It’s easy enough to report phish sites. But it’s a bitch finding where they’re hosted and getting them shut down. From a topological standpoint, a phish node could appear to be based in the U.S. when it’s really just a relay to Bejing. Or it could look like an isolated node in a hosting service when the service itself is riddled with phish sites. “What investigators need is a visualization of the topology leading to phishing nodes,” says John Quarterman, founding CEO of network performance mapping company, Internet Perils, during a recent phone interview. Enter a new program dubbed Internet Radar, which relies on several components to work. Quarterman’s company provides the visualization part. Fraud detection vendor, Corillian, provides tracking and forensics. And Web content filtering vendor, WebSense handles the reporting. In a recent test run, investigators mapped several phishing nodes going into the same hosting center and, at the time of this interview, they were trying to determine if they were looking at a major hack or at hosting provider collusion. It’s too early to tell whether programs like this will have any impact on getting phishing sites shut down faster. For starters, they’ll need advance cooperation with every major and not so major ISP around the globe so they can run their probes real-time. For the most part, ISPs will want to cooperate and get the bad doers off their networks as fast as possible, so that might not be so much of a problem. But when investigators need to call in the guns and badges, there’s no guarantees they’ll get any help. “First, we need big, aggregated cases to even catch the interest of law enforcement,” Quarterman says. “And criminals are deliberately obscuring their trails through Moscow and Korea and other legally-difficult jurisdictions.” Over the past two years, I’ve written about a number of ways the technical community has tried to combat phishing (see here and here)
Giving phishers the boot
Opinion
Jun 9, 20052 mins




