phishing sites report - March/2005

Gadi Evron ge at linuxbox.org
Mon Mar 28 20:55:23 UTC 2005


Daniel Golding wrote:
> Gadi,
> 
> This report isn't terribly useful without the IP addresses (or URLs) in
> question. How could an ISP start investigating and/or null routing these
> addresses without having the list?
> 
> I suppose I'm skeptical because some of those ASNs are not big content
> hosters. Some are transit-only ASNs.
> 
> Also, if you are using WHOIS to check the IP addresses for their owner, how
> are you correlating to ASN? Through an IRR? Or is there a route lookup
> somewhere in the mix?
> 
> Even if you won't release full data (although I can't imagine why not), you
> need to fully disclose the methodology. "Digested" is insufficient when ISPs
> and hosters are being called out by name.

To answer all your above welcomed questions...
We will release the data we can, sorry.

That said -
We are looking for ways to release the actual IPs (phishing web pages) 
information in a sort of a blacklisting service. Currently the data is 
mixed with suspected CP sites and that's a no-no for release.
There are steps to take, and you are right - that's one of them, and 
perhaps even more important than we currently believe.
As to the usefulness of this particular report, it is about showing the 
problem, not killing sites.

As to "proving" to the ISPs -
Each of the respected service providers can contact us and get the 
information directly, and then make up their own minds.

As to the exact methodology used, I'll have to refuse to divulge that 
information publicly at this time. You don't have to believe the data. 
You can believe in some of the public names associated with this work.

Statistics may be a "blown out of proportions" word here, as all we do 
in this particular case is count.

And sorry, we'll keep calling these service providers by name, and "put 
our money where our mouth is" when they ping us back, like we did with 
The Planet, PNAP, KrCERT and others on our botnets C&C report. Also, we 
give credit where credit is due to service providers who show they are 
serious.

Keep in mind, although we won't go for "amateur" work, this is volunteer 
work.

:)

	Gadi.


