PIRT (Phishing Incident Reporting and Termination) is making headlines around the web, but take its plans with a grain of salt for now. For those who haven’t heard or can’t be troubled to follow the links, PIRT is a non-profit organization of volunteers dedicated to tracking the links in spam to phishing websites and concentrating its efforts on "shutting those sites down." It may sound like a valiant and praiseworthy effort, but our researchers are unearthing details that cast some doubt on the organization’s methods and goals.
PIRT’s methods for "shutting down" sites aren’t clearly defined. Its homepage mentions contacting hosts and ISPs and requesting their cooperation, but as Netcraft reports, a large share of phishing sites are hosted where that cooperation is unlikely to be forthcoming:
Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service. Some hosting companies offer fraud hosting as a service whereby they are incentivized to keep the site up as long as possible, and this necessitates more extensive action.
Which leads us to ask what the most common outcome will be in that majority of cases, if we accept that these hosts will not help PIRT in its endeavor. Will PIRT simply ignore ~87+% of phishing schemes? Yet its site and the ZDNet report claim a success rate of at least 50%… Is DDoS the answer?
The first and most obvious question is that of responsibility. Alex Eckelberry of the spyware-removal company Sunbelt Software, together with Paul Laudanski of CastleCops, an online security community, and his wife, Robin Laudanski, established PIRT a couple of months ago. All three are people of good standing and trustworthy history, but they are private citizens, not affiliated with any government or with ICANN, and as such are liable to make the same mistakes anyone else would. The biggest cause for concern is the lack of a bullet-proof method by which PIRT can verify that a site is knowingly engaged in phishing. Quite often the most "professional" phishers take control of a netblock and host their sites there for as long as they can keep that control. In such a case it may seem that the best course of action is to attack that netblock by any means necessary; after all, no one will complain if a developing nation’s only server is DDoS’d off the net, whatever the costs incurred and the effects on the citizens and governments of that country…. or will they?
Let’s assume instead that the host is not in a developing nation. That lowers the probability of an entire netblock being under the phisher’s control, as well as the number of cases that fall into this category. Here it is more likely that a phisher has used exploits and vulnerabilities to compromise servers, sometimes as surreptitiously as adding a single page and leaving the rest intact. In that case an attack, or an email to the host that results in the server being suspended, will hurt the real owner of the server. Maybe not fair, but arguably not an unworthy sacrifice, and the host will hopefully heed the signs and upgrade or patch all machines under its control. Check!
The last category is that of the amateur, a script kiddie if you will. Ten dollars on a stolen or borrowed credit card buys shared hosting with PHP; ten minutes later the emails start going out, and sooner or later they will reach PIRT. In such a case, can shutting down a "first-timer" justify DDoSing an entire shared server with thousands of users? Is it legal? Morally or ethically tolerable?
In the end it boils down to this: as a non-privileged, third-party volunteer corps, the choice is limited to either ineffective words or "suspicious" (but effective) means. And once PIRT makes it big, what stops fake "volunteers" from forging messages from a domain, pointing the links at a legitimate competing online business’s sales page, reporting it as a phishing scheme, and getting PIRT to do their dirty work for them?
All in all, we are not bashing the idea of a third-party phishing control committee, but it is something that takes more organization and control than a MediaWiki site, a couple of well-meaning volunteers, and mass media attention. It has many variables and possibilities that need to be finalized and polished, for the safety of the web and for the organization’s own survival; after all, of what use is a task force in which a single false positive can trigger a lawsuit that brings its untimely demise?
Update: Our concerns have been addressed by CastleCops; please see the comments below for details.
Eh? Come again? Where did you get the idea that DDoS is practiced or even condoned by Castlecops/Sunbelt? How were you able to conclude that the host of the phish site is emailed? Where do you get this stuff? Have you even taken the time to read any of the reports?
In fact the reports go to the ISP and the institution being compromised by the phish, as well as to other phishing and law enforcement authorities, and they remain publicly available at the CastleCops http://castlecops.com/f122-Phishing_Fraud_and_Dastardly_Deeds.html forum. In time a databank of ISP performance WRT phish take-down response will be built, and that will represent public evidence of any complicit ISPs.
BTW, you forgot to mention one rather significant person in this effort, the one who came up with the concept of Fried Phish, Paul’s wife, Robin Laudanski.
Thank you for your reply Ikester. As I said, I am not against PIRT, and I like the idea.
I am glad to hear that you will not be using DDOS in your efforts, but I still have to ask: how do you deal with the international sites? You say you contact law-enforcement agencies, but as Netcraft notes, these developing nations have no laws that protect their citizens or others from such scams.
I apologize for coming off harshly, and that was a mistake. I realize that you bear no responsibility for what others not affiliated with PIRT will do with that database, and I guess we can think of it as poetic justice where no one carries the blame. I appreciate your prompt response, and stand corrected, though I do look forward to clarifications on the remaining issues.
PS: I have added Robin to the list, much appreciated.