Q & A on Anti-Phishing Group's E-Crime Tool
Compiling and sharing accurate and complete information on cyber crimes is one of the top challenges for investigators and law enforcement, who often work with many different parties, across varying parts of the world, to follow leads and track criminals. To help with this information exchange, the Anti-Phishing Working Group (APWG), a global, pan-industrial and law enforcement association that is dedicated to fighting phishing and other online scams, has developed a new way for police and other organizations to report electronic crimes (e-crimes) by using a common data format.
Read our interview with Patrick Cain, APWG resident research fellow and principal author of the XML-based data model for e-crime reporting, to get an inside look at the reporting tool – and what it ultimately means for online crime.
First of all, tell us about the Anti-Phishing Working Group and its work in fighting Internet fraud and scams.
The APWG has over 2,000 members – corporations, law enforcement agencies, individuals, government agencies, and research partners – working on four primary missions. First, the APWG acts as a clearinghouse for interested parties to exchange data on bad web sites, active attacks, trends, and mitigation techniques. Next, the APWG also provides a forum to exchange attack mitigation techniques, best practices, and e-crime response ideas. Third, the APWG allows for interested parties to come together and solve common problems. And finally, the APWG provides unbiased e-crime statistics and trending data to support realistic risk mitigation.
The APWG achieves its mission using mail lists, electronic work groups, and twice-yearly member meetings. The member meetings are particularly valuable as a mechanism to exchange ideas, countermeasures, and e-crime data information across sectors around the globe.
In very general terms, the APWG works to unify the attack detection, responder, and e-crime fighting communities that need to manage electronic crime events and protect consumers and enterprise users. The APWG provides both the data and a community to those counter-e-crime professionals: people from every sector (not just a single vertical) and from across the globe. In this way, the APWG can help impact the network efficiencies of the bad guys. Further, the APWG is forging a common language and global agenda for the e-crime fighting community, organizing such projects as the IODEF extensions for e-crime reporting in order to establish a universal file format for e-crime reports.
From your viewpoint at APWG, what recent trends have been seen in the prevalence of online crime?
If we rated online crime on a broad scale, I don't think the rating has changed in the past five years. Although consumers and institutions have become much more aware of online risks, the criminals have become much more sophisticated in their attacks. For example, phishing used to mostly consist of widespread, poorly-worded email messages purportedly from a bank that drove a victim to a collection website. Now we see all forms of communication being used – IM, SMS, email, traditional phone calls – with highly sophisticated methods to not only get your account credentials but also infect your computer or phone for later criminal use. And the targeted institutions are not only banks, but any institution or organization that has something of value; for example, large stores and social networking sites. We've also seen criminals developing very specific software to target specific institutions or even specific individuals.
In terms of battling cyber crime as a unified front, what types of limitations and challenges do police and organizations around the world face?
There are two significant and perhaps unique challenges in the fight against e-crime. First, since most initial e-crime investigation is performed not by police but by private parties, a number of exclusions in national laws and regulations are not available to the non-police crime fighter. For example, many fraudulent web sites use privacy-protection on their Internet domain registration data. Although there are mechanisms for police to retrieve this data, that avenue is not available for private investigators. This gives a significant time advantage to the criminal, as the investigator must find a law enforcement agent for assistance or the investigator must perform a significant additional amount of work to verify that the possibly fake web site is indeed fraudulent. In e-crime, time is everything – the longer a site is up, the more victims it attracts.
Secondly, the global nature and speed of e-crime requires that private investigators and police exchange investigative data quickly. There is currently no generally accepted means to share electronic data among parties, particularly if the parties do not have a common written language. Again, significant time is lost as information is translated and the receiving party tries to figure out how to decode and read the electronic data.
Tell us about the recent development of the e-crime reporting tool.
A number of years ago, the APWG started an activity to define a common format for the description of phishing events. The goal was really three-fold: first, when exchanging e-crime data some data elements are extremely critical to an investigation (e.g., timestamps with a time zone marker, or the IP address of the website at the time of detection). Often we received e-crime data missing critical elements and the infected computer had already been re-imaged or cleaned, so we could not get the necessary data from the sender. Second, there are e-crime fighters around the globe. One in South America may find some very interesting data, but may not speak the same language as the person in Eastern Europe with whom they want to share the data. So the ability to support multilingual markings became important. Marking text sections with a language marker allows the investigator – in his or her own words – to describe the event. The receiving party could then use translation tools, possibly automatically based upon the language tag, to read the data in their own language. Third, the speed of e-crime requires that manual, human-driven processes be eliminated as much as possible. Using a common data format allows the sender and receiver to both use computers to significantly shorten the timeframe from e-crime detection to distribution to multiple parties. Instead of starting from scratch, we decided to develop a set of extensions to the Internet Engineering Task Force (IETF) IODEF standard (RFC 5070), which is an XML-based format for reporting network events. Our extensions are also defined in an IETF document that is progressing through the IETF standardization process.
To verify that we had adequately designed the common format and to induce adoption of it, we asked a number of parties like various National CERTs, e-crime fighters, and researchers if they would use the new formats for data reporting and sharing. Many said “But we need a tool.” So we developed a Java-based GUI tool to collect the information about phishing events and deliver that data to a data collection system. The tool originally allowed for the reporting of the basic phishing event data, such as the received lure, the collector URL, and some timestamp and date information. As more e-crime fighters have used the tool and provided feedback, we have enhanced it to include more specific data that is useful to researchers and investigators, such as DNS data and the ability to include any malware originally part of the lure. The tool is still being revised as we add more of the defined set of data types. Since there exist over 1,000 data element possibilities in the IODEF (plus phishing extensions) data model, we add more of the less-used data elements in every revision of the tool.
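The two answers above describe what the common format has to carry: a timestamp with a time zone marker, the IP address of the collection site at detection time, and free text tagged with its language so the receiver can machine-translate it. As an added illustration that is not the APWG tool's code, the following Python builds a minimal IODEF 1.0 (RFC 5070) incident report with those elements and then checks a received report for them; the IP address, times, incident ID and contact name are constructed sample values, and only IODEF core elements are used (the phishing extension elements are not modelled).

```python
# Added example, not the APWG tool's code: build an IODEF 1.0 (RFC 5070) phishing
# report and check it for the elements the interview calls critical. All values are constructed.
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
# IODEF timestamps are xs:dateTime with a mandatory zone: ...T14:05:00Z or ...T14:05:00-05:00
TZ_RE = re.compile(r"T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")
ET.register_namespace("iodef", IODEF_NS)

def q(tag):
    """Qualify an IODEF core element name with its namespace."""
    return f"{{{IODEF_NS}}}{tag}"

def build_report(incident_id, report_time, descriptions, collector_ip=None):
    """Return a minimal IODEF-Document. `descriptions` maps a language tag ('en', 'pt')
    to the investigator's own text; each Description carries xml:lang for translation."""
    doc = ET.Element(q("IODEF-Document"), version="1.00")
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    ET.SubElement(inc, q("IncidentID"), name="reporter.example").text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time
    for lang, text in descriptions.items():
        ET.SubElement(inc, q("Description"), {XML_LANG: lang}).text = text
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"), type="social-engineering")
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = "Example CERT (constructed)"
    if collector_ip:  # the collection site's IP address at the time of detection
        flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
        node = ET.SubElement(ET.SubElement(flow, q("System"), category="target"), q("Node"))
        ET.SubElement(node, q("Address"), category="ipv4-addr").text = collector_ip
    return ET.tostring(doc, encoding="unicode")

def check_critical_elements(xml_text):
    """List what the receiver would otherwise have to chase the sender for: a zoned
    ReportTime, xml:lang on every Description, and the target site's IP address."""
    inc = ET.fromstring(xml_text).find(q("Incident"))
    problems = []
    report_time = inc.findtext(q("ReportTime"))
    if report_time is None:
        problems.append("missing ReportTime")
    elif not TZ_RE.search(report_time):
        problems.append("ReportTime lacks a time zone designator")
    problems += ["Description without xml:lang"
                 for d in inc.iter(q("Description")) if not d.get(XML_LANG)]
    if not inc.findall(f".//{q('System')}[@category='target']/{q('Node')}/{q('Address')}"):
        problems.append("no target Address element")
    return problems
```

A report that passes `check_critical_elements` with an empty list is one the receiving party can process without going back to the sender for the missing details; the zoned timestamp and the target address are checked exactly because they are the elements the interview says were most often absent.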
What specific types of data and e-crime reports does the tool track?
The e-crime reporting tool was designed to allow e-crime fighters, investigators, corporations, and researchers to supply data from their IDS, IPS, or email filtering systems to the APWG and to each other. We don't think that non-technical consumers will find the tool useful since it asks for very specific data that a normal Internet user may not recognize, or uninformed users may provide inaccurate data.
The tool originally collected phishing event data but was quickly expanded to include other types of Internet fraud events since they are very similar. As we become more confident in the fraud aspects of the tool, we are looking to add more types of e-crime to the tool and also looking at making a 'consumer-friendly' version so that we can collect data from more endpoints. Some other e-crimes, like cyber-bullying for example, involve the same technical things as phishing – an email or SMS message – and should be easy to include in the reporting tool. One of our challenges in expanding the tool has been to try and define 'e-crime.' There is no good taxonomy of e-crime such that we could identify specific types of crime data to report, so we have been figuring this out as we release new versions of the tool.
Ultimately, who will be able to report, share and interpret electronic crime events using the tool? What's the next step that the APWG will be taking in order to enable the tool to be widely used around the globe?
The tool is designed to let high-technology e-crime fighters send data to the APWG. The APWG collects data to share with investigating parties and researchers, and we generate trending reports and statistics from that data. I expect that the current tool will go through a number of generations until we come up with something that satisfies many people's needs. We have been listening to the users of the tool and incorporating their ideas for enhancements such as supporting multiple languages and including more types of e-crime. Eventually, we expect that we will provide a number of common development libraries (e.g., Perl, Java) so groups can implement their own tool to share data using the common formats.
Now, although it would be fantastic if everyone everywhere was using our tool to report e-crime, the tool is really a mechanism to advance the data sharing adventures. So, although it is nice to see people talk about and use the tools, it is much more rewarding to see investigators exchanging accurate data in near-real time using the common format and then apprehending those responsible for e-crime.
In terms of fighting online crime, what types of positive changes do you feel the tool may help to bring about?
The three areas to successfully fight on-line crime are trust, speed, and comprehension. Although we cannot solve the trust issues (although we're working on that, too), using a common reporting format and some well-implemented tools allows us to enhance the ability to quickly identify, understand, and mitigate the problems brought on by e-criminals.
For additional information on the APWG and its e-crime reporting tool, please visit the APWG website.