Last month, e-mail users across the United States started receiving messages, ostensibly from Netflix, claiming the company was having trouble with their billing information and urging customers to click on a link to repair it. The message, it turned out, was actually a lure for a phishing campaign — that is, an effort to fool e-mail users into giving away usernames, passwords, and financial information. In a matter of weeks, the US Federal Trade Commission was advising consumers to dismiss the emails without response and forward copies to a funny-sounding address: “firstname.lastname@example.org.”
What, exactly, is APWG?
Standing guard against a vast ecosystem of online scammers, the Anti-Phishing Working Group is the world’s most important independent coalition combating Internet crime. Collecting vast stores of information on attacks and sharing the data among members that include Microsoft, Facebook, and a host of Internet service providers and government agencies, the organization aims to stamp out swindles before they really take off.
What’s striking about this 15-year-old nonprofit is just how small it is. Even as trillions of dollars have been invested in Internet companies that have become central to our economy and our lives, responsibility for pushing back on one of the primary threats to the Web has fallen, in no small part, to an organization with just five full-time employees.
“Dave (Jevans) is in Menlo Park, me in Cambridge,” says Peter Cassidy, the co-founder of the organization, describing the small group at its core. “Mike (D’Ambrogia) the programmer in Sonora, Foy (Shiver) running conference and membership administration in Atlanta and Guhan (Iyer) running network engineering remotely from Alameda.”
No one appointed these guardians of our central nervous system. Two of them, Cassidy and Jevans, hatched the idea with other participants in a cybersecurity conference over dinner at a Vietnamese restaurant on Fisherman’s Wharf in San Francisco.
There are limits to the APWG’s reach. The group, after all, is only as good as the records the members provide, report, and share. And some large Internet companies choose not to be members, concerned about the bad publicity that can come with reporting a breach, or reluctant to share data with competitors. Indeed, Cassidy describes his work as that of a cyber diplomat trying to get governments, law enforcement agencies, and companies to agree on a new set of standards and work beyond borders.
The group has had some success in shutting down operations by providing information to authorities. But since there are no international procedures to work across jurisdictions, it can be hard to nail the bad guys.
Whatever its limitations, though, the working group has put together an impressive track record. Take that Netflix attack from last month. The group began receiving reports on the campaign almost as soon as it started. And the data it produced on the attack were among 532,765,897 million fields of data it provided last month alone — allowing Internet service providers and other members to crack down on live phishing web sites and block users from accessing them.
Phishing attacks are still one of the most common computer threats, and they’re becoming more sophisticated than ever. The reason is simple: phishing remains extremely profitable. According to a Verizon report from last year, 92 per cent of malware is still delivered by email. On average, a regular user receives 16 malicious emails per month, according to Symantec’s 2018 Internet Security Threat Report, meaning that users need to avoid opening the wrong attachment or clicking on a bad link roughly 200 times a year.
It’s a vast problem. How, exactly, does a small group like the APWG handle it? In part, by pulling in a big group of partners: The organization is a clearinghouse for more than 200 million records per month provided by the more than 2200 participating companies, international nonprofits, universities, government agencies, and treaty organizations. Cassidy says the diversity of participating organizations allows the consortium to identify the multiple strategies used by malware inventors and develop the best responses.
Often, he says, the data is used “to inform a registrar or an ISP that their infrastructure is being set up to launch a phishing attack.” Having collected so much data over the years, he says, the working group can often anticipate what’s coming.
The APWG, for its part, is constantly working to analyze reports of phishing attacks more efficiently and more precisely, so that it can respond faster and prevent more incidents.
“We’re realizing now that the Internet itself is under such constant attack,” Cassidy says. “It doesn’t look like robbery anymore. It looks like a plague. Everybody who has an Internet-connected device is attacked all the time, all day.”
It’s a daunting task. But the working group’s approach, fighting the plague across silos and across borders as best it can, is one-of-a-kind. “It really is a 24/7 engineering operation like none other right now in the nonprofit realm,” Cassidy says. “And it is designed to be sort of a public benefit.”
As an end user you normally won’t have any interaction with the APWG. The reports are only shared with institutional members and never become public. But you might get an inkling of what’s going on when you click on a malicious link and get a pop-up message that tells you not to proceed. Then, you can be reminded of that little band of Internet warriors working to keep you safe.
Stefanie Dreyer is currently a global journalism fellow at the Munk School of Global Affairs & Public Policy in Toronto. Follow her on Twitter @TheStefDreyer.