Click the comments link on any story to see comments or add your own.
Subscribe to this blog
21 Aug 2009
On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past.
The goal of this suit is to identify the criminals behind a vast amount of theft through the ACH, the Automated Clearing House that handles direct deposits and electronic payments in the US. The pattern is that the bad guys install malware on the PC of company financial officers, and use it to make ACH transfers to money mules who then wire it out of the country.
Although the primary target of this suit is the crooks, an equally important subsidiary target is banks, who have consistently stonewalled attempts to learn about the extent of the losses the details of the scam, and what the banks are doing to deter it.
Bank stonewalling is not a new problem. Adam Brower wrote about his experience with one of them:
I can supply some perspective from my own experience. I noticed the article today, too, and spent some time nodding my head and clucking over my morning coffee.
For nearly a year, two years ago, I made it my personal mission to convince just one bank to aggressively pursue just one phisher. I did this, by the way, not as a representative of any anti-spam project, but as a citizen. I encountered the expected silence from a majority of the executives with whom I attempted to establish contact. From a very few others, I received polite thanks for my interest, advice to contact LEO, and from two of them, invitations to open accounts!
After months of such wheel-spinning, a door seemed to open. I received a thoughtful reply from a mid-level executive at a major New York-based bank. We exchanged emails for three weeks. After he accepted my very weak bona fides (I am, after all, far from expert in these matters, my sole strengths being doggedness and an occasional way with language) I sent him links to the wealth of investigative data available on the web, samples of phishing spam targeting his institution, background info on the rockphish phishing package Et al., and he lapped it up. I was astounded that so much of this was apparently news to a man in his position. We spoke on the phone three times, each time ending with agreement that the bank's enormous resources could and should be brought to bear against the crooks who were victimizing its customers and costing it unreported millions in losses each year. During the last call, he informed me that he intended to whiteboard, at a coming meeting, the entire body of stuff I had sent him, and to propose forming an internal task force to gather evidence against the malefactors and to contact and interface with LEO. Naif that I was, I was surprised when he hinted that there was institutional reticence when it came to providing reports of compromises to LEO. It's obvious to me now that the last thing in the world a big bank wants announced is the scale of their losses in this context, or the number of intrusions, but he seemed determined to stir the pot.
Subsequently, two weeks passed without a word. Email went unanswered. One day I called the office number on which we had spoken earlier. I was informed that Mr. Doe had left the firm. later, when I tried again, I was told that no-one by that name had ever worked there. Whether our conversations and his (supposed) departure were connected, who knows? Maybe he just decided to take his golden parachute, but it certainly could read like something from a Ludlum novel.
My other sites
© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.