New Industry Helping Banks Fight Back

[R.A. Hettinga]

<http://www.washingtonpost.com/ac2/wp-dyn/A6367-2005Mar4?language=printer>

The Washington Post

washingtonpost.com
New Industry Helping Banks Fight Back
Sleuths Hit Online Identity Thieves With 'Takedowns,' 'Poisoning'

 By Brian Krebs
 washingtonpost.com Staff Writer
 Friday, March 4, 2005; 6:34 AM

 A bustling new sector of the technology industry is helping companies cope
with a surge in online financial fraud known as "phishing," which uses
e-mail to lure people into giving up their financial data at counterfeit
bank and e-commerce Web sites.

 But the fledgling industry as a whole has adopted divergent approaches to
combating the problem, and there are signs that federal regulators could
soon step in and mandate specific technologies. As a result, many banks
have put off adopting the new services until the market matures. In the
meantime, some security experts say, a few banks are resorting to
hacker-like tactics in their own defense.

 Only a fraction of the roughly 9,000 financial institutions nationwide
have been targeted by phishers, but that ratio is changing for the worse
each day. To date, online con artists have impersonated more than 150
banks, yet only about a third of those targets have deployed commercial
protective technologies, said David Jevans, chair of the Anti-Phishing
Working Group, a coalition of banks and technology companies.

 The anti-phishing market is so young that there is little public analyst
information about how much banks are spending on the new technologies. The
annual sales for each of the companies contacted for this story varied
widely, ranging from less than $1 million to $20 million. But several
companies only began selling their services in mid-2004, and nearly all
said they expected business to double in 2005 as attackers begin targeting
other industries.

 Jim Maloney, chief security officer for Portland, Ore.-based Corillian,
said the company provides anti-phishing services to roughly 20 banks, with
nearly as many currently evaluating its products. Maloney declined to name
the company's clients, but said the banking sites it manages in-house range
from credit unions to several of the top 30 biggest financial institutions.
 Getting Ahead of the Phishers



Most anti-phishing companies offer a mix of products, such as domain-name
monitoring -- checking to see if potentially deceptive Internet addresses
have been registered -- and a "takedown" service that involves contacting
the Internet service provider (ISP) responsible and persuading them to shut
down the offending site.

 But phish busting is a complex endeavor that involves combating online
criminal activity on a multitude of fronts, and most companies admittedly
excel at just one or two of those areas. Some companies sift junk e-mail;
others scour the Web for fraud sites. Some rely on close relationships with
domain registrars and ISPs to gain intelligence on current or future
attacks. Still others monitor online banking sites for signs that the sites
are being cased as possible targets.

 In acknowledgement of the fragmented market for the technologies they
offer, several leading anti-phishing companies recently formed the
"Anti-Fraud Alliance" to appeal to companies looking for a more
comprehensive strategy. The group's members have agreed to promote and
re-sell each others' products.

Perhaps the most recognizable name in the alliance is Cupertino,
Calif.-based Internet security firm Symantec Corp., makers of Norton
antivirus software. Symantec provides customers with information about the
latest e-mail scams. Last May, at the height of 2004's phishing epidemic,
Symantec acquired anti-spam company Brightmail and now sells access to its
spam caches to give clients early warning of scam e-mails.

 One of the more unique approaches comes from Corillian, another member of
the alliance. The company got its start in 1997 developing online banking
sites for financial institutions and has built more than 60 such sites so
far, a dozen of which are controlled directly from its headquarters.
Because of this background, Corillian is adept at spotting the telltale
signs of an impending phishing attack.

Phishers casing a bank often spend unusual amounts of time on a site they
wish to target, or use automated tools to quickly download a copy of every
page on the site. Corillian also pays special attention to suspicious bank
Web site traffic on weekends, when most phishers conduct their
reconnaissance, Maloney said.

 To look more authentic, many fraudulent Web sites also link directly to
high-quality images on the targeted bank's real site. By scouring the
bank's Internet logs for "hits" from unauthorized sites using their
customers' images, the company often can locate a fraud site while it is
still being built.

Phishers nearly always verify stolen information before selling it on the
black market, so when Corillian spots someone accessing numerous online
bank accounts from the same Internet address, the company notifies the bank
that those accounts have likely been compromised.

 Alliance partner NameProtect, also based in Portland, watches for signs
that phishers are incorporating its clients' trademarks by monitoring spam
and domain-name registrations and by trawling the Internet for counterfeit
bank sites that are still in production.

 In mid-2004, NameProtect inked a deal with MasterCard International to
track the underground market for credit card information. Since then, the
company has helped MasterCard find tens of thousands of stolen account
numbers, said Sergio Pinon, MasterCard's senior vice president of global
security.

 NameProtect also shares most of its intelligence with the U.S. Secret
Service and the FBI. Last year, the company helped authorities track down
and shutter dozens of fraud-enabling Web sites that trafficked in more than
1.4 million stolen credit card numbers.

 One of NameProtect's closest competitors, Boise, Idaho-based MarkMonitor,
last July launched a new service to help customers keep their brand names
out of phishers' hands by monitoring online chat rooms and Internet-address
registries to spot potential scam Web sites. MarkMonitor uses this data as
evidence to convince registrars to transfer ownership of the domains to the
companies that own the trademarks.

 MarkMonitor, which is not part of the Anti-Fraud Alliance, also is rolling
out another service called "identity tracker," which can search the
company's millions of Internet address records to connect a fraudulent or
infringing site with the site's creator or owner.

 Phishers who register domain names that contain trademarked words usually
purchase the sites under false identities -- often using the credit data
and identities of previous fraud victims. But Mark Shull, MarkMonitor's
president and chief executive officer, said that in many cases scam artists
reuse at least one piece of information with each registration, usually an
e-mail address. By correlating registration data for a known fraud site
against millions of other records, the company often finds that the same
individual has registered dozens or even hundreds of addresses that could
be used in future attacks.

 "In many cases there are sites out there that give you the true identity
or at least some piece of real information about whoever is behind it,"
Shull said.
 Poisoned Phish



Few banks are eager to discuss publicly the steps they are taking to keep
out hackers and identity thieves, in part because the scammers can use the
information to make future attacks more successful. But some experts say a
number of banks have taken a page from the attackers' playbook by using
legally questionable techniques to disable public access to fraudulent
sites.

 Shutting down a phishing Web site can be a time-consuming and expensive
task, particularly if the site is based in a foreign country that either
lacks anti-hacking laws or stringent enforcement of such laws. The typical
fake site stays online for six days before being shut down; in the meantime
the company targeted by the scam must battle a public perception that it is
powerless to prevent customers from being robbed.

 Faced with such uncertainty, experts say some banks will quietly overwhelm
the fraud sites with so much data that they can no longer accept
information from would-be victims. These banks submit massive amounts of
phony personal and financial information to a fraud site to dilute the
phisher's database, a technique known as "stuffing" or poisoning."

 But Tom Liston, president and founder of Ingleside, Ill.-based LaBrea
Technologies and a volunteer at the SANS Internet Storm Center in Bethesda,
Md., said poisoning can result in a de facto "denial-of-service" attack.
When launched with the intent to disable a legitimate Web site, such an
attack is a federal crime that can carry a penalty of up to 10 years in
prison.

 "What you find is that these phishing sites are mostly run off of Web
servers that have been installed on hijacked home computers, so they can't
really take a whole lot of submissions all at once," said Liston, who said
he has written and tested his own stuffing program against several fraud
sites. "I've seen plenty of evidence that indicates that the banks have
taken down sites this way, but most will never admit it or if they do
they'll say it was done inadvertently as a result of poisoning."

 A number of anti-phishing companies offer the retaliatory service, but few
advertise them. One exception is New York City-based Cyota, which
specializes in convincing ISPs to quickly disable phishing sites. The
average fraud site stays active for roughly six days, but the company
claims that most fraud sites targeting its customers last fewer than 5
hours.

 Amir Orad, Cyota's vice president of marketing, said his company offers a
poisoning service but that it does not condone denial-of-service attacks.
Orad said the service is designed to help banks plant dummy account
information at phishing sites, which the banks can then use as breadcrumbs
leading them back to the people behind the attacks.

Submitting too much fake data at once would only alert the phishers that
the bogus information is being offered as a trap, Orad said. He added that
Cyota has applied for several patents on its poisoning technology, which
ensures that several minutes pass between submissions of dummy account data.

 Dan Larkin, unit chief of the FBI's Internet Fraud Compliant Center in
Morgantown, W.Va., said he has heard reports of banks disabling sites by
knocking them offline, but added that the FBI has no evidence that any such
incidents ever occurred.

 Liston said he's not surprised. "Who exactly are the phishers going to
complain to?"
 Phish: An Endangered Species?



All of the anti-phishing companies can point to graphs or statistics on how
rapidly their technologies can detect and disable scams, but few boast that
they have devised a solution to prevent scams from being launched in the
first place.

 Yet security experts say banks can blunt attacks by requiring their online
customers to use so-called "two-factor authentication": something they know
- their username and password - plus something they have, such as a tiny,
unique photograph or file that resides on their own computers.

 Anti-Fraud Alliance member Passmark Security of Redwood City, Calif.,
offers such a service, and last month the company announced that a federal
credit union has opted to require all of its customers to use Passmark's
technology for online banking.

 Few banks require such measures, in large part because of worries that
they could drive customers away from Internet banking, which has helped
banks to dramatically reduce customer service costs, said Ed Skoudis,
founder of Intelguardians, a Washington-based information security
consulting firm that frequently works with banks.

 However, financial institutions may be starting to change this view,
perhaps because of federal pressure. In December, the Federal Deposit
Insurance Corp, which investigates financial institutions for compliance
with banking regulations, issued recommendations urging banks to adopt
two-factor authentication technologies as a way to stave off what it called
a wave of "bank account hijacking."

 "If the FDIC writes it, the [Office of the Comptroller of the Currency]
and other regulators are almost certainly going to consider whether there
should be hard and fast rules," said Jevans of the Anti-Phishing Working
Group.

 Officials from the OCC declined to comment for this story. But many in the
financial services industry say there is little evidence that consumers are
suffering large losses from the attacks, and that in most cases the credit
card company or bank will absorb the costs of fraud.

 Despite an eighty-fold increase in phishing attacks over the past year,
banks haven't suffered corresponding losses because they have improved
their methods for detecting fraudulent transactions before they are fully
processed, said Chuck Wade, project leader for the Financial Services
Technology Consortium, a group of banks, financial services firms,
universities and government agencies.

 Still, Wade said, such precautions are largely hidden from consumers,
while the high visibility of relentless attacks threatens to undermine
consumer confidence in online banking. And that visibility is becoming
increasingly difficult for regulators and lawmakers to ignore.

 "Pretty much everyone in the [banking] industry agrees that better
authentication is important and needed," Wade said. "But we have to
recognize that it has to be done with a long-term view in mind and in a
cooperative fashion across multiple industries."

 There are indications that preventive technologies are helping to deflect
attacks, if only toward banks that may not be as experienced in fighting
online fraud. In recent months, phishers have begun targeting dozens of
smaller, regional financial institutions, many of which have operations in
just a handful of states.

 Kevin Omiliak, vice president of marketing for NameProtect, said online
criminals will continue widening their target lists unless more financial
institutions embrace anti-phishing technologies.

 "If only the top two dozen banks deploy a solution ... then this will
remain a Whac-a-Mole problem for some time," Omiliak said.

 The FBI's Larkin said the anti-phishing industry continues to provide
invaluable intelligence on the networks of online criminals behind these
scams, data that is aiding numerous investigations.

 "As we develop a better approach to the problem in terms of investigating
and prosecuting these types of crimes ... a deterrent effect should
follow," Larkin said. "We're doing some very good things with
investigations that have led to search and seizures that you're not
necessarily going to see the results of for a while. For now, we're simply
making our way up the fraud food chain."


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com