NCFS 16-17 November 2006
PhishScope: Tracking Phish Server Clusters

John S. Quarterman, InternetPerils, Inc.

Anti-Phishing Working Group (APWG) 2006 eCrime Researchers Summit
National Center for Forensic Science (NCFS)
Orlando, FL, Orlando University Hotel, 16-17 November 2006

Abstract

Phishing often seems an intractable problem, because phishers go to such lengths to hide their tracks by staging their attacks through multiple countries and legal regimes. Targets of phishing and law enforcement thus have few levers to use with phishing.

This paper demonstrates such a lever: a method (PhishScope) of identification of current clusters of active phishing servers that are all connected to the same part of the same ISP, and thus are in the same legal regime. Targets of phishing can use information about such phishing server clusters to urge ISPs to do something about them. An ISP infested by a phishing cluster may not know that, so such information may be all it takes to persuade an ISP to do something. Law enforcement agencies (LEAs) may not want to expend effort on a single phishing report, but a cluster of phishing servers, especially one that involves multiple targets of phishing, is worth expenditure of resources. Information about such phishing clusters is thus leverageable for proactive intervention by targets of phishing, by ISPs infested by phishing servers, and by LEAs.
Last changed: $Date: 2006/10/11 19:17:06 $