G20 Foundation Publications China 2016 | Page 110

FIGHTING CORRUPTION
Figure 2. Representative Timeline for a Botnet-Enabled Criminal Attack
registration without a court order. These recourses are effective with operators who are vigilant about criminal activity or believe that managing abuse is a service differentiator. Some operators and private investigators facilitate such interventions through voluntary collaboration in ad hoc trust relationships at business or even individual levels. By contrast, some operators insist strictly on a court order. Yet other operators adopt business models that facilitate criminal hosting, and thus have no incentive to volunteer.
Role of Trusted Intervener Frameworks

The Anti-Phishing Working Group (APWG) has developed a service that attempts to formalize voluntary intervention. APWG's Accelerated Malicious Domain Suspension process (AMDoS) was launched in 2012 with 12 top-level domains. Through attestations, AMDoS 2.0 can direct requests for domain suspensions to registrars of record. AMDoS employs a trusted introducer model whereby accredited interveners submit suspected malicious domain names for investigation and suspension by sponsoring registrars. The process is characterized in the following scenario.
An authority has processed the registration for exxxample.com. The authority has voluntarily enrolled in the AMDoS program and agrees to review attestations from trusted interveners in an accelerated manner. Through their participation, authorities agree to trust the program, and hence have confidence in the reporting parties. An accredited intervener submits a phishing abuse complaint through a web submission form. This is a formal attestation that an Internet domain name is associated with a criminal activity; specifically, the attestation would provide evidence that criminal actors have used an Internet domain name to steal identities and commit fraud. For example, an investigator might provide evidence demonstrating that victims have clicked on a hyperlink in an email, http://www.exxxample.com/login.html, believing that they are visiting http://www.example.com/login.html. This malicious hyperlink takes them to a fake login page run by the criminals. On this site, the victim unwittingly discloses account credentials to the criminal actors. Attestations, designed by subject matter experts and authority representatives, are the means to share sufficient evidence for a domain registry operator or registrar to make a decision to suspend the domain to prevent further harm. This shutdown occurs within hours (eventually, perhaps faster) of the time an intervener discovers a phishing email that is abusing the Internet domain name.

The AMDoS process improves on the collaboration between investigators and registry or registrar operators in several ways.
• The formal vetting process provides a level playing field for interveners. APWG governs the accreditation process for interveners. Candidate interveners must work for an enterprise relevant to the management and investigation of cybercrime. An expert committee prescreens each candidate's technical qualifications, relevant intervener history and reputation to establish eligibility for enrollment.
• Attestations and responses by authorities are auditable, providing the accountability and review necessary to build confidence in the system.
• The AMDoS can be used only for cases involving financial fraud and where there is no dispute over the legitimacy of content.