Phishing : The Real Picture

Almost gone are the days when banks were robbed by a bunch of mean looking guys with ram trucks, balaclavas, guns, and get-away cars, holding staff and innocent customers hostage.

Prospective robbers now face armed security guards, anti-ram protection, bullet-proof glass, tainted money, silent alarms, exploding dye packs, SWAT teams, helicopters with infra-red search tools, movement-triggered GPS units – all designed specifically to keep crooks from stealing banks’ and customers’ money.

Under the old order big-shot criminals robbed banks, while muggers robbed customers. Now the big-shots have discovered there is no need to rob the bank at all: they can rob customers “digitally”, both individually and en masse.

When almost no-one is able to do anything to stop these fraudulent attacks, we have a serious problem. The crime is called phishing. It is the near-perfect Internet bank robbing heist, and at present, alarmingly, there is a very limited chance of the crooks being caught. I want to focus on one phishing gang, who are now among the world’s most active and successful criminals: we at the global security watchdog E-Secure-IT have dubbed them the “Rocky Gang”.

The record to date suggests that no legal or law enforcement agency can stop these cyber criminals attacking bank customers. Worse, banks are threatened and blackmailed if they try to stop fake criminal websites impersonating them, and in return, the criminals render real banking websites inaccessible.

The experience of an Australian Bank in October last year demonstrates how far the Rocky Gang seem to have financial institutions at their mercy.

Stung by a series of phishing attacks from this particularly virulent group, the bank attempted to take out their enemies by remotely disabling their on-line activities.

Rocky’s answer was a massive on-line flood of data, a fully orchestrated Distributed Denial of Service (DDoS) campaign, deliberately engineered to disable the bank’s Internet operations. Business was savagely disrupted for three days.

This DDoS attack probably cost the Australian bank many times its phishing losses and further damaged a reputation already tarnished earlier in the year by a scam email campaign claiming the bank was going to the wall.

And the phishers are continuing their attacks on this and many other banks, hammering millions of banking customers, damaging the whole global concept of online banking and causing £-billions of damage.

Since September 2005 the Rocky Gang has transformed opportunistic phishing attempts from amateurish emails full of spelling mistakes, which used to yell out their fakeness, into a well-oiled, professional machine.

There is a lot of confusion and misunderstanding in the IT-Security world about the Rocky Gang’s phishing attacks. Some believe there is a so-called “Rocky Phishing Kit” for sale on the internet for any party interested in making money by launching phishing attacks. E-Secure-IT don’t believe this is so, and over the months hard evidence has been compiled that multiple attacks are performed by only this one group alone.

A highly organised criminal gang, operating out of Russia, the Rocky Gang’s takings in 2006 are estimated at more than US$150 million. Although the names of the actual leaders are known and their methods read like a signature, western legal and law enforcement bodies are hamstrung, just like British police who are being thwarted in their attempts to pursue the murderers of poisoned ex-KGB man Alexander Valterovich Litvinenko. Arresting citizens of the Russian Federation is impossible because of the Russian Constitution.

Rocky’s chosen banking hunting grounds are fertile and global. They run a full-time operation with at least twelve staff, rolling out a minimum of three concurrent phishing attacks a week and sending out millions and millions of scam emails pretending to be from real banks.

Since January 2006 they have attacked banking customers of (but not limited to): APO Bank, Alliance and Leicester, ANZ, Banorte, Barclays, BNZ, ByBank, Cahoot, CaixaPenedes, cc-bank, Citibank, Commbank, Commerzbank, Commonwealth Bank, CPNL, Credem Creval, Deutsche Bank, Dresdner Bank, Fifth Third Bank, Fineco, Gruppo Carige, Halifax, HSBC, Hypovereigns Bank, Lloyds TSB, Macquarie Bank, MBNA Europe, NAB-National Australia Bank, Nationwide Building Society, NCUA, NWOLB, Postbank, RasBank, RBS Digital, Royal Bank of Scotland, Santander, ScotiaBank, Suncorp Internet Banking, UniCredit, Volksbank, and the Westpac Corporation.

The Rocky Gang makes use of huge botnets, perhaps some of the largest in the world, switching servers and targets like we change our socks, only more often. A botnet consists of a mass of individual PCs, invaded by “Trojans” which give the criminals remote control and enable them to group the PCs and use them as servers to issue millions of scam emails.

To give you a feel of the gang’s power and reach, in August 2006 Rocky targeted NatWest and the Bank of Scotland in the UK. According to BlackSpider Technologies, a huge botnet of 20,000 “herded” PCs sent out 8.1 million emails within 24 hours.

Fluent in many languages, including English, German, French, Spanish and Italian, the Rocky Gang constructs totally convincing emails and websites. The phishing text itself is carried as an image embedded in the email, so that spam-catching software has no words to scan. The email also contains filler text set in the same colour as the background: various nonsense paragraphs copied from books. These words are invisible to the human eye, but spam filters “read” them without registering the colour match and, seeing ordinary prose, judge the message not to be spam.
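The two tricks just described (the real message carried in an embedded image, and filler prose hidden by matching its colour to the background) are both visible to a filter that looks at colour and image-to-text ratio rather than at the words alone. The following is an added example, not code from the article or from E-Secure-IT: a small Python heuristic built on the standard library’s HTML parser. The two email bodies it scans are constructed samples, and the thresholds (a 40-character minimum of visible text) are an assumption chosen for illustration.

```python
"""Heuristic scan for image-only emails carrying colour-hidden filler text.

Added example (not the article's own tooling). It flags two tell-tales:
  * text whose foreground colour equals the page background (invisible
    to a reader, "readable" to a naive word-based spam filter);
  * a body that contains images but almost no visible text.
"""
import re
from html.parser import HTMLParser

# Assumed: only a couple of named colours are needed for the samples.
_NAMED = {"white": "#ffffff", "black": "#000000"}
_VOID = {"img", "br", "hr", "meta", "link", "input"}   # tags that never close


def norm_colour(value):
    """Normalise 'White', '#FFF' and '#ffffff' to the same string."""
    v = _NAMED.get(value.strip().lower(), value.strip().lower())
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:                                   # expand short hex form
        v = "#" + "".join(ch * 2 for ch in m.group(1))
    return v


def colour_from_style(style, prop_pattern):
    """Pull a colour value for a CSS property out of an inline style string."""
    m = re.search(prop_pattern + r"\s*:\s*([^;]+)", style or "", re.I)
    return norm_colour(m.group(1)) if m else None


class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.background = "#ffffff"   # assumption: white page unless <body> says otherwise
        self.stack = []               # inherited foreground colour per open element
        self.visible_chars = 0
        self.hidden_chars = 0
        self.images = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style", "")
        if tag == "body":
            bg = colour_from_style(style, r"background(?:-color)?")
            if not bg and a.get("bgcolor"):
                bg = norm_colour(a["bgcolor"])
            if bg:
                self.background = bg
        if tag == "img":
            self.images += 1
        if tag in _VOID:
            return                        # void tags get no stack entry
        # '(?<![-\w])color' avoids matching the tail of 'background-color'.
        fg = colour_from_style(style, r"(?<![-\w])color")
        if tag == "font" and a.get("color"):
            fg = norm_colour(a["color"])
        self.stack.append(fg or (self.stack[-1] if self.stack else None))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # '<img/>' must not pop the parent

    def handle_endtag(self, tag):
        if tag not in _VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        n = len(data.strip())
        if not n:
            return
        fg = self.stack[-1] if self.stack else None
        if fg == self.background:
            self.hidden_chars += n        # same colour as the page: a reader cannot see it
        else:
            self.visible_chars += n


def scan(html):
    """Return counters plus the heuristic flags raised for one HTML body."""
    p = HiddenTextScanner()
    p.feed(html)
    p.close()
    total = p.visible_chars + p.hidden_chars
    flags = []
    if p.hidden_chars:
        flags.append("hidden_text")
    if p.images and p.visible_chars < 40:   # assumed threshold
        flags.append("image_only_message")
    return {"visible_chars": p.visible_chars, "hidden_chars": p.hidden_chars,
            "images": p.images,
            "hidden_ratio": round(p.hidden_chars / total, 2) if total else 0.0,
            "flags": flags, "suspicious": bool(flags)}


# Constructed sample: the visible notice is an image, the prose is whited out.
PHISH_SAMPLE = """<html><body bgcolor="#FFFFFF">
<p><img src="cid:notice.gif" alt=""></p>
<p><font color="white">It was the best of times, it was the worst of times,
it was the age of wisdom, it was the age of foolishness.</font></p>
<p style="color:#fff">Call me Ishmael. Some years ago, never mind how long.</p>
</body></html>"""

# Constructed sample: ordinary visible text with a logo image.
LEGIT_SAMPLE = """<html><body>
<p style="color:#333">Your monthly statement is ready. Sign in from your own
bookmark, never from a link in an email, to view it.</p>
<p><img src="cid:logo.png" alt="bank logo"></p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, scan(body))
```

Run over the two samples, the scanner raises both flags for the first body (all of its text is hidden, and the only visible content is an image) and none for the second. Real filters combine many such signals; the point here is that colour and layout are evidence in their own right, independent of the words.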

But the grace-note of Rocky’s modus operandi – the link in the chain which enables them to convert their harvested data into hard cash and evade capture – is the gang’s development and grooming of Money Mules as a way to launder money.

The typically susceptible mule is, say, a single mother with a couple of youngsters, surviving on benefits and using a PC and internet connection to aid her children’s education and to keep herself up to speed with the outside world and in touch with friends and relations.

One day she opens her inbox and finds this:

Exciting Job Offer:

- You don’t need any experience
- You don’t need to make any advance payments
- This job won’t take much of your time.

Your range of duties will include:

Receiving payments for the ordered stocks and bonds from the Global Austrian Syndicate clients (private individuals) to your bank account; and withdrawing the funds and transferring them further to our brokers in one of the countries where the desirable stocks and bonds should be bought. The transfer should be done by the means of Western Union or Money Gram services to fasten the process of the delivery of the funds. Your SALARY is 8% commission out of every deposit that you receive to your bank account

That’s just one example of millions of suckering emails in circulation. Sham company names used in attempts to recruit money mules include Athens Financial Group, Norden United, EcoLife, Swiss Invest, Trigon Austria, Austrian Syndicate, River Partners, Tollis, UK Modulus Invest Co, AMC Solutions Inc, and Norway Consulting.

And for the single mother, strapped for cash, it looks safe and it sounds simple. What’s to lose?

The answer is, everything: ignorant Mules receive stolen money directly into their bank accounts, unaware that it’s been siphoned from a phishing victim’s funds; the mules send their own (or their bank’s) money to the phishing gang, using services like Western Union, MoneyGram or PayPal. The stolen money, easily traced by the police force that follows it, is then a problem for the Money Mule, and not the phishing gang.

What can banks do? Their losses are probably at the rate of a couple of millions per attack, although E-Secure-IT knows of cases where $535,000 was stolen from a single account.

Banks are notoriously tight-lipped and reluctant to cooperate or exchange information with their competitors. So each bank is an island when it comes to IT-security incidents, and they tend to do nothing beyond reimbursing victims. That’s one reason why the Rocky Gang gets away with daylight – and moonlight – robbery.

Not one IT-Security Company, national or institutional Computer Emergency Response Team (CERT), legal body or government department in the world has been able to stop the “Rocky” phishing attacks. Not one Law Enforcement Agency in the world has been able to nail them down. So the Rocky Gang and the me-too imitators who are springing up continue, unchallenged, to zero-in on ever more bank customers, to blackmail banks, and to lure unsuspecting low-income earners to enrol, unwittingly, as their money mules.

Just how reluctant the banks are to get involved in prevention is underlined by the experience of a group of UK computer scientists who invented software which would seek out phishing sites while they were under construction and destroy them before they had a chance to operate.

“We went to every bank in the UK,” one of the scientists recalled. “All the Heads of IT were incredibly enthusiastic. However, all the Legal Heads vetoed the idea, because they said banks stood a much higher chance of being sued by customers if they tried and failed to stop a phishing attack than if they did nothing and were ‘taken by surprise’.

“The truth is simply that on-line banking is an incredibly insecure way of doing business.”

Having invested billions of pounds in on-line services in order to shut branches, reduce headcounts, and boost profits, banks are believed to be reluctant to disclose the true cost of phishing, not least for fear of precipitating a massive consumer backlash at a time when more than half a million UK customers a year are already turning away from Internet banking.

But E-Secure-IT believes that Internet criminals in the first half of 2006 alone robbed British banks and their customers of at least £310-million – over 13-times more than the £22.5-million figure recently published by APACS, the UK payments trade association.

The huge probable extent of the fraud emerges from an analysis of APACS’ own statistics – which show that “phishing” attacks increased by a staggering 1471 per cent in the UK during 2006 – collated with data from the United States.

In the USA, where obligations on banks to publish accurate information are more stringent, average 2006 losses expressed per head of population are placed at $4.82. The British banks’ total fraud figure of £22.5-million yields per capita losses of only $0.70, which we at E-Secure-IT reckon must be a considerable understatement.

Meanwhile in the USA, where financial losses from phishing frauds in 2006 are reported to be over $2.8-billion, there are mounting calls for intervention.

“Financial companies have until now avoided taking on phishers in a serious way, because it’s cheaper and simpler to pay the costs of fraud,” says U.S. technology guru Bruce Schneier. “That’s unacceptable, because consumers who fall prey to these scams pay a price that goes beyond financial losses in inconvenience, stress and, in some cases, blots on their credit reports which are hard to eradicate.”

So what can be done?

Public education hasn’t worked; despite repeated warnings from the banks – despite, in the case of some ISPs, daily warnings on-line – people are still falling for phishing scams, which are getting ever more sophisticated.

Better and more secure authentication may be one possible answer: most banks whose customers are the phishers’ quarry still use an old fashioned "User ID/ Password" system of authentication.

In comparison, most Dutch banks now deploy one-time password generators – physical calculator-style machines. However, the phishers are already testing new fraudulent methods to circumvent these security measures, as a recent attack on Citibank customers showed.

Taking out the Money Mules: prospective Money Mules need to be made aware of the risk they are running. Government campaigns should stress that mules will receive stolen money, that they will pay the phishers with their own money, and that banks will demand the stolen money back, helped by local police forces.

However, the same public education problem applies. If banking customers still continue to be lured into email phishing tricks, potential mules will, through the same human flaw, continue to be lured into the criminals’ net by promises of easy cash.

Prevent money conversion opportunities: although systems like PayPal or E-Gold are increasingly coming into the phishers’ orbit, the most widely used money conversion method is via Western Union or MoneyGram.

Rules around international money transport and conversion have been tightened a little, but companies like Western Union base their businesses on simple global money transport.

Global law needs to be put in place to govern transmissions securely and effectively - but changes in the near future seem very unlikely.

Leave it to the banks? That would only work if backed up by law. It’s the solution proposed by Bruce Schneier, who wants all the responsibility for identity theft to be pushed onto financial institutions. Only then, he argues, will phishing go away.

“If there’s one general precept of security policy that is universally true,” Schneier says, “it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk.

“Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won’t work.”

However, at E-Secure-IT we believe the only effective solution will be found through international co-operation between Law Enforcement Agencies (LEAs) and National or Institutional Computer Emergency Response Teams.

Membership of, for instance, FIRST (www.first.org), the international, non-profit Forum of Incident Response and Security Teams now covers the emergency response teams from 180 corporations, government bodies, universities and other institutions across the Americas, Asia, Europe and Oceania.

FIRST is working to complete its global network and draw in law enforcers, with Britain’s Serious Organised Crime Agency (SOCA) among those planning to join. But disparities of approach and policy between LEAs and Computer Emergency Response Teams (CERTs) may be difficult to reconcile.

At FIRST’s 2006 conference, Jeffrey Carpenter of the CERT Co-ordination Centre at Carnegie Mellon University pointed out that CERTs focus exclusively on the “what” and “how” of incidents, while Law Enforcers are exercised by the “who” and “why”.

Martijn van der Heide, Security Officer at KPN-Netherlands elaborated: “CERT teams want to solve problems right here, right now, if possible within ten minutes and be done with them. Law enforcers want to take more time to collect evidence, piece things together, and get an arrest. If there is a botnet, we want to take it down immediately. The LEAs might want to leave it for weeks or months to trace the culprits.”

Recognising the urgency of finding a compromise, FIRST has formed a special interest group to provide an arena for LEAs and CERTs to seek common ground, and the subject will get high priority at its annual conference in June this year in Seville, Spain.

IT-Security is a frustrating, reactive business. Experts will concede that they are two or even three years behind in their ability to rise to the technical challenges of the latest attacks.

Phishers grab opportunities because they can. Because the current state of the Internet, legal enforcement, and banking systems let them. Because customers let them. Because ignorant, needy or greedy money mules let them.

The scary thing is that organised criminal cyber-gangs may be meeting right now in some Moscow strip-club, ordering up another magnum of champagne to celebrate last year’s growth and increased turnover, before moving down the agenda and devising new and more sophisticated scams and schemes for 2007.

Hopefully global co-operation between banks, LEAs, global forums and organisations and private IT Security Firms, combined with truly global and persistent awareness campaigns aimed towards the public – both potential victims and mules – may give us some time and breathing space to prepare for “next generation” attacks that will no doubt start to come way before we are ready.

Arjen de Landgraaf is the founder and designer of the Global IT Security Early Warning Risk Management and Business Intelligence service, E-Secure-IT. More information can be found at the E-Secure-IT website, although it most likely will now be DDoSed by the Rocky Phishing Gang. :) In that case you can still contact Arjen personally at arjen.de.landgraaf@gmail.com. Unless Rocky takes Google out too…