Security Watch | Matt Hines » Don't be a phishing vigilante

December 13, 2007

Don't be a phishing vigilante

If you talk to any law enforcement official about the idea, they'll tell you time and time again that it almost never pays to take the law into your own hands.

Apparently the same rules apply in the world of cyber-crime.

While there have been some funny examples of people who have gone to great lengths to hoodwink phishers and other online fraudsters -- and some people have even turned the pursuit into a full-time hobby -- new research shows that playing games with the cyber-thieves just might not be a good idea.

According to experts with Cyveillance, a company hired by large banks, pharmaceutical companies and ISPs to keep an eye out for emerging attacks -- including phishing campaigns -- a lot of people seem to think it's fun to click through to fraudulent sites these days to taunt the URL's operators by using their online forms to curse them out.

Rather than providing their personal information, these people find joy in filling in the forms with expletives and other forms of derisive invective.

However, as you might have already guessed, merely by pointing their browsers to the phishing sites, many of these users are getting nailed by drive-by exploits that target holes in the applications, Cyveillance officials said.

"Sometimes we're able to get into the back end databases behind these phishing sites, and it's remarkable how many people click the e-mail, go to the site, and then start filling in the forms with curses and insults against the scammers," said Todd Bransford, vice president of marketing at Cyveillance.

"But, from what we can tell a good percentage of those people are being infected by malware that's being delivered by the sites themselves in the background," he said. "They probably wouldn't think it was that funny at all if they knew what was really going on."

In addition to using blended attacks, such as phishing sites that are distribution points for zero-day exploits, attackers are also getting savvier about the timing of their campaigns, Bransford said.

For instance, Cyveillance tracked a 300 percent increase in phishing attacks over the Thanksgiving weekend in November, compared to the average number of phishing attacks seen in the previous week.

According to the company -- which does everything from taking down phishing sites for banks to pursuing people selling counterfeit drugs for pharmaceutical companies -- the uptick in activity is specifically aimed at getting as much mileage as possible out of the threats during the timeframes when the people hired to stop them aren't at work.

As phishers move away from targeting customers of larger companies and focus more of their efforts on smaller credit unions and online retailers, the "weekender" tactic may prove even more efficient, the company maintains, as those diminutive businesses are far less likely to have anyone on call to watch out for attacks.

Bransford said the firm expects to see similar threats carried out over the upcoming holiday season, especially with Christmas falling on Tuesday this year, giving attackers an extended 4-day weekend to spread their nefarious forms of cheer.

Cyveillance said it first noticed the trend this summer over the 4th of July and Labor Day weekends.

"Basically these people know that smaller service providers and banks don't have people working over the weekend, so, there's no one in the office to do anything about the attacks," Bransford said. "This is just another example of how innovative and thoughtful some of the smarter attackers are getting in finding ways to carry out their campaigns; they keep refining their techniques like any good marketers would to go undetected longer and find new ways to victimize people."

And while many different technologies and services have been launched with the aim of filtering out more phishing-laden spam e-mails further upstream, such as pattern-matching tools used by ISPs and other carriers, Cyveillance maintains that phishers are still having a field day by easily circumventing the signature-based formats utilized in most of those applications.

Overall, it would seem that until filtering technologies improve, or end users finally get the message, phishing attacks will continue to catch plenty of suckers.

"We've been dealing with this problem for almost five years now, and it's pretty amazing that with all the consumer education programs that are out there the problem only seems to be getting worse," Bransford said. "People just don't seem to be getting it, and I'm not sure what else the industry can do to harden consumers against the problem."

Posted by Matt Hines on December 13, 2007 12:22 PM


  • COMMENTS




Dear Sirs

Interesting article. However, I take exception to your notation of those of us who have turned this into a 'full time hobby'.
While Cyveillance and other expert companies are working hard to protect corporations and banks against phishing attacks, individuals are left to fend for themselves.
Individuals who cannot afford the services of such companies, and who have been victims of such attacks, seem to have nowhere to turn for help except to those 'hobby' sites.
While I agree 'playing games with cyber-thieves' may not be a good idea, I also never considered my volunteer work at these 'hobby' sites a game.
These sites, and the volunteers who donate their time to helping others, are fighting the same battle as our commercial counterparts; the only differences are the customer base and the fees charged.
"People just don't seem to be getting it, and I'm not sure what else the industry can do to harden consumers against the problem."
One thing they could do is support our efforts. By helping these 'hobby' sites stay online.

Posted by: Jim Stables at December 14, 2007 09:28 AM

OK, I've been getting some feedback re the link to CastleCops and feel the need to clarify a bit.

I really only included the link to their site because they're the best example of an organized group going about this sort of infiltration and takedown approach to fighting phishing.

To be fair, it is far from a "hobbyist" operation. More like it is made up of real IT sec pros who want to help take out some of the baddies in their free time, which is a really cool effort in general.

The post itself was aimed more at individual consumers who seem to feel that they can frustrate the phishers by filling out their forms with curses and the like, but who are getting infected by drive-bys (as highlighted in the advice/research of Cyveillance).

My intent was not at all to discourage CastleCops or take anything away from what they do; I personally think it is a really admirable and cool thing that they do. So, I'm pulling the link and apologize to any of the fine people involved with CastleCops. Again, my intent was not to detract from or discourage their efforts (or imply that Cyveillance had done so).

Thanks, and sorry for the confusion! (it's good to know people are actually clicking on those links though!)

Rock on CastleCops!

Matt Hines

Posted by: Matt Hines at December 14, 2007 09:56 AM

I second Jim's statement about CastleCops being a "full-time hobby". The CastleCops database is the most widely accessible, publicly available, source of information about phishing on the net today, and the PIRT Handlers (people who volunteer their time on the Phishing Incident Reporting and Termination Squad) offer a unique perspective about phishing to both the security research community and the victim brands.

Each bank typically looks at phish only for their brand. Each professional shutdown company has terms of service which prevent them from sharing data between customers, or publishing their results.

A PIRT Handler, by contrast, looks at dozens or even hundreds of different brands each week, and can share a quite unique viewpoint with the banks and law enforcement agents who rely on that viewpoint to help catch criminals.

Other CastleCops volunteers do the same sort of work in anti-spam, anti-spyware, and anti-malware, hunting down the websites that are hosting viruses, and helping hundreds of thousands of home users to remove malware from their home computers.

It might be a "hobby", but it's certainly the most important and useful hobby I can imagine. I hope your readers will evaluate whether their own "hobby time" would be more usefully spent on watching television, or helping their fellow citizens on the Internet clean up the neighborhood.

_-_
Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Proud PIRT Handler

Posted by: Gary Warner at December 14, 2007 10:48 AM

While there is some debate as to how many phishing sites are harboring drive-by downloads (and how well the retaliators filling out the forms have protected themselves from the possibility), a more important issue is that law enforcement does sometimes gain access to back end databases -- and uses that information to try to mitigate the harm to the victims who have given their personal information on the sites. A lot of fake data just makes that job more difficult.

Posted by: AlphaCentauri at December 14, 2007 11:17 AM

Thank you for removing the aforementioned link and references. I'd just like to say that in my opinion this article is more of a somewhat windy advertisement for Cyveillance, than news.

Granted, it's important to point out that Phisher Bashing is definitely a foolhardy pursuit, and a stupid way to get infected, but a proper news article would make reference to more than one commercial service.

It also reminds me of the old arguments about which is better, payware or freeware, when both are developed by experts. Security boards which provide free services to take down phishing and malware sites are not vigilantes, since they are working in close cooperation with law enforcement.

Part of the take downs requires the assistance of the police. Whether you pay for it or get it for free, you are using the best services provided by real security experts.


Larry Stevenson
Co-author: Rootkits For Dummies, 2007
Microsoft MVP - Windows Security - 2006 & 2007

Posted by: Larry Stevenson at December 14, 2007 12:00 PM
