
Helping Banks Fight Phishing and Account Fraud, Whether They Like It or Not

John Levine

On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past.

The goal of this suit is to identify the criminals behind a vast amount of theft through the ACH, the Automated Clearing House that handles direct deposits and electronic payments in the US. The pattern is that the bad guys install malware on the PC of company financial officers, and use it to make ACH transfers to money mules who then wire it out of the country.

Although the primary target of this suit is the crooks, an equally important subsidiary target is the banks, who have consistently stonewalled attempts to learn about the extent of the losses, the details of the scam, and what the banks are doing to deter it.

Bank stonewalling is not a new problem. Adam Brower wrote about his experience with one of them:

I can supply some perspective from my own experience. I noticed the article today, too, and spent some time nodding my head and clucking over my morning coffee.

For nearly a year, two years ago, I made it my personal mission to convince just one bank to aggressively pursue just one phisher. I did this, by the way, not as a representative of any anti-spam project, but as a citizen. I encountered the expected silence from a majority of the executives with whom I attempted to establish contact. From a very few others, I received polite thanks for my interest, advice to contact LEO, and from two of them, invitations to open accounts!

After months of such wheel-spinning, a door seemed to open. I received a thoughtful reply from a mid-level executive at a major New York-based bank. We exchanged emails for three weeks. After he accepted my very weak bona fides (I am, after all, far from expert in these matters, my sole strengths being doggedness and an occasional way with language) I sent him links to the wealth of investigative data available on the web, samples of phishing spam targeting his institution, background info on the rockphish phishing package et al., and he lapped it up. I was astounded that so much of this was apparently news to a man in his position. We spoke on the phone three times, each time ending with agreement that the bank's enormous resources could and should be brought to bear against the crooks who were victimizing its customers and costing it unreported millions in losses each year. During the last call, he informed me that he intended to whiteboard, at a coming meeting, the entire body of stuff I had sent him, and to propose forming an internal task force to gather evidence against the malefactors and to contact and interface with LEO. Naif that I was, I was surprised when he hinted that there was institutional reticence when it came to providing reports of compromises to LEO. It's obvious to me now that the last thing in the world a big bank wants announced is the scale of their losses in this context, or the number of intrusions, but he seemed determined to stir the pot.

Subsequently, two weeks passed without a word. Email went unanswered. One day I called the office number on which we had spoken earlier. I was informed that Mr. Doe had left the firm. Later, when I tried again, I was told that no one by that name had ever worked there. Whether our conversations and his (supposed) departure were connected, who knows? Maybe he just decided to take his golden parachute, but it certainly could read like something from a Ludlum novel.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cybercrime, Email, Law, Security, Spam


Comments

OK, the attorney Jon Praed wins. So Alex Tajirian  –  Aug 24, 2009 4:38 PM PDT

OK, the attorney Jon Praed wins. So what?

Phishing has become a very complex business, whereby taking out a phishing site is becoming harder and ineffective. The new breed of online criminals are using sophisticated techniques. One technique uses “Rock Phish” sites that continue to work for a particular domain that is mentioned in a spam email after the site is taken down (provided that they can be resolved to at least one working IP). Whenever one site is removed, the name server resolves to machines still hosting a working copy of the proxy. While banks remove proxy machines and domains constantly, they are replenished frequently enough to keep a number of sites working every day. Another emerging technique is “Fast-flux domains,” whereby domain names are arranged to resolve to a set of IP addresses, say, five, for a short period, then switched to another five.

ACH transfers involve smaller amounts of money than wire transfers and they typically take a few days longer to clear. Moreover, bank account owners can instruct their banks to block ACH transfers unless authorized by the account owner. Thus, criminals have tradeoffs in avoiding detection.

A large percent of the illegal phishing and money transfers takes place entirely outside the U.S. It is relatively easy to recruit “mules.” They are typically unsuspecting starving students and job seekers who can be anywhere from South Africa to Australia. By the time the banks and the mules find out about the scam, it is already too late.

Thus, you need better risk management tools.
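The fast-flux arrangement described in the comment above (a name resolving to one small set of addresses for a short period, then another) is something a defender can spot from repeated lookups alone. The following Python is an added example, not code from the post or its commenters: it scores constructed DNS observations by distinct address count, TTL, and how often the answer set changes between lookups; the domain names use documentation ranges and the thresholds are assumptions to be tuned.

```python
from collections import defaultdict

# Constructed sample names and addresses (documentation ranges), not real indicators.
FLUX = "flux-login.example"
STATIC = "bank-static.example"


def _ips(prefix, start, n):
    """Build a set of n consecutive addresses under a /24 prefix (constructed data)."""
    return {f"{prefix}.{i}" for i in range(start, start + n)}


# (seconds since start, domain, TTL, answer set) as a resolver log might record them.
OBSERVATIONS = [
    (0, FLUX, 180, _ips("203.0.113", 1, 5)),
    (180, FLUX, 180, _ips("203.0.113", 6, 5)),
    (360, FLUX, 180, _ips("198.51.100", 1, 5)),
    (540, FLUX, 180, _ips("198.51.100", 6, 5)),
    (0, STATIC, 86400, {"192.0.2.10"}),
    (3600, STATIC, 86400, {"192.0.2.10"}),
    (7200, STATIC, 86400, {"192.0.2.10"}),
]


def flux_profile(observations):
    """Per domain: lookups seen, distinct IPs, lowest TTL, and answer-set changes."""
    per = defaultdict(lambda: {"lookups": 0, "ips": set(), "min_ttl": None,
                               "changes": 0, "last": None})
    for _, domain, ttl, answers in sorted(observations, key=lambda o: (o[0], o[1])):
        p = per[domain]
        p["lookups"] += 1
        p["ips"] |= answers
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
        if p["last"] is not None and answers != p["last"]:
            p["changes"] += 1  # the whole answer set rotated since the previous lookup
        p["last"] = answers
    return per


def is_fast_flux(profile, min_ips=10, max_ttl=600, min_change_ratio=0.5):
    """Assumed heuristic: many distinct IPs, short TTL, and frequent rotation."""
    if profile["lookups"] < 2:
        return False
    ratio = profile["changes"] / (profile["lookups"] - 1)
    return (len(profile["ips"]) >= min_ips and profile["min_ttl"] <= max_ttl
            and ratio >= min_change_ratio)


def flag_domains(observations, **thresholds):
    """Return the sorted list of domains whose profile looks like fast flux."""
    return sorted(d for d, p in flux_profile(observations).items()
                  if is_fast_flux(p, **thresholds))
```

Run against real resolver logs, the same profile separates flux names from legitimate CDN names mainly by the change ratio, since CDNs also use low TTLs but keep a stable pool.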

Read the complaint John Levine  –  Aug 24, 2009 4:54 PM PDT

This case has nothing to do with Rock Phish or fake bank web sites.  Didn't you even look at the complaint?

How does that help bank stonewalling? Alessandro Vesely  –  Aug 26, 2009 1:55 AM PDT

Getting 100 bucks for each spam message should sound like a good business for everyone. However, John Doe Defendants' identity is currently unknown to Plaintiff because Defendants have intentionally acted to hide their identity to evade detection. Apparently, the suit only aims at spammers conducting their business within a state in the US, where they can be identified and prosecuted. From an immunological point of view, it attacks the weakest strains only: full blown criminals, but not yet quite proficient.

I'd note that while catching a few viruses may strengthen one's defenses, catching too many may kill the hosts, and, in case that depends on a structural inadequacy, the whole species is at risk. It's time to update our protocols. However, it is not clear to me how this suit may help diffusing anti-spam upgrades.

