Castlecops, a volunteer-run organization that has made tremendous waves in fighting phishing, announced a sweepstakes to celebrate their five-year anniversary. A number of security vendors, including Symantec, have contributed prizes to the contest. In addition, Castlecops receives a list of verified phishing sites from Symantec through the Phish Report Network.
For those who don’t know, Castlecops runs the Phish Incident Reporting and Termination (PIRT) task force. If you find a legitimate phishing site and report it to them, Castlecops does the leg work to help take the site down before it does additional damage. In addition, they collect information to work with law enforcement. If the phisher has stored stolen credentials (e.g., passwords, credit card numbers, bank account numbers, social security numbers, etc.) directly on the Web server that he or she compromised, then there is a chance that a swift takedown can keep those credentials from causing the victim financial harm.
Site takedown can be a fairly elaborate process. First, you may be dealing with sites that are hosted in different parts of the world, so you have to overcome language and communication issues. Second, in order to talk to the right people, you have to have good relationships with Internet service providers and Web hosting companies. Third, it’s important to keep in mind that phish sites sometimes host malicious software, so you have to be careful that the machine you are using also does not get infected with a virus. If it does get infected, you should have an environment that can contain the damage.
Also, in conjunction with a single site take down, it’s important to look through the directories to see if multiple phishing sites are hosted on the same server. This situation happens surprisingly often. Sometimes, you can find the actual phishing kit used in the attack, and this information can prove valuable in preventing phishers from retrieving the information they have stolen. (For example, some phishers use an email address as a “drop” where stolen credentials are sent – if the email is from a free provider, that provider can potentially be contacted.) On top of that, one has to keep track of any information that might be helpful to law enforcement.
As you can see, doing takedowns can be hard work, and there are a number of subtleties. It’s very laudable that Castlecops has sustained its ability to provide volunteer services. They have probably saved individual victims (and potential victims) literally millions of dollars. Their acts shift the economic balance of phishing attacks – if we can shift the balance even more and make it unprofitable for phishers to carry out their actions, then we’ll help eliminate the phishing problem. Please join me in congratulating Castlecops on their five-year anniversary and in wishing them good luck in the future! If you'd like more information, please visit the Castlecops Web site.