Phish tales


David Jevans discusses the challenges faced in fighting the global war on phishing and crimeware during the financial crisis.


When I founded the Anti-Phishing Working Group in 2003, I thought that we would have eliminated phishing by mid-2004. How wrong I was.

The Anti-Phishing Working Group (APWG) was founded to bring together the diverse communities of banks, ISPs, e-commerce companies, security vendors and law enforcement agencies. Our core philosophy was to create a forum where these diverse players could talk frankly and honestly about the evolving phishing attack situation, without fear that these conversations would become public. This format proved to be immensely successful, and the APWG now has over 1500 member companies and government agencies.

In 2003, phishing attacks spread from attacks against eBay and PayPal customers to a wave of coordinated attacks against the customers of Australian financial institutions. In the summer of 2003, these attacks were then aimed against customers of UK financial institutions and in late 2003 US banking customers began to be targeted.

This global pattern indicated that cyber criminals were becoming just as organized as traditional crime gangs. They were testing new techniques in smaller markets like Australia, where users are easily targeted both by their network address and because there are fewer financial institutions. The model was then perfected and expanded in the UK, where there were still a small number of institutions and an easily targeted customer base. The scam was then scaled up to the US market, particularly targeting customers of the top few banks.

It became clear that one particular group could not solve the phishing problem on their own. It would require cross-industry collaboration. Thus the APWG was formed.

As phishing scams became ever more sophisticated and professional, members of the APWG were able to discuss the evolving tactics and best practices for detecting these attacks, shutting down the phishing sites and tracking and reducing losses. In closed-door APWG meetings, members were able to discuss the indirect financial losses from phishing attacks, for example the costs of call centers receiving tens of thousands of phone calls from consumers when a major attack was launched.

The APWG publishes monthly reports that track phishing statistics around the globe. These statistics allowed us to see patterns where some financial institutions would be attacked with much more intensity than others. Eventually it became clear that one significant factor in the number of attacks that an institution faced was related to how easily criminals could transfer funds out of compromised customer accounts. We also began to see cross-channel fraud, where account numbers and PINs were used to create ‘white plastic’ ATM and debit cards. Financial institutions started to realize that the phishing problem spanned all types of fraud, and was involved in ATM, debit card, check card, wire transfer, ACH and account opening fraud. More recently we have been seeing the telephone banking channel used as an attack vector, where phishers send out emails requesting customers to call a fake call center, where the IVR system is used to collect account numbers and PINs from customers without them ever having to visit a spoofed bank website.

The cyber criminals fight back
Through 2005 and 2006 the security community began to develop anti-phishing technologies and service offerings such as outsourced takedown services to get spoofed websites shut down in a timely fashion. The phishers responded by increasingly hosting their spoofed websites in foreign countries, making takedowns very time consuming: they now required foreign language skills and working around the clock to deal with sites hosted in varying time zones.

For every defensive measure that is put in place by the industry, the criminals react with a creative new approach to continue their fraudulent activities. For example, the security and web browser community began to track known phishing sites and share those web addresses as a block-list, which would allow browsers and email servers to prevent users from receiving known phishing emails or visiting known phishing sites. One of the prominent phishing gangs, known as the ‘Rock Phish Gang’, responded by using tens of thousands of sub-domains on their phishing sites, thus overwhelming the block-lists.
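The sub-domain flooding described above defeats a block-list that matches exact hostnames. As an added example (not from the article or the APWG), this Python matcher indexes each report by registered domain as well as by hostname, so one entry keeps covering every sub-domain the gang spins up; it assumes a simplified last-two-labels rule for the registered domain, where a real matcher would consult the Public Suffix List.

```python
"""Block-list keyed on registered domain as well as exact hostname.
Added example (not from the article or the APWG). Assumption: the registered
domain is the last two labels; real matchers use the Public Suffix List."""
from typing import Iterable, Optional


def registered_domain(hostname: str) -> str:
    """Last two labels, lower-cased, trailing dot stripped."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


class BlockList:
    def __init__(self) -> None:
        self.exact: set = set()     # reported hostnames, matched verbatim
        self.domains: set = set()   # registered domains blocked wholesale

    def add(self, hostname: str, whole_domain: bool = False) -> None:
        host = hostname.lower().rstrip(".")
        self.exact.add(host)
        if whole_domain:
            self.domains.add(registered_domain(host))

    def match(self, hostname: str) -> Optional[str]:
        """Why a name is blocked: 'exact', 'domain', or None."""
        host = hostname.lower().rstrip(".")
        if host in self.exact:
            return "exact"
        return "domain" if registered_domain(host) in self.domains else None


def coverage(bl: BlockList, hostnames: Iterable[str]) -> float:
    """Fraction of the given hostnames the list blocks."""
    names = list(hostnames)
    return sum(bl.match(h) is not None for h in names) / len(names)


# Constructed sample: one reported phishing host, after which the gang rotates
# through thousands of fresh sub-domains under the same registered domain.
REPORTED = "secure-login.bank-update.example"
FLOOD = [f"node{i}.bank-update.example" for i in range(10_000)]


def naive_coverage() -> float:
    bl = BlockList()            # exact-hostname list built from the single report
    bl.add(REPORTED)
    return coverage(bl, FLOOD)


def domain_coverage() -> float:
    bl = BlockList()            # same report, also indexed by registered domain
    bl.add(REPORTED, whole_domain=True)
    return coverage(bl, FLOOD)
```

With only the one reported hostname, the exact-match list blocks none of the flood while the domain-keyed list blocks all of it, which is why takedown and block-list feeds report registered domains alongside full URLs.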

Another example of escalation in the war against cyber fraud was the invention of fast-flux technology by the leading phishing gangs. Fast-flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. In a more sophisticated form, multiple nodes in the fraud network register and de-register their own addresses in the DNS record set for the zone. This makes taking down phishing and crimeware sites extremely difficult, as they are hosted on many machines with constantly changing IP addresses. The APWG and our members have been working with ICANN, the Internet Corporation for Assigned Names and Numbers, to create policies for rapid takedowns of fraudulent domain names that are being used to host phishing and fast-flux sites. This has been a multi-year effort, and there is still much work to do on policy and education among the registrar and registry communities.
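To show what fast-flux looks like from the resolver's side, here is an added example (not from the article or the APWG) that scores a name from repeated lookups on the indicators above: many distinct hosts, spread across many networks, short TTLs and high turnover between answers. The thresholds, the /16 prefix used as a cheap network-diversity proxy, and both sample lookup series are constructed assumptions; the second series shows why a short TTL on its own is not enough, since content delivery networks use one too.

```python
"""Fast-flux candidate scoring from repeated DNS lookups.
Added example, not from the article or the APWG. Thresholds are illustrative
assumptions; a real classifier would also use ASN lookups and domain age."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Lookup:
    name: str
    ts: int        # seconds since an arbitrary epoch (constructed)
    ttl: int       # TTL of the answer, in seconds
    addrs: tuple   # A records returned by this lookup


def prefix16(addr: str) -> str:
    """/16 of an IPv4 address: a cheap stand-in for network diversity."""
    return str(ip_address(addr)).rsplit(".", 2)[0]


def features(lookups: list) -> dict:
    """Aggregate one name's lookups into fast-flux indicators."""
    seq = sorted(lookups, key=lambda l: l.ts)
    ips = {a for l in seq for a in l.addrs}
    # churn: average Jaccard distance between consecutive answer sets
    pairs = list(zip(seq, seq[1:]))
    churn = sum(1 - len(set(a.addrs) & set(b.addrs)) / len(set(a.addrs) | set(b.addrs))
                for a, b in pairs) / len(pairs) if pairs else 0.0
    return {"ips": len(ips), "nets": len({prefix16(a) for a in ips}),
            "min_ttl": min(l.ttl for l in seq), "churn": churn}


def is_fast_flux(lookups: list, min_ips: int = 8, min_nets: int = 5,
                 max_ttl: int = 300, min_churn: float = 0.5) -> bool:
    """All four indicators must fire: many hosts, many networks, low TTL, high churn."""
    f = features(lookups)
    return (f["ips"] >= min_ips and f["nets"] >= min_nets
            and f["min_ttl"] <= max_ttl and f["churn"] >= min_churn)


def flux_sample() -> list:
    """Constructed: every answer hands out four never-before-seen hosts."""
    return [Lookup("flux.example", t * 120, 60,
                   tuple(f"10.{t * 4 + i}.{i}.7" for i in range(4))) for t in range(6)]


def cdn_sample() -> list:
    """Constructed: short TTL as well, but a stable pool inside one network."""
    pool = [f"10.50.0.{i}" for i in range(6)]
    return [Lookup("cdn.example", t * 120, 60,
                   tuple(pool[(t + i) % 6] for i in range(4))) for t in range(6)]
```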

A very disturbing trend over the last year has been the use of social networks to spread crimeware and phishing. There have been attacks against users of MySpace and LinkedIn that have infected tens of thousands, and in some instances up to a million users in a very short time frame. These attacks do not rely on traditional email, as they spread inside the social networks using their internal web-based messaging systems. This can make these attacks very difficult to track and profile.

2009 and Beyond
We expect that the current global financial crisis will continue to give phishers new ways to create believable social engineering attacks to steal account credentials and to spread crimeware. In the fourth quarter of 2008 there were numerous attacks against customers of major financial institutions that were being acquired or were in the news receiving government aid. In 2009 we can expect an increase in money mule recruitment scams, where criminals recruit unemployed consumers to act as online funds transfer agents, or to reship goods that were purchased using stolen credit card numbers.

The rapid and continuous evolution and expansion of online financial fraud through phishing, crimeware and social engineering is something that requires a coordinated global response from the financial services industry, ISPs, security vendors, e-commerce merchants and law enforcement agencies. The APWG and our members have been working to expand our systems and tools for secure collaboration and data sharing. We have facilitated the sharing of phishing site URLs between members, and are expanding this to allow financial institutions and security researchers to share information about fraudulent websites and IP addresses of known and suspected cyber criminals.

In these challenging financial times, it's more important than ever for the financial services industry, the security industry, ISPs and law enforcement to work together to share information and pool our resources to keep our customers safe, and to secure our assets. Come and join us.

David Jevans is the chairman of the Anti-Phishing Working Group. For more information please visit www.antiphishing.org.

Crimeware escalation
Over the last several years we have seen phishing augmented by the spread of malicious software that is designed to steal online account credentials. This malicious software designed for electronic crime has been dubbed ‘crimeware’. The crimeware wave seems to have started in Brazil in the 2003 timeframe, and has naturally spread around the world. Crimeware variants are merged with remotely controlled malicious software to create networks of hundreds of thousands of compromised home computers (botnets) that are used by cyber criminals to launch phishing, crimeware and spam attacks. The botnet explosion since 2006 seems to have infected millions of personal computers around the world, which are being used by criminals without the knowledge of the person who owns the computer.

A recent development in the crimeware landscape is the evolution of targeted crimeware that is designed to get onto the computer of a targeted employee in a large corporation or government agency. Once that person’s computer is infected, the criminals can upgrade the crimeware to add new functionality to compromise other computers, steal intellectual property, create backdoor access paths into the corporate network, or even run customized software to generate transactions inside the company network. This represents the ultimate professionalism of the cyber crime industry, where crime gangs plot these attacks for many months and use highly sophisticated crimeware and targeted social engineering to get it into corporate networks. We call this ‘spear phishing’.
