Tyler Moore: "An Empirical Analysis of Phishing Attack and Defense"


Wednesday, October 1, 2008, 12:00pm to 1:30pm


Maxwell Dworkin 119

CRCS Privacy and Security Lunch Seminar

Speaker: Tyler Moore

Title: An Empirical Analysis of Phishing Attack and Defense

Abstract: A key way in which banks mitigate the effects of phishing attacks is to remove the fraudulent websites and abusive domain names hosting them. We have gathered and analyzed empirical data on phishing website removal times and the number of visitors that the websites attract. We find that website removal is part of the answer to phishing, but it is not fast enough to completely mitigate the problem. Phishing-website lifetimes follow a long-tailed lognormal distribution — while many sites are removed quickly, others remain much longer. We have found evidence that one group responsible for half of all phishing, the rock-phish gang, cooperates by pooling hosting resources and by targeting many banks simultaneously. The gang’s architectural innovations have significantly extended their websites’ average lifetime. Using response data obtained from the servers hosting phishing websites, we also provide a ballpark estimate of the total losses due to phishing.

Phishing-website removal is often subcontracted to specialist companies. We analyze three months of ‘feeds’ of phishing website URLs from multiple sources, including two such companies. We demonstrate that in each case huge numbers of websites may be known to others, but the company with the take-down contract remains unaware, or learns of sites only belatedly. Upon calculating the resultant increase in lifetimes caused by the take-down company’s lack of action, the results categorically demonstrate that significant amounts of money are being put at risk by the failure to share proprietary feeds of URLs.

Bio: Moore’s research interests include the economics of information security, the study of electronic crime, and the development of policy for strengthening security. Moore completed his PhD in Computer Science at the University of Cambridge (UK), supervised by Ross Anderson. His PhD thesis investigated cooperative attack and defense in the design of decentralized wireless networks and through empirical analysis of phishing attacks on the Internet. Moore has co-authored a report for the European Union detailing policy recommendations for overcoming failures in the provision of information security. As an undergraduate, he studied at the University of Tulsa, identifying several vulnerabilities in the public telephone network’s underlying signaling protocols. Moore’s PhD studies were supported by a British Marshall Scholarship and US National Science Foundation Graduate Research Fellowship.