Consumer Advice
Educating Your Customers on ID Theft, Phishing and eCrime
Technical Whitepapers and Briefings from APWG Sponsors
APWG Phishing Trends Report
APWG Whitepapers and Reports
Notable Articles and Government Briefings
Anti-Fraud Organizations and Links
Corporate Anti-Fraud Policies
Where Does the Word 'Phishing' Come From? |
| |
| Technical Whitepapers and Briefings from APWG Sponsors |
|
Click here for Trend Micro's paper on "Botnet Threats and Solutions: Phishing".
|
|
Click here to view the GeoTrust white paper, "Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks and Consumer Fraud". In this white paper, the author describes how the traditional, paper-based manual vetting process, or organizational assurance vetting, still employed by some certificate authorities can be spoofed.
|
|
Click here to download a copy of McAfee's white paper "Anti-Phishing: Best Practices for Institutions and Consumers" in which the authors delineate phishing's many attack surfaces and assess different approaches and solutions to remediate them.
|
|
How Collaborative Filtering Can Stop Future Forms of Messaging Abuse
Zero-Hour, Real-Time Computer Virus Defense Through Collaborative Filtering
Why Conventional Anti-Virus Techniques Won't Stop New Threats
The Economy Of Phishing: A Survey of the Operations of the Phishing Market
A Reputation-Based Approach for Efficient Filtration of Spam
Cloudmark's Unique Approach To Phishing
|
|
Click here for RSA Security's white paper, “Phishing Special Report: What to Expect for 2007.” This paper examines several trends in online fraud and, more interestingly, provides an overview of the emerging threats that we have recently encountered, as well as the threats we project to see in the coming year.
Click here to download RSA’s 4th Annual Consumer Online Fraud Survey
|
 |
Click here for the white paper TriCipher Consumer Online Banking Study that discusses how banks could increase profitability by offering identity protection software.
Click here for the white paper The Perfect Storm: Man in the Middle Phishing Kits, Weak Authentication and Organized Online Criminals
|
|
Link out here to register for a copy of Entrust's white paper "Countering On-Line Identity Theft: New Tools to help Battle Identity Theft on the Internet."
|
|
Link out to VASCO's Phishing website, with information and documents and a range of authentication solutions including EMV smart cards.
|
|
Click here to view the Symantec white paper, "Mitigating Online Fraud: Customer Confidence, Brand Protection, and Loss Minimization."
|
|
| |
| APWG Whitepapers and Other Reports |
Global Phishing Survey: Domain Name Use and Trends in 1H2008
This study is a comprehensive analysis of the phishing that took place in the first half of 2008 (1H2008). Highlights include:
- attack and uptime statistics for all top-level domains
- examinations of how phishers target specific registrars and top-level domains, and change their preferences over time
- use of subdomains for phishing
- other trends pointing to anti-abuse strategies
Previous Phishing Survey Release: Trends in 2007
Making Waves in the Phishers’ Safest Harbors: Exposing the Dark Side of Subdomain Registries
This advisory discusses how phishers now use what we call subdomain registries to
provide safe harbors for malicious and criminal activities. The advisory also
discusses measures individuals and organizations can consider if they opt to make
these harbors less attractive and effective to phishers.
Anti-Phishing Best Practices Recommendations for Registrars
The purpose of this document is to provide a set of recommendations to the domain registrar community that can substantially reduce the risk and impact of phishing on consumers and business worldwide. The recommendations focus on 3 areas where registrars can be of assistance: Evidence Preservation for Investigative Purposes, Proactive Fraud Screening and Phishing Domain Takedown.
The Relationship of Phishing and Tasting
The Domain Name System Policy Working Group performed a study on the use of domain tasting by phishers. The study shows that while it does not appear that domain tasting is utilized by phishers, the increase in infrastructure that anti-phishing companies must have to monitor for new phishing domain registrations has negatively impacted the anti-phishing community.
Memorandum on Domain Take-Downs and WhoIs Data
The APWG, as an observer to the ICANN Whois Privacy WG, prepared a memorandum on how anti-phishing fighters use the DNS Whois data to disable phishing sites. ICANN is contemplating removing most of the address data from the gTLD (.com, .net, .org) DNS Whois servers and the APWG is concerned about retaining access to this data to support our phish fight.
Best Practices for ISPs and Mail Box Providers
Joint working document release from APWG and MAAWG. Consolidates a selection of "Best Practices" for companies providing ISP or Mail Box services.
Online Identity Theft: Technology, Chokepoints and Countermeasures
DHS Counter-Phishing Strategies Whitepaper from the members of the Identity Theft Technology Council.
DOJ & PSEPC Joint Report on Phishing
The US Justice Department and the Ministry of Public Safety and Emergency Preparedness Canada jointly produced this report on phishing.
Crimeware Landscape Report
The APWG in coordination with the US Department of Homeland Security produced this Crimeware Landscape Report. This document tries to help executives grasp just what crimeware is, how it works, and how prevalent it is.
Proposed Solutions to Address the Threat of Email Spoofing Scams
Anti-Phishing Working Group - Released Dec 12, 2003
National and State Trends in Fraud & Identity Theft, January - December 2003
Federal Trade Commission - Released Jan 22, 2004
|
| Consumer Advice |
How to Avoid Phishing Scams
What To Do If You've Given Out Your Personal Financial Information

Bank Safe Online from our research partners APACS in the UK
Federal Trade Commission "Avoid ID Theft: Deter, Detect, Defend", a campaign to advise consumers on techniques to neutralize identity theft.
Our research partners at Carnegie Mellon's CyLab have developed this cute online game to help consumers recognize phishing emails. Play AntiPhishing Phil and see how knowledgeable you are.
Another effort to educate users is SecurityCartoon.com. SecurityCartoon.com, produced by our partners at the Stop-Phishing group, describes common threats and what to do to avoid them. This is done in a language that is accessible to typical Internet users.
|
| Educating Your Customers on ID Theft, Phishing and eCrime |
APWG Public Education Initiative (PEI): The PEI identifies and organizes the most broadly useful counter-ecrime educational programs and forges the essential logistics to deliver them to the largest victimized cohort possible, in every language in which phishing, directed at consumer and enterprise desktops and communications devices, has become a problem.
The Federal Trade Commission and the APWG have collaborated on these "How To Guides". We want to extend our thanks to the FTC for supporting this project.
Fighting Back Against Identity Theft: The easy to reproduce brochure outlines essential steps to deter, detect and defend against identity theft. The brochure is available online in print ready, PDF format.
Talking About Identity Theft: A How-To Guide: A comprehensive guide with educational strategies and materials for professionals, associations and community groups to effectively communicate and educate about identity theft. Available online in print ready, PDF format.
|
| Notable Articles and Briefings |
|
The following citations are for trade and academic journal articles
and government briefings on phishing.
May 2008 - SSAC Advisory on Registrar Impersonation Phishing Attacks (26 May 2008)
http://icann.org/committees/security/sac028.pdf
May 2008 - Behind Phishing: An Examination of Phisher Modi Operandi
D. Kevin McGrath, Minaxi Gupta
Computer Science Department, Indiana University, Bloomington, IN, U.S.A.
March 2006 - National Consumer League
A Call for Action: Report from the National Consumer League Anti-Phishing Retreat
November 2005 - DHS Report
DHS Counter-Phishing Strategies Whitepaper: Online Identity Theft: Technology, Chokepoints and Countermeasures
February 2005 - APWG Response to the FDIC
APWG FDIC Response
January 2005 - Tod Beardsley Whitepaper
Evolution of Phishing Attacks
December 2004 - FDIC Report
Putting an End to Account-Hijacking Identity Theft by the FDIC
|
| Anti-Fraud Organizations |
The following organizations are involved in identifying, tracking,
or stopping phishing attacks:
The Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is an industry association
focused on eliminating the identity theft and fraud that result
from the growing problem of phishing and email spoofing. The organization
provides a forum to discuss phishing issues, define the scope of
the phishing problem in terms of hard and soft costs, and share
information and best practices for eliminating the problem.
FBI - Internet Fraud Complaint Center
The Internet Fraud Complaint Center (IFCC) is a partnership between
the Federal Bureau of Investigation (FBI) and the National White
Collar Crime Center (NW3C). IFCC's mission is to address fraud committed
over the Internet.
The Coalition on Online Identity Theft
Information Technology Association of America (ITAA)
Some of the biggest names in e-commerce, including Amazon.com,
eBay and Microsoft, have formed a coalition to curb online identity
theft.
SCAMwatch
SCAMwatch is a website run by the Australian Competition & Consumer Commission (ACCC). The aim of SCAMwatch is to provide information to consumers and small business about how to recognise, avoid and report scams. Scams that are reported to SCAMwatch will be analysed by the ACCC.
The United States Federal Trade Commission
The FTC works for the consumer to prevent fraudulent, deceptive
and unfair business practices in the marketplace and to provide
information to help consumers spot, stop and avoid them.

Secure Florida's mission is to protect the citizens and economy of Florida by safeguarding information systems, reducing vulnerability to cyber attacks, and increasing responsiveness to any threat.
The Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse is a nonprofit consumer education,
research, and advocacy program. Our publications empower you to
take action to control your personal information by providing practical
tips on privacy protection.
Nigeria - The 419 Coalition Website
We Fight the Nigerian Scam with Education. It's a US$5 Billion
(as of 1996, much more now) worldwide Scam which has run since the
early 1980's under Successive Governments of Nigeria. It is also
referred to as "Advance Fee Fraud", "419 Fraud"
(Four-One-Nine) after the relevant section of the Criminal Code
of Nigeria.
|
| Corporate Anti-Fraud Policies |
Below is a sample of companies or other organizations that have published
policies relating to email fraud and phishing attacks:
US Bank
Wells Fargo Bank
NatWest Bank
eBay and PayPal
Citibank
Lloyds
APACS UK
|
| Where Does the Word 'Phishing' Come From? |
The Word Spy
Where did the word "phishing" come from?
Origins of the Word "Phishing"
True history of where the phrase came from. |
|