July 18, 2005 4:00 AM PDT

Between phishers and the deep blue sea

Gavin Reid, trying to shut down a phishing Web site, found one thing was making the job that much harder: The attack was coming from India.

Businesses in that country were finishing up for the day when he arrived for work at his U.S.-based employer. That made coordination difficult for Reid, leader of a security incident response team at a Fortune 500 technology company, as he scrambled to fix the problem for a customer.

"By the time we reached the right contact, it was too little, too late," said Reid, who also serves as a project leader for the Forum of Incident Response & Security Teams. "Three days had passed, and with phishing attacks, much of the damage occurs in the first day."

When an attack is launched from overseas, time zones and language barriers can add a layer of complexity to quickly resolving the threat. These hurdles are becoming more of a problem as hackers target industry-identified soft spots such as China and Korea as a base for global attacks. And while security response bodies and law enforcement agencies are cooperating in the fight, there's still more that can be done to coordinate, experts say.

The stakes are high. Companies can find their operations sidelined for days and their reputation tarnished after suffering an onslaught from a worm like Sasser, a denial-of-service attack, or a phishing scam that attempts to steal sensitive information from their customers.

All that translates into a financial loss for companies and organizations in the United States, which last year saw viruses cost them $55 million and denial-of-service attacks $26 million, according to a survey of corporations, government agencies, financial and medical institutions, and universities conducted by the Computer Security Institute and the FBI.

The source of these problems is often a network of "zombies," or compromised PCs that can be controlled remotely and sometimes without their owners' knowledge. Miscreants can create or hire armies of thousands of these PCs and use them to launch massive onslaughts of spam, virus and denial-of-service attacks, for example.

What can companies do?
Here are suggested measures to take as threats move from one region of the world to another.

• Create a computer security incident response team for the company.

• If resources are lacking to create a company CSIRT, designate one person or a group to take responsibility for security efforts.

• Keep security patches and antivirus software up to date.

• Enable traffic-flow logging on routers (the flow-export feature, such as NetFlow, that records which hosts talked to which, on what ports, when, and how much). That record is what lets a company trace the origin of intrusions and anomalies after the fact.

Source: Forum of Incident Response and Security Teams
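Once flow logging is on, the records have to be queried quickly during an incident. The following is an added example, not code from the article or from FIRST: it parses a handful of constructed NetFlow-style records (exported here in a simple comma-separated form, with the `192.0.2.0/24` corporate range and all addresses assumed for illustration) and answers the two questions the article's cases raise: which external sources hammered a victim service, and which internal hosts look like spam-sending zombies.

```python
"""Triage constructed router flow records to trace an attack's origin.

Added example; not code from the original article or from FIRST. It assumes
flow logging (NetFlow-style export) is enabled on the border router and the
records have been exported to a comma-separated text form.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed records: start, src, dst, proto, sport, dport, packets, bytes.
# 192.0.2.10 is the public web server; 192.0.2.55 is a workstation that is
# talking SMTP directly to many outside hosts, the usual footprint of a zombie.
FLOWS = """\
2005-07-14T09:00:01,203.0.113.7,192.0.2.10,tcp,3344,80,6,420
2005-07-14T09:00:01,203.0.113.7,192.0.2.10,tcp,3345,80,6,420
2005-07-14T09:00:02,203.0.113.7,192.0.2.10,tcp,3346,80,5,360
2005-07-14T09:00:02,198.51.100.23,192.0.2.10,tcp,40001,80,6,420
2005-07-14T09:00:02,198.51.100.23,192.0.2.10,tcp,40002,80,6,420
2005-07-14T09:00:03,198.51.100.23,192.0.2.10,tcp,40003,80,5,360
2005-07-14T09:00:03,198.51.100.23,192.0.2.10,tcp,40004,80,5,360
2005-07-14T09:00:05,198.51.100.77,192.0.2.10,tcp,51000,80,12,9800
2005-07-14T09:01:00,192.0.2.55,203.0.113.200,tcp,1025,25,8,2100
2005-07-14T09:01:01,192.0.2.55,198.51.100.9,tcp,1026,25,8,2100
2005-07-14T09:01:02,192.0.2.55,203.0.113.201,tcp,1027,25,8,2100
2005-07-14T09:01:03,192.0.2.55,198.51.100.10,tcp,1028,25,8,2100
2005-07-14T09:01:04,192.0.2.55,203.0.113.202,tcp,1029,25,8,2100
2005-07-14T09:02:00,192.0.2.20,198.51.100.25,tcp,1100,25,10,4400
"""

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed corporate range


def parse_flows(text):
    """Turn the exported text into a list of flow dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, proto, sport, dport, pkts, nbytes = line.split(",")
        flows.append({"start": start, "src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def sources_hitting(flows, dst, dport):
    """Flows per source toward one victim service, heaviest first.

    These addresses are what you hand to the upstream ISP or foreign CSIRT
    when asking for a takedown, so keep the list short and ranked.
    """
    counts = Counter(f["src"] for f in flows
                     if f["dst"] == dst and f["dport"] == dport)
    return counts.most_common()


def suspected_zombies(flows, min_peers=3, dport=25):
    """Internal hosts opening direct sessions on `dport` to many distinct
    external hosts. Workstations normally relay mail through one server, so
    SMTP fan-out from a desktop is a strong sign it is part of a botnet.
    Returns {internal host: number of distinct external peers}.
    """
    peers = defaultdict(set)
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if f["dport"] == dport and src in INTERNAL and dst not in INTERNAL:
            peers[f["src"]].add(f["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("sources hitting the web server:")
    for src, n in sources_hitting(flows, "192.0.2.10", 80):
        print(f"  {src:16} {n} flows")
    print("suspected spam zombies:", suspected_zombies(flows))
```

Real NetFlow exports are binary and are normally collected with a tool such as nfdump or flow-tools; the parsing here stands in for whatever that collector emits. The thresholds (three distinct SMTP peers) are illustrative and would be tuned to the site's normal traffic.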

China and the United States regularly swap out top billing as the country where the most zombies can be found, according to figures from CipherTrust. Last week, China accounted for 21 percent of new zombies, while the United States had 17 percent and South Korea 6.8 percent, the e-mail security company said.

China and South Korea both have high broadband penetration but minimal use of security software by companies and consumers in those countries, said David Jevans, chairman of the Anti-Phishing Working Group. That makes them a soft spot for those looking to create zombie networks, also known as "botnets."

"There are certain companies that pay a fraction of a penny for every computer that gets loaded with adware. So, for some people, hacking into 4,000 computers to make $200 is not attractive. But in developing nations, $200 is good money," said the Forum of Incident Response & Security Teams' Reid.

Eastern Europe, which has steep unemployment combined with a highly educated IT work force, is one of those breeding grounds for cybercrime, security experts said.

Impact on companies
The effects of such activities weigh greatly on companies, especially financial institutions, which rely on customer confidence. Exchange Bank, a Santa Rosa, Calif.-based community bank, has experienced phishing and pharming attempts, most of which originated overseas, said Bob Gligorea, an information security officer at the company. Both types of attack try to glean passwords and other sensitive personal information from customers by luring them to Web sites that impersonate trusted providers; phishing does it with deceptive e-mail links, while pharming tampers with DNS or the victim's hosts file so that even a correctly typed address resolves to the impostor site.

In an effort to stem such security threats, Exchange Bank has taken several steps, from using intrusion prevention systems, to contracting with Internet Security Systems for managed security services, to outsourcing its electronic banking services. The bank is currently in talks with its electronic banking partner about using technology to test customers' PCs for active viruses and Trojan horses, Gligorea said.

Other methods to fight back are also being tried out. Some companies have taken the stance of blacklisting Internet service providers whose networks they suspect are heavily infected with zombies, said Chris Rouland, the chief technology officer at Internet Security Systems.

But the Anti-Phishing Working Group's Jevans noted that it's difficult to get ISPs in some countries to shut down one of their customers.

"China and Korea have been the hardest to have an ISP or domain name registrar take down a site," Jevans said. "There are some registrars in China that don't have a contact number, so you can't even call them."

Given that, the announcement last month that China had joined an international effort to beat spam, the London Action Plan on Spam Enforcement Collaboration, was welcomed as a significant step forward.

The Forum of Incident Response & Security Teams, which serves as a global clearinghouse for incident response teams in corporations, government agencies, universities and organizations, has a number


2 comments

ISP's responsibility and liability
I firmly believe that ISPs bear a heavy weight of responsibility in this problem of "zombies". When phishing attacks have become such a threat to legitimate business interests, the legal system needs to impose some burdens on the players most central to the problem. ISPs have the capability of passively monitoring their client activity for this problem and should be obligated to do so, and to take positive measures such as requiring infected clients to take action if they want to stay connected. Clients, though often less equipped to deal with technical matters, should be given clear directives from their ISP about how to deal with their problem, including buying software required by the ISP, and should be held liable for material losses caused by phishing emanating from their machine if they don't carry out the prescribed fixes. There should be no mercy for ISPs or clients who don't meet the obligation to keep their traffic clean.
Posted by Razzl (1318 comments )