Between phishers and the deep blue sea

Scams involving fake e-mail and Web sites are increasingly originating overseas, making them harder to trace and block.

Gavin Reid, trying to shut down a phishing Web site, found one thing was making the job that much harder: The attack was coming from India.

Businesses in that country were finishing up for the day when he arrived for work at his U.S.-based employer. That made coordination difficult for Reid, leader of a security incident response team at a Fortune 500 technology company, as he scrambled to fix the problem for a customer.

"By the time we reached the right contact, it was too little, too late," said Reid, who also serves as a project leader for the Forum of Incident Response & Security Teams. "Three days had passed, and with phishing attacks, much of the damage occurs in the first day."


What's new:
When a security attack is launched from overseas, time zones and language barriers make it harder for companies to deal with it. This is becoming more of a problem as hackers target soft spots such as China as a base for attacks.

Bottom line:
While security response bodies and law enforcement agencies are cooperating in the fight, there's still more that can be done to coordinate, experts say.


When an attack is launched from overseas, time zones and language barriers can add a layer of complexity to quickly resolving the threat. These hurdles are becoming more of a problem as hackers target industry-identified soft spots such as China and Korea as a base for global attacks. And while security response bodies and law enforcement agencies are cooperating in the fight, there's still more that can be done to coordinate, experts say.

The stakes are high. Companies can find their operations sidelined for days and their reputation tarnished after suffering an onslaught from a worm like Sasser, a denial-of-service attack, or a phishing scam that attempts to steal sensitive information from their customers.

All that translates into a financial loss for companies and organizations in the United States, which last year saw viruses cost them $55 million and denial-of-service attacks $26 million, according to a survey of corporations, government agencies, financial and medical institutions, and universities conducted by the Computer Security Institute and the FBI.

The source of these problems is often a network of "zombies," or compromised PCs that can be controlled remotely and sometimes without their owners' knowledge. Miscreants can create or hire armies of thousands of these PCs and use them to launch massive onslaughts of spam, virus and denial-of-service attacks, for example.

What can companies do?
Here are suggested measures to take as threats move from one region of the world to another.

• Create a computer security incident response team for the company.

• If resources are lacking to create a company CSIRT, designate one person or a group to take responsibility for security efforts.

• Keep security patches and antivirus software up to date.

• Enable the data collection feature on routers to get information on the movement of people on the network. This will let companies trace the origin of intrusions and anomalies.

Source: Forum of Incident Response and Security Teams
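The last suggested measure above relies on flow records exported by routers (NetFlow-style data). The following added example, which is not from the article or from FIRST, shows the kind of analysis a small response team can run over such records to spot where an intrusion or anomaly originates. The flow export format, the internal address range (10.0.0.0/8), the allowlisted ports and the sample records are all constructed assumptions for the demonstration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed corporate address range
COMMON_PORTS = {25, 53, 80, 443}         # assumed allowlist of expected outbound ports


def _row(ts, src, dst, dport, nbytes):
    # Helper to build one constructed record in the assumed export format.
    return f"{ts},{src},{dst},{dport},tcp,{nbytes}"


# Constructed flow export (ts,src,dst,dport,proto,bytes), not real traffic:
#  - 10.0.5.17: a few normal HTTPS flows to an internal server
#  - 10.0.5.23: one host touching 12 consecutive ports on an external host
#  - 10.0.5.42: repeated small flows to one external host on port 6667
SAMPLE_FLOWS = "\n".join(
    ["ts,src,dst,dport,proto,bytes"]
    + [_row(f"2005-05-01T09:00:{i:02d}", "10.0.5.17", "10.0.1.10", 443, 4096)
       for i in range(3)]
    + [_row(f"2005-05-01T09:01:{i:02d}", "10.0.5.23", "198.51.100.8", 20 + i, 60)
       for i in range(12)]
    + [_row(f"2005-05-01T09:{m:02d}:00", "10.0.5.42", "203.0.113.9", 6667, 120)
       for m in range(2, 12)]
)


def parse_flows(text):
    """Parse the CSV export into a list of dicts with numeric port and byte fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def find_anomalies(flows, scan_ports=10, repeat_flows=8):
    """Return {source_ip: [reasons]} for sources whose flows look anomalous.

    Two simple heuristics:
      * many distinct destination ports on one host from one source (scan-like)
      * many repeated flows from one source to one external host on a port
        outside the allowlist (the kind of traffic a remotely controlled
        "zombie" PC produces)
    """
    ports_per_pair = defaultdict(set)       # (src, dst) -> distinct destination ports
    flows_per_endpoint = defaultdict(int)   # (src, dst, dport) -> flow count
    first_seen = {}                         # src -> earliest timestamp, to aid tracing

    for f in flows:
        ports_per_pair[(f["src"], f["dst"])].add(f["dport"])
        flows_per_endpoint[(f["src"], f["dst"], f["dport"])] += 1
        first_seen.setdefault(f["src"], f["ts"])

    findings = defaultdict(list)
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            findings[src].append(
                f"{len(ports)} distinct ports probed on {dst} (scan-like), first seen {first_seen[src]}")
    for (src, dst, dport), n in flows_per_endpoint.items():
        if (n >= repeat_flows
                and ip_address(dst) not in INTERNAL
                and dport not in COMMON_PORTS):
            findings[src].append(
                f"{n} repeated flows to external {dst}:{dport} (possible bot traffic), first seen {first_seen[src]}")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in sorted(find_anomalies(parse_flows(SAMPLE_FLOWS)).items()):
        for reason in reasons:
            print(f"{src}: {reason}")
```

The thresholds are deliberately coarse; in practice they are tuned against a baseline of the network's normal traffic, and the first-seen timestamp is what lets the team hand a precise window to the ISP or CSIRT on the other end.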

China and the United States regularly swap out top billing as the country where the most zombies can be found, according to figures from CipherTrust. Last week, China accounted for 21 percent of new zombies, while the United States had 17 percent and South Korea 6.8 percent, the e-mail security company said.

China and South Korea both have high broadband penetration but minimal use of security software by companies and consumers in those countries, said David Jevans, chairman of the Anti-Phishing Working Group. That makes them a soft spot for those looking to create zombie networks, also known as "botnets."

"There are certain companies that pay a fraction of a penny for every computer that gets loaded with adware. So, for some people, hacking into 4,000 computers to make $200 is not attractive. But in developing nations, $200 is good money," said the Forum of Incident Response & Security Teams' Reid.

Eastern Europe, which has steep unemployment combined with a highly educated IT work force, is one of those breeding grounds for cybercrime, security experts said.

Impact on companies
The effects of such activities weigh greatly on companies, especially financial institutions, which rely on customer confidence. Exchange Bank, a Santa Rosa, Calif.-based community bank, has experienced phishing and pharming attempts, most of which originated overseas, said Bob Gligorea, an information security officer at the company. Both types of attack try to glean passwords and other sensitive personal information from customers by setting up Web sites that pretend to belong to trusted providers.

In an effort to stem such security threats, Exchange Bank has taken several steps, from using intrusion prevention systems, to contracting with Internet Security Systems for managed security services, to outsourcing its electronic banking services. The bank is currently in talks with its electronic banking partner about using technology to test customers' PCs for active viruses and Trojan horses, Gligorea said.

Other methods to fight back are also being tried out. Some companies have taken the stance of blacklisting Internet service providers that they suspect have networks heavily infected with zombies, said Chris Rouland, the chief technology officer at Internet Security Systems.

But the Anti-Phishing Working Group's Jevans noted that it's difficult to get ISPs in some countries to shut down one of their customers.

"China and Korea have been the hardest to have an ISP or domain name registrar take down a site," Jevans said. "There are some registrars in China that don't have a contact number, so you can't even call them."

Given that, the announcement last month that China had joined an international effort to beat spam, the London Action Plan on Spam Enforcement Collaboration, was welcomed as a significant step forward.

The Forum of Incident Response & Security Teams, which serves as a global clearinghouse for incident response teams in corporations, government agencies, universities and organizations, has a number
