SIDN Labs has teamed up with Fraudehelpdesk to run an innovative pilot scheme. From 1 November, the two organisations will be sharing information about domain names suspected of being used for phishing. The aim is to explore the potential that threat intelligence sharing has for speeding up the process of identifying sources of phishing mail and taking infected .nl websites off line.
At the heart of the pilot is a technical interface between two big data systems: SIDN Labs' ENTRADA and Fraudehelpdesk's APATE. When Fraudehelpdesk receives a new report of abuse (step 1 in the diagram below), they will let us know about any .nl domain name involved (step 2). Our system will respond automatically by sending back the following information about the domain name's query history and registrant (step 3):
The number of DNS queries received for the domain name in the last seven days
The registration date of the domain name
Whether the registrant is based outside the Netherlands (yes/no)
The registrar's pseudonym
Step 3 is covered by a privacy policy in line with our ENTRADA privacy framework.
Project workflow:
1. User reports suspicious e-mail
2. FHD passes on .nl domain name
3. Additional info about suspect domain name
4. Classification and prioritisation of e-mail
5. Phishing!
We believe that the link-up with ENTRADA will help Fraudehelpdesk to establish more quickly whether a domain name is being used for phishing. That in turn will improve the process of prioritising reports (step 4). Wherever phishing is confirmed, Fraudehelpdesk will publish details on their website and in their social media feeds (step 5). Here at SIDN Labs, we'll receive feedback from Fraudehelpdesk about the number of reports and their APATE classification. That information should enable us to improve our own phishing detection mechanisms, such as NDEWS.
Fraudehelpdesk and SIDN Labs are making a joint presentation about the project at the ECP Annual Congress on Thursday 17 November. The slides will be published on SIDN Labs - publication.