Policy eliminates pre-emptive protection of internet infrastructure abuse

Networks Asia - Security Asia

https://www.networksasia.net/article/policy-eliminates-pre-emptive-prote...

ICANN GDPR WHOIS Policy Eliminates Pre-Emptive Protection of Internet Infrastructure Abuse; Obstructs Routine Forensics to Cybercriminals’ Advantage

Cambridge, Mass. and San Francisco, Oct. 24, 2018 – A joint APWG-M3AAWG survey of cybercrime responders and anti-abuse personnel indicates ICANN’s Temporary Specification for domain name WHOIS data has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages -- and has markedly impeded routine mitigations for many kinds of cybercrimes. The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated their capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data is pseudonymous, according to Peter Cassidy, APWG Secretary General.

ICANN’s Temporary Specification for gTLD Registration Data, established in May in response to the European Union’s General Data Protection Regulation (GDPR), impedes investigations of cybercrime – from ransomware attacks to distribution of state-sponsored strategic disinformation. Analyses of responses from the survey reveal that:

  • Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  • Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

“The biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,” one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and M3AAWG concluded their analysis with recommendations for ICANN to:

  • Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
  • Restore redacted WHOIS data of legal entities.
  • Adopt a contact data access request specification for consistency across registrars and gTLD registries.
  • Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
  • Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
  • Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.
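The hash-based recommendation above is the one technical proposal in the list, and it has an edge that the survey text does not spell out: a contact field is only a useful pivot if the same registrant yields the same token at every registrar, and an unkeyed hash of an email address is reversible by guessing because the candidate space is small. The following is an added example, not code from APWG, M3AAWG or ICANN; the registration records are constructed sample data, the field names and functions are this example's own, and the key is assumed to be held by a trusted party (a registry or accreditation body), which is itself an assumption about how such a scheme would be operated.

```python
"""Pseudonymous WHOIS pivoting with hashed contact fields (added example).

Shows (1) replacing a redacted registrant email with a stable token,
(2) pivoting on that token to find every domain the same contact registered,
across registrars, and (3) why an unkeyed hash leaks the address while a
keyed hash (HMAC) does not. All records below are constructed, not real
WHOIS output; function and field names are this example's own.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample registrations: two domains share one registrant email
# but sit at different registrars, which is the cross-registrar case the
# survey respondents say they can no longer resolve.
RECORDS = [
    {"domain": "example-bank-login.test",
     "registrant_email": "A.Registrant@mail.test", "registrar": "Registrar A"},
    {"domain": "secure-example-bank.test",
     "registrant_email": "a.registrant@mail.test", "registrar": "Registrar B"},
    {"domain": "unrelated-shop.test",
     "registrant_email": "shop.owner@mail.test", "registrar": "Registrar A"},
]


def normalize_email(addr):
    """Canonical form so case and whitespace differences do not split a pivot."""
    return addr.strip().lower()


def contact_token(email, key=None):
    """Stable pseudonym for a contact field.

    key=None   -> plain SHA-256 (unkeyed; anyone can test guesses).
    key=bytes  -> HMAC-SHA256 under a key held by the redacting party.
    """
    data = normalize_email(email).encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def redact(records, key=None):
    """Return copies of the records with the email replaced by its token."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["registrant_token"] = contact_token(copy.pop("registrant_email"), key)
        out.append(copy)
    return out


def pivot(redacted, token):
    """All domains whose redacted registrant token matches, any registrar."""
    return sorted(r["domain"] for r in redacted if r["registrant_token"] == token)


def domains_by_token(redacted):
    """Group the redacted data set by registrant token (the bulk pivot)."""
    groups = defaultdict(list)
    for r in redacted:
        groups[r["registrant_token"]].append(r["domain"])
    return dict(groups)


def guess_email(token, candidates, key=None):
    """Dictionary attack on a token: the matching candidate, or None.

    Without the key this succeeds against unkeyed SHA-256 tokens because
    email addresses are guessable; against HMAC tokens it fails unless the
    attacker also holds the key.
    """
    for cand in candidates:
        if hmac.compare_digest(contact_token(cand, key), token):
            return normalize_email(cand)
    return None


if __name__ == "__main__":
    key = b"registry-held-secret"          # assumption: held by a trusted party
    target = "a.registrant@mail.test"
    guesses = ["shop.owner@mail.test", "A.Registrant@mail.test"]

    plain = redact(RECORDS)
    print("unkeyed pivot:", pivot(plain, contact_token(target)))
    print("unkeyed token reversed to:", guess_email(contact_token(target), guesses))

    keyed = redact(RECORDS, key)
    print("keyed pivot:  ", pivot(keyed, contact_token(target, key)))
    print("keyed token reversed without key:", guess_email(contact_token(target, key), guesses))
```

The pivot works identically in both modes, which is the property the recommendation wants. The difference is who can turn a token back into a person: with plain SHA-256, any party holding the redacted data can confirm a guessed address, so the redaction protects little; with HMAC, confirmation needs the key, but then every registrar and registry must token under the same key (or a common service) or the cross-registrar pivot in this example stops working, which is the consistency problem the other recommendations in the list are about.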

The full survey can be found at /WhoisSurvey2018-10.  

About the APWG

The APWG (www.apwg.org), founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,200 companies, government agencies and NGOs participating in the APWG worldwide.

APWG advises hemispheric and global trade groups and multilateral treaty organizations such as the European Commission, the G8 High Technology Crime Subgroup, Council of Europe's Convention on Cybercrime, United Nations Office of Drugs and Crime, Organization for Security and Cooperation in Europe, Europol EC3 and the Organization of American States. APWG is a member of the steering group of the Commonwealth Cybercrime Initiative at the Commonwealth of Nations.

About M3AAWG

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG (www.m3aawg.org) members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

Media Contacts

Anti-Phishing Working Group
Peter Cassidy, 617-669-1123
pcassidy@apwg.org

M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group)
pr@m3aawg.org

BEC List Recipients of the 2018 M3AAWG JD Falk Award

The 2018 M3AAWG JD Falk Award was presented October 9 during the M3AAWG 44th General Meeting in Brooklyn, NY, USA, to:

Ronnie Tokazowski, BEC List Founder and Administrator,
Reverse Engineer, Flashpoint, @iHeartMalware

and the BEC List Members

A partial listing of companies participating in the Business Email Compromise List as of October 2018:

  • Agari
  • AlienVault
  • Apura Cybersecurity Intelligence
  • Area 1 Security
  • Booz Allen Managed Threat Services
  • CrowdStrike
  • Cofense, previously PhishMe
  • Comp.romiser
  • CyberNotify.org
  • Dell SecureWorks
  • Duke University
  • FBI, with special thanks to Los Angeles, New York, NCFTA, HQ and several field offices
  • Fishtech
  • Flashpoint
  • Gigamon
  • Google
  • Internal Revenue Service/Online Fraud Detection & Prevention
  • Iridium Satellite
  • Itochu Corp
  • Oath
  • One Medical
  • Orange Cyberdefense
  • Palo Alto Networks, Unit 42
  • Proofpoint
  • Salesforce
  • Scam Haters United
  • ShadowDragon
  • Sophos Plc.
  • SpyCloud, Inc.
  • Sucuri/GoDaddy
  • Symantec
  • ThreatStop, Inc.
  • Trend Micro, Inc.
  • Trustwave
  • United States Secret Service Global Investigative Operations Center
  • Walmart

and many other individual researchers and organizations who wished to remain anonymous

 

“Under the Radar” Industry Group Fighting BEC Phishing Receives 2018 M3AAWG JD Falk Award

New York, October 9, 2018 – A private, sequestered email group that you probably have never heard of – but that has helped prevent millions of dollars in fraud and assisted in taking down thousands of Nigerian scheme email accounts – was honored today with the 2018 JD Falk Award from the Messaging, Malware and Mobile Anti-Abuse Working Group.  The BEC List founder and administrator, Ronnie Tokazowski, and the private email group of more than 530 members received the annual award, which recognizes an innovative project that protects online users, at the M3AAWG 44th General Meeting in Brooklyn.

The Business Email Compromise List deals with a broad assortment of criminal activity and deceptive emails, often described as “Nigerian” schemes, that use phishing and fake social media activities to attract victims. By sharing information and expertise, list members have blocked spoofed emails and malware; tracked real estate, romance, IRS, W2 and lottery schemes; and identified the money “mules” used to transfer illicit funds. BEC fraud accounts for more than $12 billion in losses globally and threatens users in 150 countries, according to the FBI’s IC3 (Internet Crime Complaint Center).

The private list is managed by Tokazowski, senior malware analyst at Flashpoint, and includes cybersecurity professionals from Fortune 500 companies, leading threat research organizations, anti-virus firms, and internet infrastructure companies, many of them competitors. Law enforcement participants include the U.S. Federal Bureau of Investigation, the U.S. Internal Revenue Service Online Fraud Detection and Prevention group, the U.S. Secret Service, and other entities. While many members chose to remain anonymous, a partial list of participating organizations is available at www.m3aawg.org/FalkAwardOrgs2018. A video describing what the group has learned about compromised email and the list’s accomplishments is at https://youtu.be/Ues_oRsTBNc.

The award also recognizes the impact a single individual can have on fighting abuse. The private group was Tokazowski’s idea and he has served as the list administrator since its inception three years ago.  Since then, dozens of organizations have cooperated on the list to protect end-users and fight fraud.

“From the start, Ronnie has diligently managed the BEC List as a trusted environment, always emphasizing the need for confidentiality and respect for members’ opinions. As a result, it has become an important anti-abuse channel where actionable information is shared throughout the day between hundreds of people. This cooperative sharing has greatly benefited end-users, even though they are not aware of its existence, as the list’s behind-the-scenes involvement has contributed to over a hundred fraud-related arrests,” said Severin Walker, M3AAWG Chairman of the Board.

In 2015, Tokazowski initially reached out to a few cybersecurity researchers and law enforcement agents to discuss the compromised emails he was seeing in his work and the list was created that December with about a hundred participants. They originally focused on conventional BEC phishing emails that impersonate a targeted CEO requesting that the company’s financial staff wire funds to a fraudulent account. But as the group studied the problem, they realized it was much more extensive and often involved malware and various online and social media ruses.

Nigerian Rappers Praise Scams

Tokazowski said, “It takes a diverse set of perspectives and expertise to address business compromise email and it’s not something researchers, law enforcement, and especially the targeted users can tackle on their own. I like to describe it as, ‘it’s not my problem, it’s not your problem, it’s a problem for everyone in the industry.’  We have to come together to fix it and understand how it works.”

This effort includes learning how the perpetrators think, according to Tokazowski. “We’re also looking to identify the criminals’ motivation and how this affects the schemes. There is a different culture in many of the countries where these crimes originate, and the deception is often justified in these regions because it’s one of the few ways to earn money. You have popular rappers in Nigeria praising the scammers’ efforts and their methods to ‘wire wire’ stolen money from a BEC target, but without ever acknowledging the victim’s pain,” he said.

The M3AAWG JD Falk Award is presented annually to recognize a project that helps protect the internet and embodies a spirit of volunteerism and community building. The 2018 award was presented during the M3AAWG 44th General Meeting that opened October 8 in Brooklyn, New York. Over 500 security experts, ISPs, researchers, public policy representatives and vendors are participating in the four-day meeting that features more than 50 cybersecurity and information sharing sessions. M3AAWG holds three meetings each year, including one in Europe, to develop best practices and other work that will protect online users. The next M3AAWG meeting will be February 18-21, 2019 in San Francisco. 

#  #  #

Media Contact: pr@m3aawg.org

M3AAWG Board of Directors and Sponsors: Adobe Systems Inc.; AT&T; Comcast; Endurance International Group; Facebook; Google, Inc.; LinkedIn; Mailchimp; Marketo, Inc.; Microsoft Corp.; Oath (Yahoo/AOL); Orange; Proofpoint; Rackspace; Return Path, Inc.; SendGrid, Inc.; Vade Secure; and VeriSign, Inc.

M3AAWG Full Members: 1&1 Internet SE; Agora, Inc.; Akamai Technologies; Campaign Monitor; Cisco Systems, Inc.; CloudFlare, Inc.; Cyren; dotmailer; eDataSource Inc; ExactTarget, Inc.; IBM; iContact; Internet Initiative Japan (IIJ); Liberty Global; Listrak; Litmus; McAfee; Mimecast; Oracle Marketing Cloud; OVH; PayPal; Spamhaus; SparkPost; Splio; Symantec; USAA; and Valimail.

A complete member list is available at /about/roster.

 

The History of Email with Dave Crocker, Part 2

 

https://thenetworkcollective.com/2018/06/hon-email-part-2/

In 1990, an unresolvable debate over how to expand email beyond ASCII text spawned two separate working groups and is a rare example of how staunchly competitive tech groups unintentionally ended up collaborating to create something important that went beyond the original objective. The result: multimedia email, according to M3AAWG Senior Technical Advisor Dave Crocker in part 2 of his Network Collective podcast on the history of email.