Case Study
Death to Phishing
What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.
By Sarah D. Scalet
In the most difficult scenario, a phishing site is domain-based. (See "After Phishing? Pharming!" Page 44, for details about how domain-name servers and domain-based attacks work.) Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.
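The address-hopping behaviour Hyndman describes (a short DNS TTL and a stream of unrelated, compromised hosts behind one name) leaves a signature in resolver or passive-DNS logs. The following is an added example, not code from the article or from the bank's vendor: it profiles constructed DNS observations per name and flags the one that rotates across many addresses in unrelated networks on a very short TTL. The domain names, addresses (documentation ranges only) and thresholds are illustrative assumptions.

```python
"""Fast-flux detection over passive-DNS style observations (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample input: (timestamp, name, A record, TTL in seconds).
# The first name behaves like the phishing host in the article: a new
# address every three minutes on a 180 s TTL, spread across unrelated
# networks. The second is an ordinary site with stable addresses.
OBSERVATIONS = [
    ("2005-08-01T10:00:00", "secure-update.bankxyz-login.example", "203.0.113.10", 180),
    ("2005-08-01T10:03:00", "secure-update.bankxyz-login.example", "198.51.100.77", 180),
    ("2005-08-01T10:06:00", "secure-update.bankxyz-login.example", "192.0.2.45", 180),
    ("2005-08-01T10:09:00", "secure-update.bankxyz-login.example", "203.0.113.200", 180),
    ("2005-08-01T10:12:00", "secure-update.bankxyz-login.example", "198.51.100.9", 180),
    ("2005-08-01T10:15:00", "secure-update.bankxyz-login.example", "192.0.2.130", 180),
    ("2005-08-01T10:00:00", "www.bankxyz.example", "192.0.2.1", 86400),
    ("2005-08-01T14:00:00", "www.bankxyz.example", "192.0.2.1", 86400),
    ("2005-08-01T18:00:00", "www.bankxyz.example", "192.0.2.2", 86400),
]

# Assumed thresholds; tune against your own resolver traffic.
MAX_TTL = 300              # flux networks keep TTL short so rotations take effect
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3  # hacked machines sit in unrelated /24s, unlike one hosting pool


def profile(observations):
    """Per-name statistics: distinct addresses, distinct /24s, lowest TTL
    and mean seconds between observations where the answer changed."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in observations:
        by_name[name].append((datetime.fromisoformat(ts), ip, ttl))

    stats = {}
    for name, rows in by_name.items():
        rows.sort()
        ips = {ip for _, ip, _ in rows}
        prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
        gaps = [
            (t1 - t0).total_seconds()
            for (t0, ip0, _), (t1, ip1, _) in zip(rows, rows[1:])
            if ip0 != ip1
        ]
        stats[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttl for _, _, ttl in rows),
            "mean_rotation_s": (sum(gaps) / len(gaps)) if gaps else None,
        }
    return stats


def is_fast_flux(s):
    """All three signals together: many addresses, many networks, short TTL."""
    return (
        s["distinct_ips"] >= MIN_DISTINCT_IPS
        and s["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
        and s["min_ttl"] <= MAX_TTL
    )


def flagged(observations):
    """Sorted list of names whose profile matches the fast-flux heuristic."""
    return sorted(name for name, s in profile(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in profile(OBSERVATIONS).items():
        print(name, s, "FLUX" if is_fast_flux(s) else "ok")
```

The three signals are checked together on purpose: a content-delivery network also answers one name with many addresses on a short TTL, so address count or TTL alone produces false positives. Requiring the addresses to spread across unrelated /24s narrows it to the hop-between-hacked-hosts pattern, and the mean rotation interval (180 s in the sample) is what you would hand the takedown vendor as evidence.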
When a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing site, the goal being to "dilute" the real information and make the phisher's haul less valuable.
Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of service, an attack in which so much bogus traffic floods a website that it collapses. Dave Jevans, chairman of the Anti-Phishing Working Group, laughs when asked about dilution. "That's the polite term," he says. "Denial of service," the impolite term, "is illegal. Which is why you find not everybody is using dilution."
"We don't do denial of service because we make [dilution] look like actual users" are visiting the site at a reasonable traffic rate, Hyndman responds. "We won't try to stop the site because it's usually running on a hacked computer." Still, he acknowledges that most companies are leery of the practice.
The thorny legal implications of dilution drive home the point that when a phishing attack occurs, some decisions are just too complex to make on a tense conference call at the height of summer vacation season. In the long run, Bank XYZ decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank "significant" losses.
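The two technical objections to dilution above are that the decoys must not look obviously fake and that the submission pattern must neither stand out nor reach denial-of-service volume. The following is an added example, not the vendor's or the bank's code: it generates format-valid decoy records (Luhn-valid card numbers, plausible usernames and passwords) and a submission timetable with exponentially distributed gaps, which is how independent victims would arrive, floored so the rate can never exceed a fixed cap. The name lists, the assumed card prefix and the pacing parameters are illustrative; the actual delivery to the phishing site is deliberately left as a pluggable sink.

```python
"""Decoy generation and pacing for a dilution run (added example)."""
import random
import string

# Constructed, illustrative name pools and an assumed test card prefix.
FIRST = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
LAST = ["smith", "jones", "taylor", "brown", "wilson", "evans", "thomas"]
CARD_PREFIX = "400000"  # assumed BIN; 16-digit numbers overall


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # will sit in a doubled position once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Standard Luhn validation over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_decoy(rng):
    """One record that passes the format checks a phisher is likely to apply."""
    body = CARD_PREFIX + "".join(rng.choice(string.digits) for _ in range(9))
    card = body + luhn_check_digit(body)
    user = rng.choice(FIRST) + rng.choice(LAST) + str(rng.randint(1, 99))
    alphabet = string.ascii_letters + string.digits
    password = "".join(rng.choice(alphabet) for _ in range(rng.randint(8, 12)))
    return {"user": user, "password": password, "card": card}


def schedule(rng, count, mean_gap_s, min_gap_s):
    """Inter-arrival gaps of a Poisson process, floored to bound the peak rate."""
    return [max(min_gap_s, rng.expovariate(1.0 / mean_gap_s)) for _ in range(count)]


def plan_dilution(seed, count, mean_gap_s=45.0, min_gap_s=5.0):
    """Return [(seconds_from_start, decoy), ...]; seed makes the plan reproducible
    so the bank keeps an exact record of every decoy it fed the site."""
    rng = random.Random(seed)
    plan, t = [], 0.0
    for gap in schedule(rng, count, mean_gap_s, min_gap_s):
        t += gap
        plan.append((t, make_decoy(rng)))
    return plan


def peak_rate_per_minute(plan):
    """Largest number of submissions falling in any 60-second window."""
    times = [t for t, _ in plan]
    return max(sum(1 for t in times[i:] if t < t0 + 60) for i, t0 in enumerate(times))


def run(plan, sink):
    """Deliver each decoy via sink(delay_seconds, record); sink is the
    caller's transport (the example's default just records the calls)."""
    previous = 0.0
    for t, record in plan:
        sink(t - previous, record)
        previous = t


if __name__ == "__main__":
    p = plan_dilution(seed=7, count=10)
    run(p, lambda delay, rec: print(f"wait {delay:6.1f}s then submit {rec}"))
    print("peak per minute:", peak_rate_per_minute(p))
```

Two design points follow from the article's caveats. A fixed or strictly periodic interval is exactly the kind of pattern Hyndman says can tip off the phisher, so the gaps are random; and because the site usually sits on a hacked computer, the floor on the gap (12 submissions per minute at most with `min_gap_s=5.0`) is what keeps the run from becoming the denial of service Jevans warns is illegal. Keeping the seeded plan also means any later attempt to use one of these decoys against the bank's own login can be recognised, which is the bank's own design choice to make rather than anything the article prescribes.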
Damage Control
While the vendor attempts to take down the bogus site, Bank XYZ's corporate security department tries to keep the bank's losses from adding up to "significant," and significant losses are a definite possibility. The TowerGroup, a financial services consultancy, estimates that in 2004, phishing cost the banking industry approximately $140 million in direct losses alone. That's where Katherine Miller, a level-headed financial crime investigator at the bank, comes in. While Jones coordinates the bank's technical response to the attack, Miller heads up the phishing-related antifraud efforts.