Between phishers and the deep blue sea

Scams involving fake e-mail and Web sites are increasingly originating overseas, making them harder to trace and block.

Dawn Kawamoto, Staff Writer, CNET News
Gavin Reid, trying to shut down a phishing Web site, found one thing was making the job that much harder: The attack was coming from India.

Businesses in that country were finishing up for the day when he arrived for work at his U.S.-based employer. That made coordination difficult for Reid, leader of a security incident response team at a Fortune 500 technology company, as he scrambled to fix the problem for a customer.

"By the time we reached the right contact, it was too little, too late," said Reid, who also serves as a project leader for the Forum of Incident Response & Security Teams. "Three days had passed, and with phishing attacks, much of the damage occurs in the first day."


What's new:
When a security attack is launched from overseas, time zones and language barriers make it harder for companies to deal with it. This is becoming more of a problem as hackers target soft spots such as China as a base for attacks.

Bottom line:
While security response bodies and law enforcement agencies are cooperating in the fight, there's still more that can be done to coordinate, experts say.

When an attack is launched from overseas, time zones and language barriers can add a layer of complexity to quickly resolving the threat. These hurdles are becoming more of a problem as hackers target industry-identified soft spots such as China and Korea as a base for global attacks. And while security response bodies and law enforcement agencies are cooperating in the fight, there's still more that can be done to coordinate, experts say.

The stakes are high. Companies can find their operations sidelined for days and their reputation tarnished after suffering an onslaught from a worm like Sasser, a denial-of-service attack, or a phishing scam that attempts to steal sensitive information from their customers.

All that translates into a financial loss for companies and organizations in the United States, which last year saw viruses cost them $55 million and denial-of-service attacks $26 million, according to a survey of corporations, government agencies, financial and medical institutions, and universities conducted by the Computer Security Institute and the FBI.

The source of these problems is often a network of "zombies," or compromised PCs that can be controlled remotely, usually without their owners' knowledge. Miscreants can build or rent armies of thousands of these PCs and use them to launch massive onslaughts of spam, viruses and denial-of-service attacks, for example.

What can companies do?
Here are suggested measures to take as threats move from one region of the world to another.

• Create a computer security incident response team for the company.

• If resources are lacking to create a company CSIRT, designate one person or a group to take responsibility for security efforts.

• Keep security patches and antivirus software up to date.

• Enable the data collection (traffic logging) feature on routers to record which hosts communicate with which on the network. This lets companies trace the origin of intrusions and spot anomalies.

Source: Forum of Incident Response and Security Teams

China and the United States regularly swap out top billing as the country where the most zombies can be found, according to figures from CipherTrust. Last week, China accounted for 21 percent of new zombies, while the United States had 17 percent and South Korea 6.8 percent, the e-mail security company said.

China and South Korea both have high broadband penetration but minimal use of security software by companies and consumers in those countries, said David Jevans, chairman of the Anti-Phishing Working Group. That makes them a soft spot for those looking to create zombie networks, also known as "botnets."

"There are certain companies that pay a fraction of a penny for every computer that gets loaded with adware. So, for some people, hacking into 4,000 computers to make $200 is not attractive. But in developing nations, $200 is good money," said the Forum of Incident Response & Security Teams' Reid.

Eastern Europe, which has steep unemployment combined with a highly educated IT work force, is one of those breeding grounds for cybercrime, security experts said.

Impact on companies
The effects of such activities weigh greatly on companies, especially financial institutions, which rely on customer confidence. Exchange Bank, a Santa Rosa, Calif.-based community bank, has experienced phishing and pharming attempts, most of which originated overseas, said Bob Gligorea, an information security officer at the company. Both types of attack try to glean passwords and other sensitive personal information from customers by setting up Web sites that pretend to belong to trusted providers.

In an effort to stem such security threats, Exchange Bank has taken several steps, from using intrusion prevention systems, to contracting with Internet Security Systems for managed security services, to outsourcing its electronic banking services. The bank is currently in talks with its electronic banking partner about using technology to test customers' PCs for active viruses and Trojan horses, Gligorea said.

Other methods to fight back are also being tried out. Some companies have taken the stance of blacklisting Internet service providers that they suspect have networks heavily infected with zombies, said Chris Rouland, the chief technology officer at Internet Security Systems.

But the Anti-Phishing Working Group's Jevans noted that it's difficult to get ISPs in some countries to shut down one of their customers.

"China and Korea have been the hardest to have an ISP or domain name registrar take down a site," Jevans said. "There are some registrars in China that don't have a contact number, so you can't even call them."

Given that, the announcement last month that China had joined an international effort to beat spam, the London Action Plan on Spam Enforcement Collaboration, was welcomed as a significant step forward.

The Forum of Incident Response & Security Teams, which serves as a global clearinghouse for incident response teams in corporations, government agencies, universities and organizations, has a number of suggestions for combating international threats. For example, FIRST advises companies to create a computer security incident response team, or at least dedicate one person to take overall responsibility for protection.

In addition, FIRST's Reid suggested that companies not only keep their security patches and antivirus software up to date, but also enable the data collection feature on their routers, which records which hosts talk to which on the network and lets them trace an intrusion back to its source and spot anomalies.
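The sidebar and Reid's advice both describe using router traffic records to trace an intrusion; the following is an added example of what that trace looks like in practice, not code from the article, FIRST or any of the companies named. It assumes the router's data collection feature exports flow records that have been dumped to text as `<timestamp> <src>:<port> -> <dst>:<port> <proto> <bytes>`, that the corporate address space is 10.0.0.0/8, and that the sample records are constructed for illustration (the public addresses are documentation ranges). Given a host known to be compromised, it finds the earliest inbound connection from outside (the likely entry point), the internal hosts that machine then contacted (lateral spread), and any internal host fanning out to many external addresses, which is the spam- or scan-bot pattern the article describes.

```python
"""Trace an intrusion back through router flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address space

# Assumed export format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: 10.1.1.20 is hit from outside on port 445, then probes
# two neighbours and starts talking to many external mail servers.
SAMPLE = """
1000 10.1.1.5:51234 -> 203.0.113.7:443 tcp 5120
1005 198.51.100.9:4444 -> 10.1.1.20:445 tcp 81920
1010 10.1.1.20:50001 -> 10.1.1.21:445 tcp 4096
1012 10.1.1.20:50002 -> 10.1.1.22:445 tcp 4096
1020 10.1.1.20:50010 -> 192.0.2.1:25 tcp 2048
1021 10.1.1.20:50011 -> 192.0.2.2:25 tcp 2048
1022 10.1.1.20:50012 -> 192.0.2.3:25 tcp 2048
1023 10.1.1.20:50013 -> 192.0.2.4:25 tcp 2048
1030 10.1.1.5:51240 -> 10.1.1.20:445 tcp 1024
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse exported records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(int(m["ts"]), m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["proto"], int(m["bytes"])))
    return sorted(flows, key=lambda f: f.ts)


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def trace_entry(flows: list[Flow], victim: str):
    """Earliest inbound connection from outside to the victim: the likely entry point."""
    for f in flows:  # flows are time-ordered
        if f.dst == victim and not is_internal(f.src):
            return f
    return None


def lateral_targets(flows: list[Flow], victim: str, after_ts: int) -> list[str]:
    """Internal hosts the victim contacted after the entry: candidates for spread."""
    return sorted({f.dst for f in flows
                   if f.src == victim and f.ts >= after_ts and is_internal(f.dst)})


def fanout_anomalies(flows: list[Flow], threshold: int) -> dict[str, int]:
    """Internal hosts talking to at least `threshold` distinct external hosts."""
    dests = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    entry = trace_entry(flows, "10.1.1.20")
    print("entry point:", entry)
    print("lateral targets:", lateral_targets(flows, "10.1.1.20", entry.ts))
    print("fan-out anomalies:", fanout_anomalies(flows, threshold=4))
```

The fan-out threshold is the tunable part: on a real network it should be set from a baseline of normal outbound behaviour per host role, since a mail relay legitimately contacts many external hosts while a workstation does not.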

Organizations are also urged to join security groups such as FIRST, or a Computer Emergency Readiness Team, to share information on security threats, Reid said. Such trade and international groups are working to bridge the gap in fighting cybersecurity threats on a worldwide basis.

Members of FIRST, for example, share information on specific threats and vectors, as well as addressing security topics and solutions, Reid said. An organization in Sweden might e-mail the forum with a warning that it is noticing a rise in a particular type of hacking method from an ISP, for example, Reid said. And IBM might then add to the e-mail discussion with a notice that it has seen a similar method used but with 50 different ISP addresses.

International rescue
Law enforcement agencies are also working to thwart malicious hackers, but impediments stand in their way.

If Brazil wanted to obtain information on a customer of an ISP overseas, it could rely on international treaties and courts to approve such seizure of information, said Paulo Quintiliano, who heads the Brazilian Federal Police's computer crime unit. But that could take anywhere from six months to two years, he noted.

So two years ago, Quintiliano started a project to speed the investigation and prosecution process of cybercriminals.

"If a Brazilian commits a crime in the U.S., the FBI can send me a log from the ISP. Based on this, I do my own investigation and ask the ISP to break the secrecy. From this, I can find the criminal (in Brazil)," Quintiliano said. "Rather than wait two years, I can get the information I need in two weeks."

Brazil, where banks have lost $70 million in the past two years to keyloggers, is working with the United States and Spain using this technique, Quintiliano said.

The National Hi-Tech Crime Unit in the United Kingdom works with the FBI, the Secret Service and the U.S. Postal Service on cyberinvestigations, as well as with other countries' cybercrime units, said Felicity Bull, a spokeswoman for the NHTCU. The British organization has cooperated with Russian law enforcement officers on an investigation into an extortion attempt against an online betting company, Bull said. The NHTCU coordinated with the Russian authorities and arrested five people.

"The Internet is a global place, so we can't sit in isolation," Bull said.

Law enforcement agencies, trade groups and companies around the world are trying a multitude of methods to mitigate the problem of attacks coming from abroad. These measures range from automatically filtering out incoming e-mail from certain regions of the world to laying the groundwork for tightening global coordination to fight cyberattacks.

These efforts should add muscle to businesses as they work to tackle threats from overseas. But another factor to take into account is that attacks are becoming more sophisticated and more efficient as organized crime moves into hacking. One security expert said that in the future, it won't be enough to just take on viruses and attacks one at a time.

"You have to solve the motivation for the crime," said Lance Spitzner, president of the HoneyNet Project. "Three years ago, hackers were hacking for the fame. Now, hackers are hacking to get rich. It's not so much a security issue. It's a crime issue now."