service process. Phishing utilizes social engineering, which is both one of the oldest forms of security attack and one of the hardest to fix. <a href="http://en.wikipedia.org/wiki/Social_engineering_(security)" target="_blank">Social engineering</a> tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining in any other way. Today, the user&#8217;s personal information is the target of choice, but this is also very effective for obtaining account information and passwords.</p>
<p>Combating phishing isn&#8217;t difficult; it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail or link to a page that collects that data from an e-mail.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/05/11/new-phishing-scam-spoofs-social-security-administration/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>RSA Wrap Up &#8211; ROI, Fraud as a Service, and Whitelisting</title>
		<link>http://blog.iovation.com/2009/04/24/rsa-wrap-up-roi-fraud-as-a-service-and-whitelisting/</link>
		<comments>http://blog.iovation.com/2009/04/24/rsa-wrap-up-roi-fraud-as-a-service-and-whitelisting/#comments</comments>
		<pubDate>Fri, 24 Apr 2009 15:58:33 +0000</pubDate>
		<dc:creator>Scott Olson</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[fraud as a service]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[security ROI]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=202</guid>
		<description><![CDATA[It&#8217;s been a busy week at RSA for iovation and I have just about talked myself out of words, but as always it is a great show to connect to security professionals and measure security trends. The show attendance seemed to be down some, but as I have noticed at other shows the quality of [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s been a busy week at RSA for iovation and I have just about talked myself out of words, but as always it is a great show to connect to security professionals and measure security trends.  The show attendance seemed to be down some, but as I have noticed at other shows the quality of attendees seemed to be up in general.  There were a lot fewer people searching for tchotchkes and more who seemed to be there to get information and do business.  Three quick observations from the show:</p>
<ol>
<li><strong>ROI for security vendors is more important than ever</strong>. The time when businesses make investments on loose Fear, Uncertainty and Doubt (FUD) is coming to a close. Companies are looking to solve real, existing problems and more than ever are being held accountable for the impact of their investments on the bottom line of their company.</li>
<li><strong>Fraud as a Service resonates.</strong> I blogged a couple of weeks ago about a podcast from RSA where they referred to <a href="http://blog.iovation.com/2009/04/08/2009-online-fraud-trend-podcast-from-rsa/" target="_blank">Fraud as a Service</a> to describe the way online criminals are specializing and working together to commit online fraud.  I am officially changing to this term in preference to the Fraud Value Chain.  I spoke to reporters, analysts and security professionals about this concept and it really resonated.  I had an interview with <a href="http://www.bankinfosecurity.com/" target="_blank">Bank Info Security</a> that included this topic and here is the <a href="http://www.bankinfosecurity.com/showRSAPodcast2.php?swfFile=rsa2009-iovation.swf" target="_blank">podcast</a>.</li>
<li><strong>Application Whitelisting vs Blacklisting.</strong> I spent some time with the folks at <a href="http://www.coretrace.com/" target="_blank">CoreTrace</a> and I think that Application Whitelisting may finally be hitting the market at the right time. Eric Ogren, from the <a href="http://www.ogrengroup.com/" target="_blank">Ogren Group</a>, and I spoke about this and we both agreed that blacklisting systems, in other words anti-virus, provide little to no value in preventing attacks and more than ever are relegated to cleanup tools that identify infection after the fact and remove it.  Whitelisting has a way to go before it completely replaces anti-virus, but it has a good future.</li>
</ol>
<p>That&#8217;s it from RSA, now it&#8217;s time to head back and fight the bad guys.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/04/24/rsa-wrap-up-roi-fraud-as-a-service-and-whitelisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

