Full Disclosure: Re: phish war game

["lsi" <stuart () cyberdelix net>]

Hi all!

Greets from the deep dark recesses of the internet.  Now, back to 
this incredibly difficult and intractable problem of phishing.

X-Force have apparently put out some kind of press release announcing 
a large drop in phishing volumes.  http://www.independent.co.uk/life-
style/gadgets-and-tech/news/phishing-dries-up--are-scammers-changing-
their-game-1777899.html

If I may just repeat what I said a year ago...

> In reality, RED will terminate the game voluntarily when phish revenue per
> hour falls below revenues per hour available from other sources. 
Of course, I can't claim that wide-scale filtering, which is what I 
was advocating last year, did the trick, as there was none.  Instead, 
I'll claim that RED discovered for themselves that Average Revenue 
Per Mail was too low to be attractive, relative to other sources.

Continuing in this line of reasoning, what will happen next, is that 
RED will concentrate resources on more profitable revenue streams, 
and consequently, de-skill and de-tool on the less profitable streams 
such as phishing.  Later, if they try to go back to phishing, they 
will find they need new techniques and also, a new version of their 
generator software, neither of which will be easy to come by.

So I'm going to call it and say this ship is leaving, and it's not 
comin' back.  There was only ever going to be a small window of 
opportunity for RED to attack, before BLUE and GREEN wised up, and it 
seems that window is now closing.

Thank you for playing, insert 20p to continue.

Stu

On 5 Aug 2008 at 2:03, stuart () cyberdelix net wrote:

From:                   lsi <stuart () cyberdelix net>
To:                     full-disclosure () lists grok org uk
Subject:                phish war game
Send reply to:          stuart () cyberdelix net
Date sent:              Tue, 05 Aug 2008 02:03:18 +0100

> BLUE TEAM: anti-phishing blacklist
> RED TEAM: phish
> GREEN TEAM: end-users
>
> starting degree of obfuscation: 0% (none)
> starting number of blocked domains: 0
>
> ----------
>
> round 1:
>
> action: RED sends billions of phish
> consequence: 5% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the top 20 phished domains using the FROM field
> consequence: 80% of RED members are forced to make new sites and find 
> new victims
>
> current degree of obfuscation: 0%
> current number of blocked domains: 20
>
> round 2:
>
> action: RED obfuscates their FROM fields by 20% and resends billions 
> of phish
> consequence: 4% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM 
> field
> consequence: 80% of RED members are forced to make new sites and find 
> new victims
>
> current degree of obfuscation: 20%
> current number of blocked domains: 40
>
> round 3:
>
> action: RED obfuscates their FROM fields by 20% and resends billions 
> of phish
> consequence: 3% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM 
> field
> consequence: 80% of RED members are forced to make new sites and find 
> new victims
>
> current degree of obfuscation: 24%
> current number of blocked domains: 60
>
> round 4:
>
> action: RED obfuscates their FROM fields by 20% and resends billions 
> of phish
> consequence: 2% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM 
> field
> consequence: 80% of RED members are forced to make new sites and find 
> new victims
>
> current degree of obfuscation: 28.8%
> current number of blocked domains: 80
>
> round 5:
>
> action: RED obfuscates their FROM fields by 20% and resends billions 
> of phish
> consequence: 1% of GREEN members are suckered and lose some cash
>
> action: BLUE blocks the next top 20 phished domains using the FROM 
> field
> consequence: 80% of RED members are forced to make new sites and find 
> new victims
>
> current degree of obfuscation: 34.56%
> current number of blocked domains: 100
>
> round 6:
>
> action: RED obfuscates their FROM fields by 20% and resends billions 
> of phish
> consequence: 0% of GREEN members are suckered and lose some cash
>
> ----------
>
> GAME OVER: RED loses at round 6, as 0% of GREEN members are suckered, 
> due to over-obfuscation.
>
> final degree of obfuscation: 41.47%
> final number of blocked domains: 100
>
> ----------
>
> observations:
>
> 1. The model is over-simplified, in reality it's unlikely that BLUE 
> would consistently achieve 80%.  However in reality it's also 
> unlikely that RED would enjoy a linear relationship between 
> obfuscation and success, specifically, the more RED obfuscates the 
> less success it has.  Both teams might suffer diminishing returns 
> from their efforts. (for the purposes of the above model, these 
> effects have been allowed to cancel each other out)
>
> 2. The model has a constant 1% reduction in the victim rate, this is 
> debatable, however it will never go upwards, eg., there is nothing 
> RED can do to push that number back towards 100%.  Conversely, 
> everything BLUE does pushes that number towards 0%.  In addition, 
> other anti-phishing technologies will also be pushing the number 
> towards 0%.  GREEN itself might even push the number down.
>
> 3. The model does not allow RED to increase the number of phish they 
> send.  In reality, they way well do so.  However they will blocked 
> faster in this case, not only by BLUE but also by other technologies, 
> such as spam filters. (for the purposes of the above model, these 
> effects have been allowed to cancel each other out)
>
> 4. The model does not allow the game to be terminated voluntarily.  
> In reality, RED will terminate the game voluntarily when phish 
> revenue per hour falls below revenues per hour available from other 
> sources.  This will be some time before 0% of GREEN members are 
> suckered, perhaps as early as round 3.
>
> 5. The blacklist contains 100 items at the time RED loses.  It may 
> contain as little as 60 at the time RED terminates voluntarily.
>
> ----------
>
> links:
>
> (...)
> http://en.wikipedia.org/wiki/Business_War_Games
>
> (this is a sales brochure, however it describes a war game a bit 
> nicer than wiki, it's got diagrams, for a start)
> http://www.coleago.co.uk/uploads/Training/War%20Gaming.pdf
>
> (this isn't relevant to a war game, it might be something like what's 
> happening when the top 20 phished domains are used to select the 
> items to blacklist, OTOH, it might not, I don't know, I'm not a 
> statistician.  I'd love to know the name of the technique, I use 
> something similar to optimise my spam rules...)
> http://en.wikipedia.org/wiki/Monte_Carlo_method
>
> (this was mentioned in one of the papers I quoted previously)
> http://en.wikipedia.org/wiki/Pareto_principle


---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/