
UPCOMING EVENTS

CUNA Technology Council Summit
August 5 - 8, San Francisco, CA

IACC Annual Fall Conference
October 14 - 16, Atlanta, GA

LIVE WEBINARS

How to Reduce Traffic Diversion & Other Cyber Abuse
Featuring 1-800-FLOWERS.COM
Wednesday, July 1, 2009
10am PT / 1pm ET

ICANN Sydney Recap
Thursday, July 9, 2009
10am PT / 1pm ET

INDUSTRY NEWS

Online Brand Fraud Poses Challenges to Marketers
Marketers say they are seeing an increase in online brand attacks driven by the down economy.

Phishing Attacks Use Hijacked Legitimate Sites
New research shows how phishers are better at covering their tracks.

MarkMonitor CEO on Risks Brands Face Online
As commerce and marketing efforts shift online, brands' exposure to risks is increasing.

eCrime Evil Twins: Phishing and Malware

Blake Hayward, VP Product Marketing, MarkMonitor®

Malware is quickly evolving into a brand problem. Earlier generations of malware, such as viruses, worms, and Trojan horses were sent anonymously and often appeared in users’ email boxes as easily avoided junk mail. Early malware writers had more in common with vandals than with international crime syndicates – the bad guys appeared as either nameless or fictitious to the recipient, so when damage was done, there was no one to blame but themselves for clicking on a sketchy attachment.

Phishing changed everything and brought with it the danger of targeted brand attacks. By soliciting confidential identity information under the guise of a well-crafted, but counterfeit, communication and/or website bearing the name, logo, style, and even a credible URL of a financial institution or other organization, ecriminals were suddenly far more effective. At the same time – through the use of naming a brand in the attack – users now had someone to blame. How could the bank let this happen? How could its brand be stolen and misused in this way? How could it ever be trusted again?

It’s not only financial institutions who are at risk. Brand-based phishing and malware attacks are pervasive – targeting social networking sites, payment services, online auction sites, retailers and more. Indeed, any company with a strong, recognizable brand and online customer base is at risk.

Phishing remains a growing problem. In 2008, 945 companies were targeted by phishing, and of these, 444 were new targets. In the April 2009 report, “The War on Phishing Is Far From Over”, by Avivah Litan, Gartner shows the scope of the phishing problem – the report notes that in a 2008 survey, 80% of the online US adult population “had received an email that was definitely or appeared to be a phish attack”.

Due to the success of phish attacks, malware distributors are stealing a page from the phisher’s playbook by using trusted brands as a vehicle to distribute malware and steal users’ information. Brand-based malware attacks can come in a number of flavors: 1) malware that comes in the form of a Trojan/keylogger attempting to steal the user name and password associated with the brand’s online property; 2) spoofed sites, similar to phish sites, that attempt to trick users into visiting a site that is distributing malicious code; 3) blended phishing and malware attacks. All of these types of attacks hurt brand reputation and trust in online services.

According to a recent study by Panda Security, over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware in 2008. More alarming is Panda’s prediction that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months.

Best Practices
Given that fraudsters have so many tools and so many ways to attack, it is obvious that a holistic approach is required to protect a brand—an approach that doesn’t depend solely on users and client-side technologies to take care of themselves. Blended brand abuse requires a blended response. Traditional antivirus and security software coupled with thorough user education is a start, but ultimately it is up to the owners of a brand to take responsibility for protecting users online in a proactive way. What can you do to fight back against the potential revenue loss, reputational risk, and diminished customer trust and confidence that impact the bottom line of your online business transactions? It is vital to employ a holistic approach aimed at preventing, detecting and responding to phishing and malware attacks.

For more details about these three steps, and the evolving eCrime problem, please view the recently published white paper “The New World of eCrime: Targeted Brand Attacks and How to Combat Them.”

Kind Regards,

Blake Hayward,
VP Product Marketing, MarkMonitor

ICANN UPDATE

New gTLD Update

ICANN is currently concluding its 35th Meeting in Sydney, Australia. The Sydney meeting was focused on developing solutions to the overarching issues of Trademark Protection, Demand and Economic Analysis, Impact on Security and Stability of Root Zone Scaling, and Malicious Conduct as they relate to the proposed expansion of gTLDs.

According to ICANN, the third version of the new generic Top-level Domain (gTLD) Guidebook will be published after the Sydney meeting, when solutions to the overarching issues can be included. It is anticipated that applications for new gTLDs will be accepted starting in the first quarter of 2010.

In support of the Sydney meeting, ICANN released a number of important documents including the following:

1) Final Report on Trademark Protections in New gTLDs

The Implementation Recommendation Team (IRT) posted its final report which identified the following proposed solutions: IP Clearinghouse, Globally Protected Marks List and associated Rights Protection Mechanisms, and standardized pre-launch rights protection mechanisms; Uniform Rapid Suspension System; post delegation dispute resolution mechanisms; Whois requirements for new TLDs; and use of an algorithm in string confusion review during initial evaluation.

Although the report is thorough for the time allotted and the resources applied, MarkMonitor believes that the IRT’s final submission still calls for further analysis, policy development and implementation. Given ICANN’s commitment to launching gTLDs in the first quarter of 2010, there is little time for implementation of the proposed solutions. MarkMonitor has requested that ICANN refrain from announcing future gTLD launch dates until a detailed schedule for the implementation of critical rights protection mechanisms is finalized and resourced. The dates for gTLD implementation should coincide with the implementation of the required rights protection mechanisms. MarkMonitor also supports the view that strict analysis and approval of rights protection mechanisms should be required, and that any slip in schedule will also push the launch of gTLDs.

A public comment period covering the final report will last from May 29, 2009 to July 6th, 2009.

2) Amended Guidebook Sections and Explanatory Memoranda

According to ICANN, many changes to the Draft Applicant Guidebook have been made as a result of comments received to date. While revisions include amendments to the handling of geographical names, evaluation questions, comparative evaluation scoring, dispute resolution procedures and other registry agreement provisions, the requirement for Thick Whois appears to be the most notable. The public comment period for the guidebook excerpts will last from May 31, 2009 – July 20, 2009. The comments received, together with the outcomes of the discussions relating to the overarching issues, will constitute the basis for the third version of the guidebook. The third version will be published at the end of the third quarter 2009.

3) Analysis of Public Comment to Applicant Guidebook version 2

In response to the more than 200 comments received on the second version of the new gTLD Applicant Guidebook, ICANN has published a comprehensive report.

The report provides an analysis of the comments received and is broken into the following sections: General Concerns, Trademark Protections, TLD Demand and Economic Analysis, Potential for Malicious Conduct, Root Zone Scaling, Evaluation, Financial Considerations, Objection Process, Registry Agreement, String Contention, IDN and Respondents.

Also, in an effort to facilitate future discussions around issues of trademark protection, malicious behavior and other program details within the new gTLDs, ICANN will be hosting a series of events. The events are scheduled to occur:

  • Monday, July 13th in New York
  • Wednesday, July 15th in London
  • Friday, July 24th in Hong Kong
  • TBD in Abu Dhabi

Additional locations are under consideration, as well as a series of topic-specific webinars. All events are free of charge, but space is limited and preference will be given to first-time attendees to any of the consultation sessions. Remote participation will be available and ICANN will be providing additional details.

Detailed information about these events is available at http://www.icann.org/en/topics/new-gtlds/consultation-outreach-en.htm.

Pre-registrations can be submitted at http://www.registration123.com/ICANN/GTLD/.

© 2009 MarkMonitor Inc. All rights reserved. MarkMonitor is a registered trademark of MarkMonitor Inc. All other trademarks included herein are the property of their respective owners.

MarkMonitor solutions are protected by US patent rights, including US 7,346,605.  Other patents pending.