Death to Phishing

One quiet Monday in July 2004, at the height of the summer vacation season, a call center representative at a midsize U.S. financial institution answered a peculiar call.

The customer on the line was suspicious of an e-mail she had received from the bank.

The e-mail contained a link to a website where the customer was asked to enter her debit card number, card expiration date, PIN and e-mail address. But the message was full of typos and grammatical errors, and it didn’t seem quite right for the bank to request that information.

The call set off a confused chain reaction. The customer forwarded the e-mail to the call center representative, who forwarded it to the call center manager. The manager sent it to someone in the online banking department, who forwarded it to her upper management and to the corporate security department. By the time the e-mail made its way to information security, there were several screens of forwarding information above the original message.

Of course, you’ve figured out that the e-mail was not from the bank at all, nor was the first curious caller its only recipient. The e-mail was a crude phishing attack. At bank headquarters, chaos erupted. The call center was slammed with inquiries from customers who had submitted their information to the fake website, then had misgivings and picked up the phone.

As word of the spoofed e-mail and website spread throughout the bankwe’ll call it Bank XYZ, which agreed to share its story on the condition of anonymityone frantic phone call led to another. What could the bank do? Employees couldn’t send customers an e-mail that would only confuse matters. They didn’t want to issue a public statement that might cause panic. And they had no idea how many customers might have responded to the message but not called the bank. Within hours, the groups involved gathered on a conference line.

“You just want to put me back in that nightmare, don’t you?” says information security analyst Tricia Jones (all bank employee names in this article are pseudonyms), when asked about the call. Roughly 25 or 30 people were on the line. They ranged from executives and attorneys to business-unit managers and technical people. One person called from a boat; another called from a six-hour drive back from vacation. The tension was palpable. Executives wanted to know how broad the attack was and its potential damage. The call center needed to know what to do for customers who had fallen for the scam. Some of the people on the line still didn’t even know what phishing was.

Bank XYZ had just signed a 90-day trial contract with an antiphishing vendor. (The bank later inked a different vendor to a long-term arrangement.) On the conference call, the trial vendor suggested aggressive action, such as sending legal notices to those responsible for the bogus website, or peppering the site with bogus account information. The bank’s lawyers fretted about those

options.

“We weren’t really thinking we were going to be phished, even though we were preparing for it,” Jones recalls. “It was all theory before that, and all the sudden it was happening to us. People were trying to make

decisions on the fly.” The whole thing was a mess.

TodayMore than 12 painful months laterwhen a new phishing attack occurs against Bank XYZ, a well-honed, streamlined incident response plan swings into action. With the active participation of information security, corporate security and other groups, the bank has made itself a less attractive target for phishers. The number of attacks has plummeted, from a peak of dozens

a day to only a handful a month, as phishers target smaller or easier prey.

In the hopes of helping other organizations wrestling with phishing attacks, the bank’s CISO, Glen Williams, and other employees agreed to take CSO behind the scenes and share what they have learned. (The bank and its employees requested anonymity in order to not draw more targeted phishing attacks.) This is their phishing incident response process, start to finishfrom identifying a new attack, to working with a vendor to get the site taken down, to helping affected customers and finding other ways to limit the damages.

This is the death of a phish.

Discovery and Initiation

Although anyone with a published e-mail address might find it hard to believe, detecting a new phishing attack isn’t always easy. That’s why Bank XYZ’s incident response starts with a formalized process for learning about new attacks quickly. The bank counts on three discovery methods: its own e-mail servers, the public at large and third-party services.

Of these methods, the vendor service is most complex. Brandimensions, which the bank has contracted to help with an unlimited number of phishing attacks, hosts a vast, interconnected network of domain names and e-mail addresses intended solely to attract phishing e-mails and other spam. Honeypots. Entire websites are built to publish e-mail addresses, point to one another, and thereby attract the attention of automated Web crawlers that compile spam lists.

“We get millions of e-mails a day,” says CTO Hugh Hyndman of Brandimensions. “Our service and our whole technical infrastructure is based on our receiving and finding phishing attacks.” Brandimensions uses “relevancy detection software” to flag the most damaging e-mails.

Not that bank employees sit around waiting for the news. Sometimes a new phish announces itself violently, as the bank’s e-mail servers get pummeled with phishing e-mails that are bouncing back to their apparent originator. But Jones says the best source for finding out about new attacks is neither the vendor nor the company’s e-mail servers.”It’s your customers and noncustomers”the e-mail-using public”who are going to be the ones that tell you that the phish is out there,” she says.

After that first phish, the bank set up one e-mail address where all suspected phishing e-mails are directed. (Typical addresses for this type of account

are fraud@domainname.com and phish@domainname.com.) That way, more of the e-mail’s header information is left intact, and no one has to scroll through pages of forwarding information to see the original message.

Situation Management, which deals with any kind of outage or crisis and already had around-the-clock coverage, monitors this inbox. When a possible phish arrives, whoever is on call first looks to see if the phish has already been reported. (An individual phish is identified by its message and the URL to which it points.) If the phish is a new one, it gets assigned a number based on the date and entered into the company’s homegrown phishing database. “You see what information they’re looking for, if the website is up, screen shots, you name it,” says a Situation Management team member.

With the attack logged, the first responder sends an e-mail to the phishing incident response team (PIRT). The PIRT, led by Jones, is the technical group that sprung from that first chaotic conference call it consists of members of the information security and antifraud teams, who on a rotating basis are assigned to “baby-sit” whatever phish are born under their watch. The first responder also e-mails the Tiger Teamthe more strategic response group, also created after that first conference call, which includes the CISO and representation from corporate security and Situation Management. He leaves voice mails for key players, such as the CISO. And, most importantly, he informs Brandimensions, which initiates its takedown processes.

The Takedown

The window of opportunity for a phisher is the time between when a phishing e-mail goes out and when the fraudulent website collecting information is taken down. Left unchecked, a phishing site may stay up for days or even weeks, as information trickles in from dawdling customers who’ve fallen for the scam. A good takedown process can slam that window shut within hours.

Companies can keep the takedown function in-house, and many large financial institutions do. But midsize and smaller companies often lack the resources to shut down the sites themselves. The process needs to be initiated at all hours. It also can get complicated, involving not only a website owner but also domain name registrars, Web-hosting companies and network providers around the world. That’s where a growing number of vendors, including Brandimensions, Cyota and Cyveillance, have stepped in.

Their services have evolved. Jones remembers when Bank XYZ first put out an RFP for antiphishing services, around the time of that first phishing attack. “We had a vendor a year ago that said they wouldn’t be able to shut down a site for us because that would be an act of war.” She laughs, the idea ludicrous. “Back when we were trying to figure things out, so were vendors.”

Nowadays, the attempt to do a takedown is standard fareso standard, in fact, that the Treasury Department’s Office of the Comptroller of the Currency has issued guidelines about the steps banks should take to disable spoofed websites. (Takedown, which essentially just relocates the problem, may be the only defense that the targeted company has. Prosecutions of phishers have been next to nonexistent, due to the difficulty of tracing how personal information has been captured, sold and exploited.)

Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website’s owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). “You say, Hey, did you know there’s a URL on your website that’s a phishing attack?” Brandimensions’ Hyndman says. “They look at it and go, Oh my God, and they remove that website.”

The reality, however, is usually much more complicated. Phishers are pros at hiding their tracks, and they often launch or route their attacks through countries where cybersecurity laws are lax and enforcement is next to impossible. If attempts to locate the website owners failor if the owners do not respond within an hourBrandimensions escalates the situation.

Basically, responders work their way up the network stream seeking someone who will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar that’s directing the URL to a given IP address. They’ll send e-mails and faxes they’ll make phone calls. If necessary, they’ll send notices threatening legal action. Often, when the site is hosted outside the United States, they’ll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon.

In the most difficult scenario, a phishing site is domain-based. (See “After Phishing? Pharming!” Page 44, for details about how domain-name servers and domain-based attacks work.) Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.

When a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing sitethe goal being to “dilute” the real information, making the phisher’s haul less valuable.

Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of servicean attack in which so much bogus traffic floods a website that it collapses. Dave Jevans, chairman of the Anti-Phishing Working Group, laughs when asked about dilution. “That’s the polite term,” he says. “Denial of service”the impolite term”is illegal. Which is why you find not everybody is using dilution.”

“We don’t do denial of service because we make [dilution] look like actual users” are visiting the site at a reasonable traffic rate, Hyndman responds. “We won’t try to stop the site because it’s usually running on a hacked computer.” Still, he acknowledges that most companies are leery of the practice.

The thorny legal implications of dilution drive home the point that when a phishing attack occurs, some decisions are just too complex to make on a tense conference call at the height of summer vacation season. In the long run, Bank XYZ decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank “significant” losses.

Damage Control

While the vendor attempts to take down the bogus site, Bank XYZ’s corporate security department tries to keep the bank’s losses from adding up to “significant”and significant losses are a definite possibility. The TowerGroup, a financial services consultancy, estimates that in 2004, phishing cost the banking industry approximately $140 million in direct losses alone. That’s where Katherine Miller, a level-headed financial crime investigator at the bank, comes in. While Jones coordinates the bank’s technical response to the attack, Miller heads up the phishing-related antifraud efforts.

When the possibility of a phishing attack was theoretical, it didn’t seem that this part of the response would be very complicated. “It’s easy for management, who is more removed from the clientele base, to say, &lsquoIf this occurs, we’re going to do ABC. For every client that we know [was affected], we’re going to shut down all those accounts, and we’re going to replace them,'” Miller says. “But then the reality hits.”

That first attack opened the floodgates. Over the next months, Bank XYZ was hit again and again, up to dozens of times a day. Sometimes the attacks were copycat phishes, launched after a tool kit, complete with templates, was released into the phishing community. (This sharing practice gains the original phisher credibility among his cohorts, while also throwing law enforcement off his track.) But other times the phishing attacks were unique. Bank employees came to realize that they were facing a maddening series of “what if” scenarios.

If the customer gave up only her ATM card and PIN, was it safe for the bank just to reissue an ATM card? If a customer gave up his banking log-on information, did all his account numbers need to change? If a customer gave up her Social Security number at a phishing site with Bank XYZ’s logo, how proactive should the bank be about counseling the customer on identity theft? And how, by the way, could the call center realistically provide coverage during the deluge of calls caused by a phishing attack?

“For every phone call that you take, there’s a reaction that has to occur,” Miller points out. “Accounts don’t just close themselves. That’s a time-consuming process.” It’s also an expensive one: The TowerGroup estimates that replacing a single ATM card costs about $7.50.

It took months to work out the resulting procedures. For instance, the bank eventually decided to have the call center handle initial account changes, but to have someone from the fraud department follow up with customers within 24 hours, for further counseling and investigation. Another policy: When online banking information was divulged, before changing all the customer’s account information, the bank would look at recent account activity and try to determine what information had been accessed.

Of course, all of this begged a larger question: Who wasn’t calling? Which customers hadn’t realized they’d been duped? Answers,

occasionally, came in an unexpected gift. Sometimes, either the vendor or members of the fraud department were able to exploit a vulnerability in a phishing website that allowed them to actually see which customers had entered account information, put a hold on those accounts, and contact the customer to get the account information changed.

Like dilution, this practice is aggressive at best, and possibly illegal at worst. “You’re still connecting to someone’s systems you don’t own, and potentially you could be liable for something,” says Ryan Crum, a manager in PricewaterhouseCoopers’ Security Practice. After talking it over with the legal department, Bank XYZ decided that knowing exactly who was giving up their account information was worth the risk.

Other times, data was more easily obtained. Sometimes cooperative ISPs turn over forensic information about illegal activity on their servers. The bank has been able to learn about where a phishing e-mail was sent or, even better, what information was gathered.

But all this is rare. Instead, the fraud team focuses on how and where losses are occurring. Early phishers were mostly after ATM numbers and PINs, because that was all the information a criminal needed to create a fake ATM cardcalled white plasticand use it to withdraw funds. These fund withdrawals were coming off the bank’s bottom line, so this led to some painful decisions.

“Maybe [Jones] is baby-sitting a phish, and we’re having a problem getting it closed down,” Miller posits. “Not only that, but the call centers were reporting a volume yesterday of 100 today it’s 200, and it’s climbing. And at the same time the debit card department is reporting that the number of white plastic losses are increasing in volume.”

Miller’s voice is calm as she paints this increasingly alarming scenario. She continues: “Now we have a situation where we really need to find additional ways to mitigate risk. Maybe all these actions are taking place in Bulgaria. So we might say, maybe we can shut down the ATMs in Bulgaria.” The tough question, of course, is whether the possibility of stopping those losses is worth the risk of stranding customers traveling in Bulgaria.

Here is one happy part of the story. Eventually, the bank was able to cut the phishing-related white card losses down to zero, without disrupting ATM service at all. How? By changing the authentication process. Every ATM card has data encoded on its magnetic strip that the customer can’t see but that most ATM machines can read. The company worked with its network provider to use that hidden information to authenticate ATM transactionsan important step that, according to Gartner, only about half of U.S. banks have taken.

“Since the number isn’t printed on the back of the card, customers can’t accidentally disclose it,” CISO Williams explains. The information was already in the cards, so Bank XYZ didn’t have to go through an expensive process of reissuing cards. “It was a very economical solution, and it’s been very effective.”

Denouement

By whatever means, the phishing site eventually comes down. Then all that’s left is the reporting.

Brandimensions burns a compact disc with information about the phish, including screen shots, and gives it to Bank XYZ. The bank then passes the information on to the FBI, which looks for patterns or anomalies in the attacks. (Through Miller, the FBI agent assigned to Bank XYZ declined to comment for this story.)

Technically, national banks are also supposed to report incidents involving spoofed websites to the Treasury Department’s Office of the Comptroller of the Currency, in the form of a suspicious activity report, or SAR. Miller won’t publicly comment on SARs at all, even anonymously. She’ll only say that the bank reports phishing attacks to appropriate regulatory agencies.

Within the bank, Miller reports to business lines about monthly fraud losses. Meanwhile, a cross-departmental team helps educate customer-facing employees and works with public affairs on customer education. It’s a many-fronted battle in a war that’s far from won.

Now that the ATMs have been hardened, phishers are going after online banking log-ons instead, and using the account access to do fraudulent fund transfers. There are also mounting concerns that if customers stop giving up information voluntarily, the phishers will start taking it instead, with technical approaches such as pharming. Fraudsters are an opportunistic lot. Banks are just trying to stay no more than a few steps behind.

But for now, at least, when a new attack targets Bank XYZ, the CISO is surprised for entirely different reasons than on that first chaotic day. “Today I came in and had a voice mail that we had a phish,” says Williams, 367 days after that first ugly scene. “I was like, Oh, we haven’t had one of those in a while.” There’s not much he has to do about it, either. There are no tense conference calls where people are asking for basic definitions. Everyone knows his or her job.

“We have confidence in the incident response process,” Williams says. “We defined how it should go, and it started working. And once you have a way to manage it, it no longer requires the CISO’s involvement.” The death of a phish doesn’t need to be extraordinary. It’s just in a day’s work.