As phishing attacks have grown, the defences and mysterious counter-measures have evolved. Uri Rivner, Head of New Technologies at RSA Cyota Consumer Solutions, tells a detective's story.

The following article is by Uri Rivner and has been reproduced on OUT-LAW from the RSA Security blog with Uri's kind permission.

In detective stories, one of the last things that the detective finds is the motive. Find the motive, and the whole plot is unveiled. I think the same applies to fighting fraud. When developing solutions against fraud, it's important to discover the motive, the root, the invisible reason behind the visible behavior of the fraudsters. Find the motive, and you're halfway to solving the crime. 

To illustrate this point, I'd like to talk about the evolution of anti-phishing services. Phishing wasn't the first type of fraud hitting online financial institutions; some keyloggers were already in use before phishing became a mainstream crime. The first reports of wide-scale email fraud came from Australia and Brazil, soon spreading to more lucrative targets – the US and the UK – and in late 2003 it became clear that the global financial industry was facing a new menace.

First to introduce "anti-phishing solutions" were anti-spam and brand monitoring companies. Anti-spam providers offered alert services based on scanning spam emails and finding specific keywords such as 'online banking', 'password', and the name of the targeted bank. Brand monitoring companies, who were already working with banks to fight unauthorised use of their logos and brand names, offered to extend the service to phishing and provide early detection of attacks. There's an interesting point to mention in this context: in the brand monitoring business, detection is vital. No-one is likely to call customer service in a panicked voice to report brand abuse, like people do when seeing a phishing email; the misuse can stick around for weeks or even months before a chance discovery – if you're lucky. So from a brand monitoring company's perspective, detection is everything.

The benefit of fast detection, of course, is that the bank will know about a phishing attack as soon as the emails are sent, and this minimizes the 'window of opportunity' for the bank's unsuspecting customers to hand over their credentials to the bad guys.

In these early days, however, the market did not offer any better solutions, so banks hit by phishing were happy to try these "anti-phishing solutions".

Here's an example. ABC Bank, an imaginary financial institution, is a new target for phishers:

Graph showing 0 attacks per month for 3 months, rising in the space of just 2 months to 10 attacks per month

The bank had no attacks, then experienced its first phishing attack (people in the IT Security department didn't sleep that night, you can be sure of that), and in the following months there were more and more attacks. At that point the bank felt ready to try a 'fast detection' solution.

The result was something like this:

Graph showing a continuation of the last trend, notwithstanding the introduction of 'Fast Detection'. 10 attacks per month rise to 25 attacks per month within a year.

Fast detection of the phishing attack didn't make a dent in the phishing wave. Here's why: According to the Anti Phishing Working Group, the average lifetime of an attack is 5.3 days (15-page / 1MB PDF). That's 127 hours. The lifetime consists of two phases: detection time and shut-down time. First you need to be aware of the attack, then you need to shut it down.

In most phishing attacks, vigilant and internet-savvy users call the bank's customer service and say there's something very phishy going on. Or they'll send an email to the bank's abuse box. If the bank has the correct procedures in place, the IT Security team will learn about a phishing attack shortly after these alerts. From speaking to banks that we work with, the average detection time span, therefore, is four hours.

So even if you deploy the best detection system this side of the galaxy, you'll only carve a few hours off the attack's lifetime. From an average of 5.3 days you can go down to five. This won't bother the fraudsters at all: the attack will be live long enough for any potential victim to deliver his credentials to the spoofed site.

Don't get me wrong: detection has its merits. It's good to know about the attack before people call your customer service; you can control and contain the situation better. But effective anti-phishing strategies are all about depriving the fraudsters of profit or increasing their efforts and risks. If there's no profit in attacking your FI (financial institution), they'll start attacking another FI. Since early detection doesn't really change anything, there is no resulting change in profit or risk, and hence no driver for fraudsters to take their business elsewhere.

So this wasn't "it". Banks that contracted alert-providers sensed that something was missing… that they weren't actually getting a valuable service… and that their real problem was this: how can we shut down the attacks faster?

If shutting down phishing attacks seems straightforward, think of the following scenario:

You are the IT Security manager of Bank Exemplar, an imaginary bank in Europe. It's a minute after midnight when your pager breaks the news: the bank is under attack. Your deputy is already at the IT centre, reporting a massive assault. There are three email variants: the first email variant points the user to an IP that belongs to a botnet-controlled PC in Canada; the second variant points to a news site in Peru whose web server was compromised; while the third directs the user to a hijacked school network in China. At the other end of the links waits a website that has a devilish resemblance to the real Bank Exemplar online banking site.

The shut-down process commences. In our specific case it may look like this:

  • Bank Exemplar contacts the local Computer Emergency Response Team (CERT);
  • The local CERT contacts the central police in China;
  • The police in China approach the local authorities in the Guangdong province where the attack is hosted; and
  • The local authorities finally contact the ISP and instruct a shut-down.

As you can imagine, such a process takes days to complete. No wonder the official world average for phishing attack shut-down is over 5 days. And it's not just about bureaucracy: there's also the task of getting the ISP's cooperation. That in itself is far from a trivial matter.

The ISP in Canada needs to be convinced that the PC in Vancouver, belonging to a respectable customer who is always paying her bills, is indeed a zombie machine; only then will it suspend the internet account so the fraud site hosted on that PC will be disabled. The ISP in Peru doesn't really want to upset their paying customer, the news website, even if someone did breach the site's server and it is now hosting a phishing attack. And the ISP in China is an even harder nut to crack: the guy responsible for the 'Abuse Department' only speaks Cantonese and never responds without a written request.

The examples I give here are quite typical; that's what our own Anti Fraud Command Center (AFCC) has to cope with on a daily basis. And it's not like the ISP people just wait for the AFCC to call. Someone from Telefonica, the largest internet provider in Spain, told me that they handle over 100,000 email inquiries every month. Of course, only a fraction of those relate to fraud or phishing; the majority are just regular communications going to the Network Operations Center. To be successful in quickly shutting down an attack on Bank Exemplar, you'll need to make sure this inquiry is given top priority, or else it will simply be submerged in a huge pile of other non-priority complaints.

OK… you get the picture. Shutting down the attack – the number one priority for the bank during a phishing attack – is quite complex. Which is why the next step in the evolution of anti-phishing solutions was concentrated on shut-down services. Not all banks subscribed: some financial institutions built in-house operations for handling phishing attacks. But many financial institutions decided to outsource this operation. If the service is good, shut-down can be very fast: the median lifetime of attacks handled by the Anti Fraud Command Center is somewhere around 5–6 hours.

Our imaginary bank now has a fast shut-down service and has managed to reduce the attack lifetime from days to hours on average. Will this be enough to stop the phishing wave? Let's see…

Graph showing 0 attacks per month for 3 months, rising in the space of just 2 months to 10 attacks per month. The trajectory continues, but this time, when Fast Shut Down is implemented 2 months later, the rate falls somewhat, down to 6 attacks per month within 4 months.

Hmmm… it certainly did more good than simple fast detection. The window of opportunity for fraudsters to collect customers' credentials gets narrower; most potential victims get a broken link when clicking on the URL in the fraudulent email. But – and this is key – the phishing doesn't go away. Some fraudsters select easier targets, but others continue to attack and may even increase the frequency of attacks in order to harvest more credentials. There's still money to be made, even if you need to double your efforts.

It was for this reason that we decided to develop some proactive counter-measures that 'strike back' and directly impact the business case of the fraudsters. I'm not talking about denial of service or anything like that; that is a very dangerous game to play. It's something else, designed to make phishers think twice before attacking a protected bank. It leverages the intrinsic vulnerability of the phishing supply chain, which is basically built on trust. Local crime rings drive the demand, but they depend on international fraudsters (whom they don't know in person) to come up with the goods.

I'll have to be a bit mysterious about the exact nature of these counter-measures; loose lips sink ships and all that. The general idea is to dilute the quality of data collected during the attack.

Suffice to say that when the phishing fraudster attempts to sell his wares to the local crime ring, they're not going to be happy with the goods. Not at all.

In fact they'll be so furious that they'll go to the fraud forum and bad-mouth the dishonest source that sold them the credentials. This is the last thing a phisher wants. He will lose a reputation that has been painstakingly built up over time, and may be kicked out of the forum that he laboured so hard to get into.

The result of deploying such a strategy is very visible:

Graph shows that, when effective pro-active measures are applied, phishing attacks per month drop to zero.

Phishing levels will drop dramatically after a few weeks, as fraudsters understand that they've been scammed by the bank. Supply will dwindle, and word will spread that the bank isn't fun to attack anymore.

Looking back at the progress we've made in the last few years, it's clear that we have come a long way. Today we know more than we ever did about online fraudsters, their dynamics and their motives. Anti-fraud solutions have got better and better as we have understood more about why fraudsters behave the way they do.

And so, like in every Hollywood film, the story has a happy ending.

Er… Not quite.

You see, supply-side counter measures are not a sustainable strategy. As long as the demand-side exists, and the only thing separating the local crime ring from their loot is the lack of credentials, a way will be found to obtain them. It might be a more advanced form of phishing, stronger and more resilient than its predecessor; or it might be something else, like hard-to-kill Trojans. So at some point in the future, our ABC bank may face a new online threat:

Graph shows that when effective pro-active measures are applied, phishing attacks per month drop to zero - but begin again after about 8 months.

How can we effectively impact the demand-side? Well, I guess that's a topic for one of the next posts. It certainly helps to know the dynamics of fraud, and the motives, in order to find the right solutions.

I'll end with one additional note. Paradoxically, the more we use our knowledge of online fraudsters, the more we force them to adapt and evolve. This has a very clear implication: our battle with online fraud is going to be a long, long campaign. Our reaction will cause counter-reaction; our moves will trigger counter-moves. Following the development of phishing techniques demonstrates this well, but the truth is that the arms race we've seen so far is a pale shadow of what we're going to see in the coming years.

But that's what we're all here for. We're the good guys. We're giving the online fraudsters a good fight, and we'll continue to do so for as long as it takes.

RSA Cyota Consumer Solutions is a division of RSA Security Inc. Uri Rivner is responsible for moving new technologies and innovations from concept to reality. He was a key player in the development of risk-based authentication and various anti-fraud solutions that are currently in use by nine of the top 12 banks in North America and the UK.