Speaking at the OCTOPUS Cooperation Against Cybercrime conference in Brussels last week, the non-profit group's secretary general Peter Cassidy described an XML format that will standardise cyber-crime reporting. The format is a set of extensions to an existing specification - the Incident Object Data Exchange Format created by the IETF - which was designed to let computer security incident response teams (CSIRTS) exchange information on security incidents.
A white paper describing the Extension to IODEF-Document Class for Reporting Phishing, Fraud, and Other Non-Network Layer Reports says that the format could be used in a variety of use cases, including collaboration between between private sector customers and their business partners in preparing reports for law enforcement. It can also help companies to share data for trend tracking purposes, added David Jevans, chair of the APWG.
"You might not notice something if you're just one bank, but if ten banks share this information then you will start to see these patterns," he said.
The reporting format will form the basis for the expanded APWG online reporting system, which Jevans says has been four years in the making, and which will be unveiled at the third Counter eCrimes Operation Summit (CeCOS) in Barcelona in May.
The APWG already operates a phishing URL repository that enables partners to share information at a single point. The expanded system will harbor information such as source IP addresses for malicious attacks, sites that are recruiting money mules, and domains that are being registered for malicious purposes.
"We're also using it to accelerate the work [PPT presentation] that we've been doing with ICAAN around domain name registrar accelerated take-down," he said. "You need to be able to start communicating with domain registrars, and getting them to de-register a domain name ASAP."
Investigators have complained in the past that sites used for cyber crimes like phishing and escrow fraud have not been taken down in time by ISPs. By the time a court order is obtained, a month could have passed, and the financial damage to victims has already been done.
"We co-locate it. The APWG runs the gear, and some of them donate gear to us," Jevans said, adding that it was necessary for a non-profit group to host the system. "You can't find people willing to build this kind of thing, because it's an investment of time and effort. But if a non-profit works will all the different industry guys, it's proven to work in the past for us."
The APWG is also working on a cyber crime reporting tool that will enable companies to convert proprietary cyber crime incident information into its new format. The pre-alpha version of the e-Crime Reporting and Incident Sharing Project (e-Crisp X) is available here.