
Helping Banks Fight Phishing and Account Fraud, Whether They Like It or Not

John Levine

On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past.

The goal of this suit is to identify the criminals behind a vast amount of theft through the ACH, the Automated Clearing House that handles direct deposits and electronic payments in the US. The pattern is that the bad guys install malware on the PC of company financial officers, and use it to make ACH transfers to money mules who then wire it out of the country.

Although the primary target of this suit is the crooks, an equally important subsidiary target is the banks, who have consistently stonewalled attempts to learn the extent of the losses, the details of the scam, and what the banks are doing to deter it.

Bank stonewalling is not a new problem. Adam Brower wrote about his experience with one of them:

I can supply some perspective from my own experience. I noticed the article today, too, and spent some time nodding my head and clucking over my morning coffee.

For nearly a year, two years ago, I made it my personal mission to convince just one bank to aggressively pursue just one phisher. I did this, by the way, not as a representative of any anti-spam project, but as a citizen. I encountered the expected silence from a majority of the executives with whom I attempted to establish contact. From a very few others, I received polite thanks for my interest, advice to contact LEO, and from two of them, invitations to open accounts!

After months of such wheel-spinning, a door seemed to open. I received a thoughtful reply from a mid-level executive at a major New York-based bank. We exchanged emails for three weeks. After he accepted my very weak bona fides (I am, after all, far from expert in these matters, my sole strengths being doggedness and an occasional way with language) I sent him links to the wealth of investigative data available on the web, samples of phishing spam targeting his institution, background info on the rockphish phishing package et al., and he lapped it up. I was astounded that so much of this was apparently news to a man in his position. We spoke on the phone three times, each time ending with agreement that the bank's enormous resources could and should be brought to bear against the crooks who were victimizing its customers and costing it unreported millions in losses each year. During the last call, he informed me that he intended to whiteboard, at a coming meeting, the entire body of stuff I had sent him, and to propose forming an internal task force to gather evidence against the malefactors and to contact and interface with LEO. Naif that I was, I was surprised when he hinted that there was institutional reticence when it came to providing reports of compromises to LEO. It's obvious to me now that the last thing in the world a big bank wants announced is the scale of their losses in this context, or the number of intrusions, but he seemed determined to stir the pot.

Subsequently, two weeks passed without a word. Email went unanswered. One day I called the office number on which we had spoken earlier. I was informed that Mr. Doe had left the firm. Later, when I tried again, I was told that no one by that name had ever worked there. Whether our conversations and his (supposed) departure were connected, who knows? Maybe he just decided to take his golden parachute, but it certainly could read like something from a Ludlum novel.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cybercrime, Cybersecurity, Email, Law, Spam




OK, the attorney Jon Praed wins. So Alex Tajirian  –  Aug 24, 2009 4:38 PM PDT

OK, the attorney Jon Praed wins. So what?

Phishing has become a very complex business, whereby taking out a phishing site is becoming harder and ineffective. The new breed of online criminals is using sophisticated techniques. One technique uses “Rock Phish” sites that continue to work for a particular domain that is mentioned in a spam email after the site is taken down (provided that they can be resolved to at least one working IP). Whenever one site is removed, the name server resolves to machines still hosting a working copy of the proxy. While banks remove proxy machines and domains constantly, they are replenished frequently enough to keep a number of sites working every day. Another emerging technique is “Fast-flux domains,” whereby domain names are arranged to resolve to a set of IP addresses, say, five, for a short period, then switched to another five.

ACH transfers involve smaller amounts of money than wire transfers and they typically take a few days longer to clear. Moreover, bank account owners can instruct their banks to block ACH transfers unless authorized by the account owner. Thus, criminals have tradeoffs in avoiding detection.

A large percent of the illegal phishing and money transfers takes place entirely outside the U.S. It is relatively easy to recruit “mules.” They are typically unsuspecting starving students and job seekers who can be anywhere from South Africa to Australia. By the time the banks and the mules find out about the scam, it is already too late.

Thus, you need better risk management tools.
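One way a defender can surface the fast-flux pattern described in the comment above (a name resolving to one small set of addresses for a short period, then to a completely different set), as an added example that is not part of the original post or of the comment: score each domain on how many distinct addresses and /24 networks it has resolved to, how often one answer set entirely replaces the previous one, and whether the TTLs stay short. The domain names, addresses and thresholds are constructed for illustration.

```python
"""Fast-flux triage over a log of DNS answers (constructed sample data)."""
from collections import defaultdict

# Constructed observations: (timestamp_s, domain, ttl_s, answer addresses).
# Names and addresses are documentation-range placeholders, not real indicators.
OBSERVATIONS = [
    (0, "flux.example", 300, {"198.51.100.11", "198.51.100.12", "198.51.100.13",
                              "198.51.100.14", "198.51.100.15"}),
    (600, "flux.example", 300, {"203.0.113.21", "203.0.113.22", "203.0.113.23",
                                "203.0.113.24", "203.0.113.25"}),
    (1200, "flux.example", 300, {"192.0.2.31", "192.0.2.32", "192.0.2.33",
                                 "192.0.2.34", "192.0.2.35"}),
    (0, "static.example", 86400, {"198.51.100.200"}),
    (600, "static.example", 86400, {"198.51.100.200"}),
    (1200, "static.example", 86400, {"198.51.100.200"}),
]


def flux_stats(observations):
    """Per-domain churn statistics derived from successive answer sets."""
    per_domain = defaultdict(list)
    for ts, name, ttl, ips in sorted(observations, key=lambda o: (o[1], o[0])):
        per_domain[name].append((ts, ttl, frozenset(ips)))
    stats = {}
    for name, rows in per_domain.items():
        seen = set().union(*(ips for _, _, ips in rows))
        # A "turnover" is a lookup whose answers share no address with the
        # previous answer set: the whole set of five was swapped out.
        turnovers = sum(1 for (_, _, a), (_, _, b) in zip(rows, rows[1:])
                        if a.isdisjoint(b))
        stats[name] = {
            "distinct_ips": len(seen),
            "networks": len({ip.rsplit(".", 1)[0] for ip in seen}),  # distinct /24s
            "turnovers": turnovers,
            "max_ttl": max(ttl for _, ttl, _ in rows),
        }
    return stats


def is_fast_flux(s, min_ips=10, min_networks=2, min_turnovers=2, max_ttl=900):
    """Assumed thresholds; tune against your own resolver logs."""
    return (s["distinct_ips"] >= min_ips and s["networks"] >= min_networks
            and s["turnovers"] >= min_turnovers and s["max_ttl"] <= max_ttl)


if __name__ == "__main__":
    for name, s in flux_stats(OBSERVATIONS).items():
        print(name, s, "FLUX" if is_fast_flux(s) else "ok")
```

Large CDNs and round-robin load balancers also answer with short TTLs and many addresses, so treat the flag as a triage signal to combine with domain age and spam-campaign context rather than as a verdict.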

Read the complaint John Levine  –  Aug 24, 2009 4:54 PM PDT

This case has nothing to do with Rock Phish or fake bank web sites.  Didn't you even look at the complaint?

How does that help bank stonewalling? Alessandro Vesely  –  Aug 26, 2009 1:55 AM PDT

Getting 100 bucks for each spam message should sound like a good business for everyone. However, John Doe Defendants' identity is currently unknown to Plaintiff because Defendants have intentionally acted to hide their identity to evade detection. Apparently, the suit only aims at spammers conducting their business within a state in the US, where they can be identified and prosecuted. From an immunological point of view, it attacks the weakest strains only: full blown criminals, but not yet quite proficient.

I'd note that while catching a few viruses may strengthen one's defenses, catching too many may kill the hosts, and, in case that depends on a structural inadequacy, the whole species is at risk. It's time to update our protocols. However, it is not clear to me how this suit may help diffuse anti-spam upgrades.
