PIRT (Phishing Incident Reporting and Termination) is making headlines around the web, but take their plans with a grain of salt for now. For those of you who haven't heard or can't be troubled to follow the links, PIRT is a non-profit organization of volunteers dedicated to tracking the links in spam that lead to phishing websites and concentrating their efforts on "shutting those sites down." It may sound like a valiant and praiseworthy effort, but our researchers are unearthing more details that cast a shadow of doubt on this organization's methods and goals.
PIRT's methods for "shutting down" sites aren't clearly defined. Their homepage mentions contacting hosts and ISPs and requesting their cooperation, but as Netcraft reports, most phishing schemes launch from the same netblocks repeatedly:
Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service. Some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action.
This leads us to question what the most common response will be in the vast majority of these situations, if we accept that such hosts will not help PIRT in its endeavor. Will PIRT simply ignore roughly 87% or more of the phishing schemes? Yet their site and ZDNet report a minimum 50% success rate... Is DDoS the answer?
The first and most obvious question is that of responsibility. Alex Eckelberry of the spyware-removal company "Sunbelt Software", together with Paul Laudanski of CastleCops, an online security community, and his wife, Robin Laudanski, established PIRT a couple of months ago. Eckelberry and Laudanski are men of good standing and trustworthy history, but they are private citizens, not affiliated with the government or ICANN, and as such are liable to make the same mistakes anyone else would. The biggest cause for concern is the lack of a bullet-proof method by which PIRT can verify that a site is indeed knowingly engaged in phishing. Quite often the most "professional" of phishers will take control of a netblock and host their sites there for as long as they can keep control over it. In such a case it may very well seem that the best course of action is to attack that netblock by any means necessary: surely no one will complain if a developing nation's only server is DDoS'd off the net, whatever the costs incurred and the effects on that country's citizens and government.... or will they?
Let's assume, then, that it's not a developing nation. That lowers both the probability of an entire netblock being under a phisher's control and the number of occurrences that fall into this category. In such a case it is more likely that a phisher will use exploits and vulnerabilities to compromise legitimate servers, sometimes as surreptitiously as adding a single page and leaving the rest intact. Here, an attack or even an email to the host will hurt the real owner of the server. Maybe not fair, but arguably not an unworthy sacrifice, and the host will hopefully heed the signs and upgrade and patch all the machines under their control. Check!
The last category is that of the amateur, a script kiddie if you will. Ten dollars on a stolen or borrowed credit card will get him or her shared hosting with PHP; ten minutes later the emails start going out, and sooner or later they will hit PIRT. In such a case, can shutting down a "first-timer" justify DDoSing an entire shared server with thousands of users? Is it legal? Morally and ethically tolerable?
In the end it boils down to this: as a non-privileged, third-party 'volunteer corps', the choice is limited to either ineffective words or resorting to "suspicious" (but effective) means. And once PIRT makes it big, if it does, what stops fake 'volunteers' from forging messages from a domain, pointing the emails at a legitimate competing online business' sales page, pretending it's a phishing scheme, and getting PIRT to do their dirty work for them?
All in all, we are not bashing the idea of a third-party phishing control committee, but it is something that takes more organization and control than a MediaWiki site, a couple of well-meaning volunteers, and mass media attention. It has many variables and possibilities that need to be finalized and polished, for the safety of the web and for the organization's own survival; after all, of what use is a task force in which one false positive can trigger a lawsuit that quickly brings about its untimely demise?
Update: Our concerns have been addressed by CastleCops; please see the comments below for more details.