Fighting fraud by baiting phishers

RSA Security's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want: a lot of usernames, passwords, online-banking credentials and credit card numbers.

Phishing occurs when cybercriminals set up fraudulent copies of a genuine Web site--usually of a financial institution--and try to lure customers of that organization into visiting the site and entering their login credentials and other personal details.

Unfortunately for the phishers, one of the techniques Cyota is using to help protect its banking customers is to pump such fraudulent Web sites with so many fake entries that the genuine details are harder to find, according to Naftali Bennett, senior vice president of consumer solutions at RSA and co-founder of Cyota, which was acquired by the security giant late last year.

Naftali Bennett

"The technique is called dilution: We generate a list of bogus credentials and feed the Web site with false usernames, passwords and credit card numbers. The fraudster may have obtained 30 genuine credentials out of 300--we are trying to make it less worthwhile and more risky for the fraudster," Bennett told ZDNet Australia on Thursday.

Dilution is just one of many weapons used by Cyota to help fight against fraud.

According to Bennett, RSA Cyota runs a command center that scans about 1.5 billion e-mails a day looking for new phishing attacks. When an attack is discovered, the company contacts the relevant ISPs to shut the phishing site down.

"The main thing we do is shut down the Web site. It may be hosted from 12 different locations--China, Seoul and Lithuania--but we get a real-time translator, contact the local ISP, and tell them we are calling from the bank; please shut it down," he said.

Having repeated this process about 15,000 times, Bennett claims that his company is getting rather good at it: "On average, the duration of a phishing site is about 6.5 days. With RSA Cyota, it is 5.5 hours--we really shorten the window of opportunity."

The information gathered by RSA Cyota will also be used by Microsoft in IE 7, the next version of its Internet Explorer browser. IE 7 will use Cyota's database of known phishing IP addresses to block access to fraudulent Web sites.

"We have cut a deal with Microsoft, AOL and other ISPs. Within minutes of discovering a phishing attack, we send Microsoft the IP address of the spoofed Web site. If, by mistake, you click on a (phishing) link, you will see a message telling you (that) you can't enter the Web site because it is a fraudulent one," Bennett added.

The technology gained by RSA when it acquired Cyota is also being used to provide banks with a risk-based authentication system that provides an "invisible" second layer of security.

The profiling system seems to be favored by banks for their mass market, low-value customers because it does not require relatively expensive tokens, which have for many years been employed by large banks to protect high-value customers and transactions.

Munir Kotadia of ZDNet Australia reported from Sydney.

[Peet42]

the "Kick a spammer in the nuts daily" idea

This has been going on for some time, and you can join in too!

http://thescambaiter.com/forum/showthread.php?t=5653

[n3td3v]

This is funny

Let me get this straight... "the experts" think they sift through the list of usernames and passwords maunally and manually test them to see if they are fake or not? lol, no. They have written up programs to scan the list of usernames, passwords and automatically check each one at each login to see if its fake or not. The process of checking 1000's of usernames, passwords takes a few seconds for the malicious user.

[n3td3v]

Although...

Thats the problem with the industry at the moment. They think "cyber criminals" are the ones doing the phishing and they think "hackers, programmers" are seperate from that. The industry really do see "phishers" as the "dumb criminals" with no "mind think". The phishers are the hackers, are the programmers...wake up industry, you're going to need to use something a lot more sophisticated than flooding a phisher with fake entries. It takes the malicious user some part of five minutes to modify their backend scripts to counteract such activity. While the front-end operation of sending some scam to someone via e-mail may seem "easy for the dumb criminal" to carry out. Theres a hidden expertise thats needed for the harvesting backend operation to make any phishing operation successful.

[BruceD13]

Not so easy as it seems. The only sure fire way for a scammer to detect bogus info is through IP addresses. If there are repeated entries from the same IP address, likely it is false info fed to them. However, if the phishing forms can be submitted from multiple IP addresses from a distributed system, or after logging out from an ISP and logging in again, or by any number of ways of attaching different IP addresses, then the IP addresses would be different and the false info would be hard to distinguish from "good" info. Everything else can be easily faked so that no program could distinguish true from false info. Anyone who could write a program that could do so, can make a lot more money programming than phishing. Ultimately, the solution is for the institutions to feed the phishers true but dummy info. Then when the phisher tries to use the info to withdraw money, the institution is alerted, and an arrest can be made. Once phishers start going to prison, phishing will stop.

[pbklm]

Sounds to me like maybe n3td3v might be working for the other side. Anyone who is working at stopping cyber criminals should be applauded not chastised. Just an observation from an employee of the other "big brother".

[n3td3v]

The elite RSA have cracked phishing at last

We'll send them 300 fake entries and only 30 will be legitimate. Oh these phishers are going to get so bored checking all of this manually. God, why didn't we think of this before. Thats the end of phishing now, the RSA have finally worked out how to beat these guys. *cough, cough, cough*

[Mister L]

Once again you mislead...

...in no way has RSA claimed to have cracked phishing, or stopped it. They are making it tougher on phishers, and that's a good thing. Other than some lightweight BS XSS vulns that you likely stole from a 15 year old skiddie, exactly what have you done the improve life on the net?

[vhanchon]

I don't know....

but it seems to me cutting the up time of the phishing sites from 6.5 days to 5.5 hours is a "good thing". If this dillution technique makes it so that much of that 5.5 hours is wasted sifting through erroneous data, that also is a "good thing". I am sure that they don't spoof on a 10:1 ratio, to be effective it would have to be on the order of a billion+ to 1 ratio, which seems plausible.

[n3td3v]

This is funny as well

And you don't think the phisher already has his site getting pinged every 5 minutes to make sure its still there. And if the ping reply doesn't feedback the key indicator text from the ping, then the script then deploys another site to launch, all automatically in a split second.

[Mister L]

It IS a good thing, n3td3v is just....

...up to his usual "I'll say anything about anyone if it gets me attention" thing again. RSA has in no way claimed to have stopped the phishers...they are doing what they can to narrow the window and make it tougher for them to be successfu. Very good things indeed.

[mcugaedu]

Go further - Poison their database

Instead of just giving invalid credit card numbers to phishers, they should go further. Set up rigged credit card numbers that will set off alarms if used, and poison the database with *that*.

In fact, I think every database of credit card numbers (or the like) should have maybe 10% "poison" mixed with it. As long as the database is used only for legitimate purposes, the alarms will never be set off because the "poison" accounts are never actually used. But a thief who gets the database will immediately give himself away.

[forsunny]

Better still

Use these bogus accounts/numbers/passwords to track the phishers who use them in real time, and thus be caught by the FBI, Interpol etc.

[forsunny]

Better still

Use these bogus accounts/numbers/passwords to track the phishers who use them in real time, and thus be caught by the FBI, Interpol etc.

[hadaso]

This can be used to launch a denial of service attack

This can be used to launch a denial of service attack by hosting phishing sites on shared IP space. (Not just free hosting. Phishers have access to stolen CC numbers, you know). Blocking access to websites based just on IP address being published on a single list is stupid. There are methods to quite easily identify the phishing site anmong all sites sharing the same IP address. So is IE7 going to be used by MS to convince people to host on whitelisted MSN?

If banks want their customers not to be victims of phishing they just have to recomend that customers dedicate an email address for communications with the bank and no other party (and they should not share this contact address with "selected partners").

Finally: what they should do with the info fed to phishers is not just "dilution", but use it to create a trail of money that leads to the real criminals behind the phishing sites. shortening the life span of a phishing site by a factor of 30 just means that the phishers would have to broaden their networks of compromised computers (botnets) by a similar factors, and this is what they'd do.

Dilution of email address space as a method to fight spam is good, however, and people should learn how to use disposable email addresses and spread them (see xoxy.net or sneakemail.com)

[rallynochaos]

Big Brother's Watching

Big Brother's watching and now in the new version of IE7 he will be telling you what sites you can and can not view.

"If, by mistake, you click on a (phishing) link, you will see a message telling you (that) you can't enter the Web site"

Sound like any other countries (China)? While it sounds like a good idea that they will be "protecting" you from the phishing websites, what happens when they being to "protect" you from other websites? Having this feature built into IE7 will allow Microsoft to keep you from accessing any website they deem dangerous. Is this a strategy to protect you or a plot to control your web experience?