When asked whether laws would be helpful in preventing ISPs and domain name registrars from enabling criminal activity, Jevans answers, “There are laws now, but the issue isn’t really the law, it’s the process of those laws. A website that uses all of your graphics and identity is in violation of the Millennium Copyright Act. Even before a criminal has launched a phishing attack they are in violation of the law. A company can file a lawsuit to have that site taken down, or they can file a complaint. However, that’s a 90 day process and that doesn’t really help you. That’s when you have to start working the domain name registrar who may or may not comply. A lot of times, a registrar will want you to provide a court order before they’ll take the site down. So the law is there but it’s the process of enforcement that is at issue.”

“The APWG is working on technical standards for reporting suspicious sites and doing a take-down on them, but that’s going to be while in coming to fruition. It’s not just coming up with a standard of how to report these things. It’s also going to involve who can report what and how can we verify the information, and how can we prevent a malicious take-down of valid sites. Frankly, developing standards is going to take years,” notes Jevans.

It’s a wild-west email world at the moment. It’s spammers and spoofers, phishermen and organized crime against the brave, good citizens. Rogue ISP’s operating in far-flung corners of the earth are offering ‘bullet-proof sites’ that will remain online, “no matter what”. With a lack of cooperation from the worst offender nations, it’s a lawless frontier requiring the vigilante justice of town folk with pitchforks.

Jevans characterizes vulnerable companies as financial institutions and ISPs, eCommerce companies, and anyone doing business on the Internet. He recommends putting together a call list of organizations that need to be contacted when a phishing attack occurs. The list should contain contacts at the ECTF, FBI, and for financial institutions, it should also contain the Secret Service. It is recommended that companies make contact with these agencies as soon as possible to develop relationships so that when something occurs, they’ll know who you are and how to immediately address the issue.


It is also recommended that companies take a good look at their email infrastructure. Is it reliable? Does it have filtering capabilities? The APWG is seeing companies get overwhelmed with sudden bounced messages when a phishing attack occurs. It’s similar to an email denial of service attack. If a phisher launches an attack on millions of users and over one million of those addresses bounce back as invalid, overwhelming mail servers and taking them out of service, a company needs to enact filters to keep the attack from taking the server off line.

A sudden influx of bounced messages that a company did not initiate should indicate that a phishing attack is taking place somewhere in their name.

“A company needs to be able to monitor email bounce-backs. This is where a company can practice vigilance. You need to have a response plan and know what to do when this occurs. If you’re an online bank, are you going to turn off online banking for a couple of hours? Are you going to look in your web logs and track account access? Will you notice that suddenly all of your customers seem to have moved to Russia?” Asks Jevans.