Click the comments link on any story to see comments or add your own.
Subscribe to this blog
21 Aug 2009
On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past.
The goal of this suit is to identify the criminals behind a vast amount of theft through the ACH, the Automated Clearing House that handles direct deposits and electronic payments in the US. The pattern is that the bad guys install malware on the PC of company financial officers, and use it to make ACH transfers to money mules who then wire it out of the country.
Although the primary target of this suit is the crooks, an equally important subsidiary target is banks, who have consistently stonewalled attempts to learn about the extent of the losses the details of the scam, and what the banks are doing to deter it.
Bank stonewalling is not a new problem. Adam Brower wrote about his experience with one of them:
I can supply some perspective from my own experience. I noticed the article today, too, and spent some time nodding my head and clucking over my morning coffee.
For nearly a year, two years ago, I made it my personal mission to convince just one bank to aggressively pursue just one phisher. I did this, by the way, not as a representative of any anti-spam project, but as a citizen. I encountered the expected silence from a majority of the executives with whom I attempted to establish contact. From a very few others, I received polite thanks for my interest, advice to contact LEO, and from two of them, invitations to open accounts!
After months of such wheel-spinning, a door seemed to open. I received a thoughtful reply from a mid-level executive at a major New York-based bank. We exchanged emails for three weeks. After he accepted my very weak bona fides (I am, after all, far from expert in these matters, my sole strengths being doggedness and an occasional way with language) I sent him links to the wealth of investigative data available on the web, samples of phishing spam targeting his institution, background info on the rockphish phishing package Et al., and he lapped it up. I was astounded that so much of this was apparently news to a man in his position. We spoke on the phone three times, each time ending with agreement that the bank's enormous resources could and should be brought to bear against the crooks who were victimizing its customers and costing it unreported millions in losses each year. During the last call, he informed me that he intended to whiteboard, at a coming meeting, the entire body of stuff I had sent him, and to propose forming an internal task force to gather evidence against the malefactors and to contact and interface with LEO. Naif that I was, I was surprised when he hinted that there was institutional reticence when it came to providing reports of compromises to LEO. It's obvious to me now that the last thing in the world a big bank wants announced is the scale of their losses in this context, or the number of intrusions, but he seemed determined to stir the pot.
Subsequently, two weeks passed without a word. Email went unanswered. One day I called the office number on which we had spoken earlier. I was informed that Mr. Doe had left the firm. later, when I tried again, I was told that no-one by that name had ever worked there. Whether our conversations and his (supposed) departure were connected, who knows? Maybe he just decided to take his golden parachute, but it certainly could read like something from a Ludlum novel.
16 Aug 2009
Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer that watches the keystrokes you type, the mouse clicks you make, and the windows that appear on your screen, sends them back to bad guy HQ, and even adds or substitutes its own keystrokes and mouse clicks in a way that you can't easily detect.
I like Verisign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.
We can usefully distiguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.
None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you.
The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank. so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)
It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together.
09 Aug 2009
In a discussion about a recent denial of service attack against Twitter, someone asked
Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?Sure, but you're not going to like it.
04 Aug 2009
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.