Fighting Fraud by Baiting Phishers
By Munir Kotadia, ZDNet Australia
RSA Security's Cyota division is helping fight phishing attacks by
giving the online fraudsters what they want: a lot of usernames,
passwords, online-banking credentials and credit card numbers.
Phishing occurs when cybercriminals set up fraudulent copies of a
genuine Web site -- usually of a financial institution -- and try to
lure customers of that organization into visiting the site and
entering their login credentials and other personal details.
Unfortunately for the phishers, one of the techniques Cyota is using
to help protect its banking customers is to pump such fraudulent Web
sites with so many fake entries that the genuine details are harder to
find, according to Naftali Bennett, senior vice president of consumer
solutions at RSA and co-founder of Cyota, which was acquired by the
security giant late last year.
"The technique is called dilution: We generate a list of bogus
credentials and feed the Web site with false usernames, passwords and
credit card numbers. The fraudster may have obtained 30 genuine
credentials out of 300 -- we are trying to make it less worthwhile and
more risky for the fraudster," Bennett told ZDNet Australia on
Dilution is just one of many weapons used by Cyota to help fight
According to Bennett, RSA Cyota runs a command center that scans about
1.5 billion e-mails a day looking for new phishing attacks. When an
attack is discovered, the company contacts the relevant ISPs to shut
the phishing site down.
"The main thing we do is shut down the Web site. It may be hosted from
12 different locations -- China, Seoul and Lithuania -- but we get a
real-time translator, contact the local ISP, and tell them we are
calling from the bank; please shut it down," he said.
Having repeated this process about 15,000 times, Bennett claims that
his company is getting rather good at it: "On average, the duration of
a phishing site is about 6.5 days. With RSA Cyota, it is 5.5 hours --
we really shorten the window of opportunity."
The information gathered by RSA Cyota will also be used by Microsoft
in IE 7, the next version of its Internet Explorer browser. IE 7 will
use Cyota's database of known phishing IP addresses to block access to
fraudulent Web sites.
"We have cut a deal with Microsoft, AOL and other ISPs. Within minutes
of discovering a phishing attack, we send Microsoft the IP address of
the spoofed Web site. If, by mistake, you click on a (phishing) link,
you will see a message telling you (that) you can't enter the Web site
because it is a fraudulent one," Bennett added.
The technology gained by RSA when it acquired Cyota is also being used
to provide banks with a risk-based authentication system that provides
an "invisible" second layer of security.
The profiling system seems to be favored by banks for their mass
market, low-value customers because it does not require relatively
expensive tokens, which have for many years been employed by large
banks to protect high-value customers and transactions.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
For more headlines and news reports, please check out:
[TELECOM Digest Editor's Note: This is an old, old trick, but still it
works pretty well. I did the same thing quite a number of years ago,
when I was helping someone with a BBS which was absolutely a fraud-hive
(but he wanted to get rid of it all, however the hackers kept calling up
his phone line.) I helped him put a 'backdoor' thing in his code, and
pointed it to a bogus file of alleged 'credit card numbers' and
'telephone calling card numbers'. Then I took a big, giant, humongous
core file which was labled 'mother of all cores' and stuck it in
there. (What had happened earlier was something I was working on, I
forget what, had dumped core -- a few million bytes of it -- that's
why I kept it and called it 'mother of all cores'). I gave it an
innocent looking name and buried it all inside that directory, which
I labled 'warez'. Then I put a 'secret password' on that file, and a
real elaborate looking scheme one had to bust through to get into the
so-called 'warez' and 'credit card numbers'.
We then went onto the 'hackers BBS' (under a phalse name) and I put up
a real tempting looking honey pot for them: "Hey, Doodz! There is a
whole load of fresh calling card numbers on the First Choice system
ANdover 3-0001." The message I left told them 'the secret word' to
break out of the BBS program and get to the shell; (actually a quite
restricted rshell) and the password at that level to log in, and the
'file name' to look for. That night there were at least a dozen guys
over there snooping around. We sat there all evening watching them
call in, break out to the shell, and download that hellish looking
file (which at 300-1200 baud download took them a couple hours easily.)
Then, the next morning I abolished the back door out of the BBS
program and eliminated the r-shell account entirely. That gave them
something to play around with for a few hours, all of them
enthusiastic with high hopes, I imagine. PAT]