FIGHTING CORRUPTION
Figure 2. Representative Timeline for A Botnet-Enabled Criminal Attack
registration without a court order. These recourses are effective with operators who are vigilant about criminal activity or believe that managing abuse is a service differentiator. Some operators and private investigators facilitate such interventions through voluntary collaboration in ad hoc trust relationships at business or even individual levels. By contrast, some operators insist strictly on a court order. Yet other operators adopt business models that facilitate criminal hosting, and thus have no incentive to volunteer.
Role of Trusted Intervener Frameworks

The Anti-Phishing Working Group (APWG) has developed a service that attempts to formalize voluntary intervention. APWG’s Accelerated Malicious Domain Suspension process (AMDoS) was launched in 2012 with 12 top-level domains. Through attestations, AMDoS 2.0 can direct requests for domain suspensions to registrars of record. AMDoS employs a trusted introducer model whereby accredited interveners submit suspected malicious domain names for investigation and suspension by sponsoring registrars. The process is characterized in the following scenario.
An authority has processed the registration for exxxample.com. The authority has voluntarily enrolled in the AMDoS program and agrees to review attestations from trusted interveners in an accelerated manner. Through their participation, authorities agree to trust the program, and hence have confidence in the reporting parties. An accredited intervener submits a phishing abuse complaint through a web submission form. This is a formal attestation that an Internet domain name is associated with a criminal activity; specifically, the attestation would provide evidence that criminal actors have used an Internet domain name to steal identities and commit fraud. For example, an investigator might provide evidence demonstrating that victims have clicked on a hyperlink in an email, http://www.exxxample.com/login.html, believing that they are visiting http://www.example.com/login.html. This malicious hyperlink takes them to a fake login page run by the criminals. On this site, the victim unwittingly discloses account credentials to the criminal actors. Attestations, designed by subject matter experts and authority representatives, are the means to share sufficient evidence for a domain registry operator or registrar to make a decision to suspend the domain to prevent further harm. This shutdown occurs within hours (eventually, perhaps faster) of the time an intervener discovers a phishing email that is abusing the Internet domain name.

The AMDoS process improves on the collaboration between investigators and registry or registrar operators in several ways.
• The formal vetting process provides a level playing field for interveners. APWG governs the accreditation process for interveners. Candidate interveners must work for an enterprise relevant to the management and investigation of cybercrime. An expert committee prescreens each candidate’s technical qualifications, relevant intervener history and reputation to establish eligibility for enrollment.
• Attestations and responses by authorities are auditable, providing the accountability and review necessary to build confidence in the system.
• The AMDoS can be used only for cases involving financial fraud and where there is no dispute over the legitimacy of content.