The consequence of non-cooperation in the fight against phishing

A key way in which banks mitigate the effects of phishing is to have fraudulent websites removed or abusive domain names suspended. This dasiatake-downpsila is often subcontracted to specialist companies. We analyse six months of dasiafeedspsila of phishing Website URLs from multiple sources, including two such companies. We demonstrate that in each case huge numbers of Websites may be known to others, but the company with the take-down contract remains unaware of them, or only belatedly learns that they exist. We monitored all of the Websites to determine when they were removed and calculate the resultant increase in lifetimes from the take-down company not knowing that they should act. The results categorically demonstrate that significant amounts of money are being put at risk by the failure to share proprietary feeds of URLs. We analyse the incentives that prevent data sharing by take-down companies, contrasting this with the anti-virus industry - where sharing prevails - and with schemes for purchasing vulnerability information, where information about attacks is kept proprietary. We conclude by recommending that the defenders of phishing attacks start cooperatively sharing all of their data about phishing URLs with each other.

[1]  Tyler Moore,et al.  Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing , 2009, Financial Cryptography.

[2]  Hal R. Varian,et al.  System Reliability and Free Riding , 2004, Economics of Information Security.

[3]  Rahul Telang,et al.  Market for Software Vulnerabilities? Think Again , 2005, Manag. Sci..

[4]  Cormac Herley,et al.  Evaluating a trial deployment of password re-use for phishing prevention , 2007, eCrime '07.

[5]  Anindya Ghose,et al.  The Economic Incentives for Sharing Security Information , 2004, Inf. Syst. Res..

[6]  Tyler Moore,et al.  Examining the impact of website take-down on phishing , 2007, eCrime '07.

[7]  Ramayya Krishnan,et al.  An Empirical Analysis of Vendor Response to Disclosure Policy , 2005, WEIS.

[8]  M. Patrick Collins,et al.  Fishing for phishes: applying capture-recapture methods to estimate phishing populations , 2007, eCrime '07.

[9]  J. Hirshleifer From weakest-link to best-shot: The voluntary provision of public goods , 1983 .

[10]  Tyler Moore,et al.  Evaluating the Wisdom of Crowds in Assessing Phishing Websites , 2008, Financial Cryptography.

[11]  Lawrence A. Gordon,et al.  Sharing Information on Computer Systems Security: An Economic Analysis , 2003 .

[12]  Sarah Gordon,et al.  When Worlds Collide: Information Sharing for the Security and Anti-virus Communities , 1999 .

[13]  Lorrie Faith Cranor,et al.  Phinding Phish: Evaluating Anti-Phishing Tools , 2006 .

[14]  Markus Jakobsson,et al.  Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft , 2006 .