[ImprovedMove Co., Ltd.]
A new approach to preventing the recurrence of phishing domains: Introducing a “good squatting strategy (phishing takeover)”
*ImprovedMove Co., Ltd.*
Press release: September 6, 2024
Tokyo, September 6, 2024 –
On June 20, 2024, ImprovedMove Co., Ltd. (hereinafter referred to as the “Company”) proposed and implemented a new approach called the “Good Squatting Strategy (Phishing Takeover)”, aimed at preventing the recurrence of phishing. This initiative is intended to prevent phishers from reacquiring domains and to protect public safety.
*Background*
Our company handled a takedown case of a phishing site scam targeting a domestic financial institution with capital of several billion yen.
Even after the phishing site (www.gemini-a8.com), one of the main threats in that case, was taken down, there remained a possibility that phishers could acquire the domain again.
Even if a phishing site is taken down, many links to it remain in circulation, and if the phisher reacquires the domain and restarts the site, potential victims following those links may be defrauded again. There was a considerable amount of
*New approach*
To prevent this risk, we introduced and implemented the “good squatting strategy (phishing takeover)”: we take ownership of the phishing domain (www.gemini-a8.com) so that it cannot be re-acquired by phishers. To be precise, we acquired and secured the domain immediately after it was put up for sale on the market. This approach also contributes to preserving and providing evidence and to preventing new fraudulent operations.
*Why you need to acquire the phishing domain*
Millions of links, one destination: the phishing domain as a master key
Phishing links are typically numerous, sometimes in the tens of thousands or more. However, while the links are countless, they share one thing in common: the domain name they point to.[1]
In other words, the defining feature of a phishing link graph is that countless links ultimately point, in the direction of the edge arrows, to a single domain name (the phishing domain). The arrows point toward the domain because the aim is to funnel potential victims into the fraud. If we reverse the perspective, this becomes “whoever controls the phishing domain controls the entire link graph.” This is why acquiring the phishing domain lets you reverse the link graph: once the central node (the phishing domain) does something that contradicts the phisher’s intent to defraud, every arrow is effectively reversed and the entire link graph is recursively invalidated. In practice, that means posting a warning page and tracking visits.
[1] Even if a link goes through a redirect, there is only one final destination, so it can be counted as essentially the same destination. Even through multiple redirects, the destination still points to the phishing domain, so if each chain is viewed as a path, all of them can be counted as pointing to the same destination (path compression).
By acquiring a domain and hosting the warning page, we achieved the following objectives.
*Effect and purpose*
1. *Prevents reacquisition by phishing operators*: By owning the domain, we eliminate the risk of reacquisition.
2. *Disables the entire link graph*: The link graph constructed by phishers is disabled, preventing the damage from spreading.
3. *Real-time tracking*: Tracking on the warning page reveals the attacker’s network and enables further action.
4. *Alerts potential victims and encourages them to cut ties with the inducer*: Victims are warned through the warning page and prompted to sever ties with the phishers.
5. *Collects and stores information on phishing operators that access the site*: Information on phishing operators is collected through tracking and used for countermeasures.
6. *Preserves domain history and evidence*: The domain’s history is preserved and kept available as evidence to provide to law enforcement agencies.
7. *Ensures information can be provided to law enforcement agencies*: The collected data is kept in a state in which it can be provided to law enforcement agencies so that countermeasures can be taken jointly.
8. *Prevents new impersonation operations*: By acquiring the domain, phishing operators are prevented from conducting impersonation operations with it again.
*What is a link graph*
Link graphs as a source of economic value for phishers
The link graph is a collection of links to phishing sites and plays an important role in increasing the effectiveness of phishers’ attacks. One side (edge = link) can be thought of as one unit that generates profit (profit from one victim), and can be seen as the “main body” that creates a commercial area in the phishing business (phishing sites are nodes). The loss per unit of phishing fraud can range from tens of millions of yen to hundreds of millions of yen.
The phishing site (www.gemini-a8.com) has been reported to be involved in numerous SNS scams, investment scams, and virtual currency scams, and was directly involved in the phishing scam targeting our client, a financial institution with capital in the billions of yen (details are given in our case study).
It can be said that the link graph, rather than the phishing site (node), is the source of value for phishers.
*Taking advantage of the properties of the link graph (from takedown to takeover: “reversing” the risk by seizing the adversary’s infrastructure)*
After the takedown, the phishing domain is purchased, a warning page is posted, and tracking is performed there, which invalidates the existing links. By posting a warning page and “reversing” the meaning of each link, the entire link graph is invalidated. In other words, as a countermeasure after a takedown, you can acquire the phishing domain, post a warning page, and perform tracking: you take the infrastructure built by the phishing operator, “flip” the edge arrows, and use it as your own (takedown to takeover).
An easy-to-understand example of this attempt is as follows.
For example, suppose a scammer is using a fake company name to commit fraud in the city. We remove the sign the fraudster was using and legally purchase it so that fraud cannot be committed at the same location again. We then post a notice saying “A scam was being committed here” to alert passersby. Moreover, we wait at the location and watch for the impostor to return. Once the scammers return, we follow their movements and eventually locate their home base. In the meantime, we prepare to notify the police and catch the scammer red-handed. The police are waiting when the scammer arrives, and the base itself can no longer be used.
The correspondence is roughly as follows (a very rough analogy for clarity, not a complete mapping):
1. Takedown: removing the signboard.
2. Acquiring the domain: legally purchasing the signboard.
3. Posting the warning page: displaying the notice to passersby.
4. Tracking: waiting, monitoring, and tailing.
5. Evidence preservation: collaboration with law enforcement agencies.
6. Link graph: the home base.
By purchasing the phishing domain, posting a warning page, and tracking it, it is possible to “reverse” and take control of the entire link graph (the base) that the phishing operator built by posting fraudulent links. In other words, the takeover and color reversal of the central node (the phishing domain) propagates recursively (BFS/DFS) and reverses the color of the entire graph from bad to good, much like a color flip in Othello. It is truly a takeover arising from a takedown: phishers are cornered by the very link graph they created.
It is worth noting that link invalidation occurs “spontaneously” because of the presence of the warning page: the entire link graph collapses without any further intervention. This is a necessary consequence of the node’s meaning being “reversed.” The collapse of the link graph proceeds like a kind of BFS or DFS.
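The link-graph argument above, and the footnote’s point about redirect chains collapsing to a single destination, can be made concrete with a small model. The following is an added example written for this page, not code from ImprovedMove: it builds a constructed link graph in which lure links reach a terminal domain through zero or more redirect hops, compresses every chain to its terminal domain (footnote [1]), and then runs a breadth-first search over the reversed edges from the domain the defender now controls to list every link that has been “flipped” from lure to warning. The link names and intermediate hosts are invented; only the terminal domain name is taken from the release.

```python
"""Toy model of a phishing link graph and its recursive invalidation.

Added example for this press release, not ImprovedMove's own code. The
graph data below is constructed for illustration only.
"""
from collections import defaultdict, deque

# Constructed sample graph. Each key is a link (a lure post, a shortener
# hop, a tracking redirect) and its value is where it forwards a visitor.
# A value that never appears as a key is a terminal domain.
CONSTRUCTED_EDGES = {
    "sns-post-1": "short.example/a1",
    "sns-post-2": "short.example/a1",
    "short.example/a1": "www.gemini-a8.com",
    "dm-link-3": "redir.example/r",
    "redir.example/r": "short.example/b2",
    "short.example/b2": "www.gemini-a8.com",
    "ad-banner-4": "www.gemini-a8.com",
    "forum-post-5": "other-scam.example",   # a different campaign
    "loop-a": "loop-b",                      # redirect loop, to show the guard
    "loop-b": "loop-a",
}


def resolve(link, edges, max_hops=10):
    """Follow redirects from `link` to its terminal domain (path compression).

    Returns None if the chain loops or exceeds `max_hops`, so a malformed
    chain cannot hang the analysis.
    """
    seen = set()
    node = link
    while node in edges:
        if node in seen or len(seen) >= max_hops:
            return None
        seen.add(node)
        node = edges[node]
    return node


def compressed_graph(edges):
    """Map each terminal domain to the set of links (and hops) ending there."""
    by_terminal = defaultdict(set)
    for link in edges:
        terminal = resolve(link, edges)
        if terminal is not None:
            by_terminal[terminal].add(link)
    return dict(by_terminal)


def invalidated_links(edges, controlled_domain):
    """BFS over reversed edges from the domain the defender now controls.

    Every link whose path ends at that domain is flipped: a visitor following
    it now lands on the warning page instead of the lure, so the flip
    propagates outward through every redirect hop to every original post.
    """
    reverse = defaultdict(set)
    for src, dst in edges.items():
        reverse[dst].add(src)
    flipped = set()
    queue = deque([controlled_domain])
    while queue:
        node = queue.popleft()
        for src in reverse[node]:
            if src not in flipped:
                flipped.add(src)
                queue.append(src)
    return flipped


if __name__ == "__main__":
    graph = compressed_graph(CONSTRUCTED_EDGES)
    for terminal, links in sorted(graph.items()):
        print(f"{terminal}: {len(links)} links resolve here")
    flipped = invalidated_links(CONSTRUCTED_EDGES, "www.gemini-a8.com")
    print("neutralized by controlling www.gemini-a8.com:", sorted(flipped))
```

Running the block shows seven of the ten entries resolving to www.gemini-a8.com and exactly those seven being flipped by the BFS, while the link belonging to a different campaign and the looping pair are untouched. That matches the text’s claim: the number of lures does not matter, because control of the one terminal node reaches all of them through the edges the phisher built.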
*Possible objections*
Since good squatting can collapse an entire link graph, one possible objection is: “If phishers shift to a style of fraud that shortens the cycle between acquiring and relinquishing a domain, wouldn’t they be able to adapt?” This can be answered as follows.
The length of the cycle and the size of the link graph (the number of links) are proportional, because building links takes time and money; a shorter cycle therefore means a smaller link graph. A smaller link graph in turn reduces the impact and the economic return. Phishing operators are thus forced into a trade-off: to be more effective they need a larger graph, but then the damage inflicted by good squatting also grows; to avoid that they must shrink the graph and shorten the cycle, but then the economic return falls. Either way they must restructure their approach, and the countermeasure remains effective.
In other words, whereas reacquisition previously made monetization possible even after a takedown, the opportunity for monetization is now limited to the window from domain acquisition to abandonment (takedown). The economic return shrinks because the available window shrinks.
*Conclusion*
Effective June 20, 2024, ImprovedMove Co., Ltd. acquired and became the owner of the phishing domain (www.gemini-a8.com). As mentioned above, the purpose of this is to prevent the spread of fraud using the domain and to nullify the phishing infrastructure (link graph) behind it.
Our efforts are legally and ethically sound and play an important role in preventing phishing from happening again. We will continue to do our best to protect the safety of society.
*Disclaimer*
Our company acquired the phishing domain (www.gemini-a8.com) on June 20, 2024, and had no involvement with this domain prior to that date. We ask for your understanding on this point.
As for the legitimacy of the purchase process, the domain was acquired through the normal purchase process at a legitimate domain vendor after it was put up for sale on the market, so compliance is satisfied in this respect as well.
*Contact information*
Our contact page
Please select “Inquiry subject: Press release/media publication inquiry” and contact us.