One quiet Monday in July 2004, at the height of the summer vacation season, a call center representative at a midsize U.S. financial institution answered a peculiar call.
The customer on the line was suspicious of an e-mail she had received from the bank.
The e-mail contained a link to a website where the customer was asked to enter her debit card number, card expiration date, PIN and e-mail address. But the message was full of typos and grammatical errors, and it didn't seem quite right for the bank to request that information.
The call set off a confused chain reaction. The customer forwarded the e-mail to the call center representative, who forwarded it to the call center manager. The manager sent it to someone in the online banking department, who forwarded it to her upper management and to the corporate security department. By the time the e-mail made its way to information security, there were several screens of forwarding information above the original message.
Of course, you've figured out that the e-mail was not from the bank at all, nor was the first curious caller its only recipient. The e-mail was a crude phishing attack. At bank headquarters, chaos erupted. The call center was slammed with inquiries from customers who had submitted their information to the fake website, then had misgivings and picked up the phone.
As word of the spoofed e-mail and website spread throughout the bank (we'll call it Bank XYZ, which agreed to share its story on the condition of anonymity), one frantic phone call led to another. What could the bank do? Employees couldn't send customers an e-mail that would only confuse matters. They didn't want to issue a public statement that might cause panic. And they had no idea how many customers might have responded to the message but not called the bank. Within hours, the groups involved gathered on a conference line.
"You just want to put me back in that nightmare, don't you?" says information security analyst Tricia Jones (all bank employee names in this article are pseudonyms), when asked about the call. Roughly 25 or 30 people were on the line. They ranged from executives and attorneys to business-unit managers and technical people. One person called from a boat; another called from a six-hour drive back from vacation. The tension was palpable. Executives wanted to know how broad the attack was and its potential damage. The call center needed to know what to do for customers who had fallen for the scam. Some of the people on the line still didn't even know what phishing was.
Bank XYZ had just signed a 90-day trial contract with an antiphishing vendor. (The bank later inked a different vendor to a long-term arrangement.) On the conference call, the trial vendor suggested aggressive action, such as sending legal notices to those responsible for the bogus website, or peppering the site with bogus account information. The bank's lawyers fretted about those
"We weren't really thinking we were going to be phished, even though we were preparing for it," Jones recalls. "It was all theory before that, and all the sudden it was happening to us. People were trying to make decisions on the fly." The whole thing was a mess.
Today, more than 12 painful months later, when a new phishing attack occurs against Bank XYZ, a well-honed, streamlined incident response plan swings into action. With the active participation of information security, corporate security and other groups, the bank has made itself a less attractive target for phishers. The number of attacks has plummeted, from a peak of dozens a day to only a handful a month, as phishers target smaller or easier prey.
In the hopes of helping other organizations wrestling with phishing attacks, the bank's CISO, Glen Williams, and other employees agreed to take CSO behind the scenes and share what they have learned. (The bank and its employees requested anonymity in order to not draw more targeted phishing attacks.) This is their phishing incident response process, start to finish: from identifying a new attack, to working with a vendor to get the site taken down, to helping affected customers and finding other ways to limit the damages.
This is the death of a phish.
Discovery and Initiation
Although anyone with a published e-mail address might find it hard to believe, detecting a new phishing attack isn't always easy. That's why Bank XYZ's incident response starts with a formalized process for learning about new attacks quickly. The bank counts on three discovery methods: its own e-mail servers, the public at large and third-party services.
Of these methods, the vendor service is the most complex. Brandimensions, which the bank has contracted to help with an unlimited number of phishing attacks, hosts a vast, interconnected network of domain names and e-mail addresses intended solely to attract phishing e-mails and other spam. These are honeypots: entire websites built to publish e-mail addresses and point to one another, so that they draw the attention of the automated Web crawlers that compile spam lists.
"We get millions of e-mails a day," says CTO Hugh Hyndman of Brandimensions. "Our service and our whole technical infrastructure is based on our receiving and finding phishing attacks." Brandimensions uses "relevancy detection software" to flag the most damaging e-mails.
Not that bank employees sit around waiting for the news. Sometimes a new phish announces itself violently, as the bank's e-mail servers get pummeled with phishing e-mails that are bouncing back to their apparent originator. But Jones says the best source for finding out about new attacks is neither the vendor nor the company's e-mail servers. "It's your customers and noncustomers," she says, meaning the e-mail-using public, "who are going to be the ones that tell you that the phish is out there."
After that first phish, the bank set up one e-mail address to which all suspected phishing e-mails are directed. (Typical addresses for this type of account are email@example.com and firstname.lastname@example.org.) That way, more of the e-mail's header information is left intact, and no one has to scroll through pages of forwarding information to see the original message. (The original headers survive only when the message is forwarded as an attachment rather than pasted inline, so that is what customers and staff should be asked to do.)
Situation Management, which deals with any kind of outage or crisis and already had around-the-clock coverage, monitors this inbox. When a possible phish arrives, whoever is on call first looks to see if the phish has already been reported. (An individual phish is identified by its message and the URL to which it points.) If the phish is a new one, it gets assigned a number based on the date and entered into the company's homegrown phishing database. "You see what information they're looking for, if the website is up, screen shots, you name it," says a Situation Management team member.
With the attack logged, the first responder sends an e-mail to the phishing incident response team (PIRT). The PIRT, led by Jones, is the technical group that sprang from that first chaotic conference call. It consists of members of the information security and antifraud teams, who on a rotating basis are assigned to "baby-sit" whatever phish are born under their watch. The first responder also e-mails the Tiger Team, the more strategic response group, also created after that first conference call, which includes the CISO and representation from corporate security and Situation Management. He leaves voice mails for key players, such as the CISO. And, most importantly, he informs Brandimensions, which initiates its takedown processes.
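The identify-and-log step above (one inbox, a check for whether the phish is already on file, a date-based number for new ones) is easy to get wrong when the same lure arrives from dozens of forwarders with different preambles and header clutter. The following is an added example, not the bank's homegrown database or any vendor's code: it parses a forwarded report, strips the reporter's own text and pasted forwarding headers, identifies the phish by the normalized landing URL plus a fingerprint of the lure text, and assigns a `YYYYMMDD-NN` number only when that pair is new. The report messages and the date are constructed for the demo.

```python
"""Triage for a shared phishing-report inbox: identify each reported phish by
(landing URL, lure fingerprint), numbering only the new ones. Added example."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from email import message_from_string, policy
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Inline-forward separators, and the header lines mail clients paste after them.
FWD_MARKER_RE = re.compile(r"-{2,}\s*(?:original|forwarded) message\s*-{2,}", re.IGNORECASE)
FWD_HEADER_RE = re.compile(r"^(?:from|sent|to|cc|subject|date)\s*:", re.IGNORECASE)

def normalize_url(url: str) -> str:
    """Canonical form so http://Host/x/ and http://host/x#frag compare equal."""
    p = urlsplit(url.strip().rstrip(".,;"))
    host = p.hostname or ""
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path.rstrip("/") or "/", p.query, ""))

def lure_text(body: str) -> str:
    """Strip the reporter's preamble and pasted forwarding headers, keeping the lure."""
    lines = FWD_MARKER_RE.split(body)[-1].splitlines()
    quoted = [ln for ln in lines if ln.lstrip().startswith(">")]
    kept = []
    for ln in quoted or lines:  # in a '>'-quoted forward only the quoted part is the lure
        ln = ln.lstrip("> ").strip()
        if ln and not FWD_HEADER_RE.match(ln):
            kept.append(ln)
    return "\n".join(kept)

def lure_fingerprint(lure: str) -> str:
    """Hash of the lure with URLs blanked, so a rotated landing host still matches."""
    text = re.sub(r"\s+", " ", URL_RE.sub("", lure).lower()).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]

@dataclass
class PhishRecord:
    phish_id: str
    url: str
    fingerprint: str
    report_count: int = 1

class PhishDatabase:
    """In-memory stand-in for the bank's homegrown phishing database."""
    def __init__(self) -> None:
        self._by_key: dict[tuple[str, str], PhishRecord] = {}
        self._per_day: dict[date, int] = {}

    def triage(self, raw_message: str, today: date) -> tuple[PhishRecord | None, bool]:
        """Return (record, is_new); (None, False) if the report carries no URL."""
        msg = message_from_string(raw_message, policy=policy.default)
        part = msg.get_body(preferencelist=("plain",))
        lure = lure_text(part.get_content() if part else "")
        urls = URL_RE.findall(lure)
        if not urls:
            return None, False
        key = (normalize_url(urls[0]), lure_fingerprint(lure))
        if key in self._by_key:
            self._by_key[key].report_count += 1
            return self._by_key[key], False
        seq = self._per_day[today] = self._per_day.get(today, 0) + 1
        rec = self._by_key[key] = PhishRecord(f"{today:%Y%m%d}-{seq:02d}", key[0], key[1])
        return rec, True

# Constructed sample reports and date (not real traffic); two forwarding styles.
REPORT_DAY = date(2004, 7, 19)
REPORT_1 = """From: customer1@example.com
Subject: FW: Important notice

Is this real?
-----Original Message-----
From: Bank XYZ <alerts@example.com>

Dear valued customer,
Confirm you debit card number and PIN at http://Secure-Update.example.net/verify/ or you're account will be suspend.
"""
REPORT_2 = """From: customer2@example.com
Subject: Fwd: scam?

I think this is a scam.
> From: Bank XYZ <alerts@example.com>
> Dear valued customer,
> Confirm you debit card number and PIN at http://secure-update.example.net/verify#x or you're account will be suspend.
"""
# Same lure, but the phisher has moved the landing page to a fresh hacked host.
REPORT_3 = REPORT_1.replace("http://Secure-Update.example.net/verify/", "http://198.51.100.23/verify/")
REPORT_4 = "From: customer3@example.com\nSubject: weird call\n\nSomeone phoned asking for my PIN.\n"

def run_demo() -> list[tuple[str | None, bool, int]]:
    """(phish_id, is_new, report_count) for each sample report, in order."""
    db, out = PhishDatabase(), []
    for report in (REPORT_1, REPORT_2, REPORT_3, REPORT_4):
        rec, is_new = db.triage(report, REPORT_DAY)
        out.append((rec.phish_id if rec else None, is_new, rec.report_count if rec else 0))
    return out
```

Running `run_demo()` gives `20040719-01` for the first report, a second count on the same record for the `>`-quoted copy of it (different case, trailing slash and fragment in the URL, different preamble), a new `20040719-02` when the same lure points at a fresh hacked host, and `None` for a report with no link. Keying on URL and lure together follows the bank's definition of "an individual phish"; keying on the URL alone is a reasonable loosening when lure text varies a lot, and the fingerprint then becomes a way to cluster a campaign across its hosts.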
The window of opportunity for a phisher is the time between when a phishing e-mail goes out and when the fraudulent website collecting information is taken down. Left unchecked, a phishing site may stay up for days or even weeks, as information trickles in from dawdling customers who've fallen for the scam. A good takedown process can slam that window shut within hours.
Companies can keep the takedown function in-house, and many large financial institutions do. But midsize and smaller companies often lack the resources to shut down the sites themselves. The process needs to be initiated at all hours. It also can get complicated, involving not only a website owner but also domain name registrars, Web-hosting companies and network providers around the world. That's where a growing number of vendors, including Brandimensions, Cyota and Cyveillance, have stepped in.
Their services have evolved. Jones remembers when Bank XYZ first put out an RFP for antiphishing services, around the time of that first phishing attack. "We had a vendor a year ago that said they wouldn't be able to shut down a site for us because that would be an act of war." She laughs, the idea ludicrous. "Back when we were trying to figure things out, so were vendors."
Nowadays, the attempt to do a takedown is standard fare, so standard, in fact, that the Treasury Department's Office of the Comptroller of the Currency has issued guidelines about the steps banks should take to disable spoofed websites. (Takedown, which essentially just relocates the problem, may be the only defense that the targeted company has. Prosecutions of phishers have been next to nonexistent, due to the difficulty of tracing how personal information has been captured, sold and exploited.)
Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website's owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). "You say, Hey, did you know there's a URL on your website that's a phishing attack?" Brandimensions' Hyndman says. "They look at it and go, Oh my God, and they remove that website."
The reality, however, is usually much more complicated. Phishers are pros at hiding their tracks, and they often launch or route their attacks through countries where cybersecurity laws are lax and enforcement is next to impossible. If attempts to locate the website owners fail, or if the owners do not respond within an hour, Brandimensions escalates the situation.
Basically, responders work their way up the network stream seeking someone who will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar responsible for the domain that directs the URL to a given IP address. They'll send e-mails and faxes; they'll make phone calls. If necessary, they'll send notices threatening legal action. Often, when the site is hosted outside the United States, they'll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon.
In the most difficult scenario, a phishing site is domain-based. (See "After Phishing? Pharming!" Page 44, for details about how domain-name servers and domain-based attacks work.) Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.
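The IP-hopping behavior Hyndman describes is visible in a resolver's own logs before anyone looks at the site: the phishing name keeps answering with new addresses and short TTLs, while a legitimate host answers the same address with a long TTL. The following is an added example, not a Brandimensions or bank tool, of detection logic run over a constructed DNS answer log. It groups answers by name, counts distinct addresses and address changes, measures the shortest gap between changes, and flags names that cycle through many addresses with low TTLs. The thresholds are illustrative assumptions, and a real deployment would use the resolver's log format rather than the simple one assumed here.

```python
"""Spot fast-flux phishing hosts in a log of DNS answers: a name that keeps
returning new, short-lived A records is being hopped between hacked machines.
Added example; the log lines and thresholds below are constructed."""
from __future__ import annotations
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed resolver log: timestamp, name, answer IP, TTL of the answer.
SAMPLE_LOG = """\
2004-07-19T09:00:00 secure-update.example.net 198.51.100.23 ttl=180
2004-07-19T09:03:10 secure-update.example.net 203.0.113.77 ttl=180
2004-07-19T09:06:05 secure-update.example.net 192.0.2.140 ttl=180
2004-07-19T09:09:12 secure-update.example.net 198.51.100.23 ttl=180
2004-07-19T09:12:01 secure-update.example.net 203.0.113.9 ttl=180
2004-07-19T09:15:03 secure-update.example.net 192.0.2.201 ttl=180
2004-07-19T09:00:00 www.bank.example 192.0.2.10 ttl=3600
2004-07-19T09:30:00 www.bank.example 192.0.2.10 ttl=3600
2004-07-19T10:00:00 www.bank.example 192.0.2.10 ttl=3600
2004-07-19T09:00:00 static.cdn.example 203.0.113.200 ttl=60
2004-07-19T09:01:00 static.cdn.example 203.0.113.201 ttl=60
2004-07-19T09:02:00 static.cdn.example 203.0.113.200 ttl=60
2004-07-19T09:03:00 static.cdn.example 203.0.113.201 ttl=60
"""

@dataclass
class DomainStats:
    domain: str
    observations: int
    distinct_ips: int
    ip_changes: int
    min_change_interval_s: int | None  # shortest gap between two answers that differ
    median_ttl: float
    flagged: bool

def parse_log(text: str) -> list[tuple[datetime, str, str, int]]:
    """One (timestamp, name, ip, ttl) tuple per log line of the constructed format."""
    records = []
    for line in text.strip().splitlines():
        ts, name, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), name.lower(), ip, int(ttl.split("=", 1)[1])))
    return records

def analyze(records, min_distinct=4, max_ttl=300, max_interval_s=900) -> dict[str, DomainStats]:
    """Flag a name that has cycled through >= min_distinct addresses with TTLs at or
    below max_ttl and at least one change quicker than max_interval_s.
    Thresholds are illustrative; tune them against your own resolver logs."""
    by_name: dict[str, list] = defaultdict(list)
    for rec in records:
        by_name[rec[1]].append(rec)
    stats = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r[0])
        intervals = [int((cur[0] - prev[0]).total_seconds())
                     for prev, cur in zip(recs, recs[1:]) if cur[2] != prev[2]]
        min_int = min(intervals) if intervals else None
        med_ttl = statistics.median(r[3] for r in recs)
        distinct = len({r[2] for r in recs})
        flagged = (distinct >= min_distinct and med_ttl <= max_ttl
                   and min_int is not None and min_int <= max_interval_s)
        stats[name] = DomainStats(name, len(recs), distinct, len(intervals), min_int, med_ttl, flagged)
    return stats

def flagged_domains(stats: dict[str, DomainStats]) -> list[str]:
    return sorted(n for n, s in stats.items() if s.flagged)

if __name__ == "__main__":
    for s in analyze(parse_log(SAMPLE_LOG)).values():
        print(s)
```

On the sample log only `secure-update.example.net` is flagged: five addresses in fifteen minutes, changing roughly every three minutes, which matches the rotation rate Hyndman describes. The bank's own site never changes, and the low-TTL CDN name is not flagged because it alternates between just two addresses. Distinct-address counting is a crude discriminator, since large CDNs can legitimately return many addresses; a stronger signal is how many different networks (ASNs) the answers land in, which needs an external lookup and is omitted here. The operational point for takedown is that chasing each hacked host one at a time cannot win against a name that moves every few minutes, so the escalation has to go to whoever controls the domain's DNS or its registration.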
When a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing site, the goal being to "dilute" the real information, making the phisher's haul less valuable.
Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of service, an attack in which so much bogus traffic floods a website that it collapses. Dave Jevans, chairman of the Anti-Phishing Working Group, laughs when asked about dilution. "That's the polite term," he says. "Denial of service," the impolite term, "is illegal. Which is why you find not everybody is using dilution."
"We don't do denial of service because we make [dilution] look like actual users" are visiting the site at a reasonable traffic rate, Hyndman responds. "We won't try to stop the site because it's usually running on a hacked computer." Still, he acknowledges that most companies are leery of the practice.
The thorny legal implications of dilution drive home the point that when a phishing attack occurs, some decisions are just too complex to make on a tense conference call at the height of summer vacation season. In the long run, Bank XYZ decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank "significant" losses.
While the vendor attempts to take down the bogus site, Bank XYZ's corporate security department tries to keep the bank's losses from adding up to "significant," and significant losses are a definite possibility. The TowerGroup, a financial services consultancy, estimates that in 2004, phishing cost the banking industry approximately $140 million in direct losses alone. That's where Katherine Miller, a level-headed financial crime investigator at the bank, comes in. While Jones coordinates the bank's technical response to the attack, Miller heads up the phishing-related antifraud efforts.