It is a dark and rainy day in Southern Bulgaria. Two men take seats in front of their computers and begin to key information into the system. And so begins another phishing attack on a U.S. financial institution.
The numbers are quite astounding and the attacks are getting more and more sophisticated. In July 2005 alone there were 14,135 incidents reported to the Anti-Phishing Working Group (www.antiphishing.org). Even though the recent trend has been downward, this amounts to 456 attacks reported to the APWG each day of the month. Do you know how to report an attack to this group? Right, neither do I, so the actual number of attacks is certain to be many times higher than 14,135.
Here are some additional statistics from the APWG:
Over the last six months, from 65 to more than 100 brands were attacked each month. As noted above, in the most recent reported month, 71 different organizations were attacked. The attackers, mostly from outside the United States, are predominantly using U.S.-based ISPs to host the pseudo-site. It is astonishing that it takes an average of nearly six days to recognize that an attack is under way, locate the pseudo-site and have the site shut down. With the reach of computers, the Internet and email, a great deal of damage can occur in six days.
Recently a Cornerstone client was the focus of just such an attack. The bank’s staff showed their true GonzoBanker attitudes by quickly identifying the threat and removing it in a short period of time. The result minimized the potential damage to the bank’s reputation and its customers’ assets. On a recent Friday, the Bulgarians began their attack. Following are the details of the attack, how the bank responded, and what it learned.
9:15 AM
A bank customer, after receiving a phishing email, dialed the bank’s call center to determine if the email was legitimate. He was suspicious of the message due to the many misspellings and poor grammar. After discussing the contents of the message with bank personnel, the caller was informed that the bank never sends emails asking for a user ID or password. The caller was asked to expand the email’s message header and forward it to the call center representative.
9:26 AM
Upon receipt of the suspicious email, the call center representative determined it to be a hoax, then contacted his manager and sent the email to him. The manager printed the email and took it to the bank’s CIO to alert him to the attack.
9:30 AM
Several IT staff members were assembled to examine the email and to look at the suspect site. They went to the designated links in the email and discovered the Bulgarians had created a very good copy of their legitimate Web site. Additional staff were contacted and a Computer Security Incident Response Team (CSIRT) was assembled. They began working to help identify the attacker and determine how to respond to the incident.
10:00 AM
Last year, the bank contracted with a computer forensics company to be available for any type of computer fraud incident. The company was contacted, and it immediately assigned a technician to assist bank personnel.
Law enforcement (FBI) was notified of the attack. The immediate response was “someone will call you back.”
10:30 AM
Three different Internet Protocol (IP) addresses were identified by the forensics technician. Each link pointed to the primary IP address, which then forwarded the request to one of two other addresses. Whoa! The attackers are load balancing to keep throughput at high levels. One of the identified ISPs was located in the Midwest. Bank personnel called the ISP to report the situation. ISP personnel verified that the site they were hosting was presenting the bank’s Web pages. They immediately shut down the site. A manager at the ISP also informed the bank that the account had been opened at 7:00 AM that morning and was paid for with a stolen credit card! Logs of all traffic to the pseudo-site were promised to the bank.
11:00 AM
Traffic logs from the first identified site were received and evaluated by bank CSIRT personnel. They determined that 20 individuals had gone to the site and two had given their user IDs and passwords. In addition, they noted that every 30 seconds, exactly on the minute, a message from a Bulgarian-based IP address queried the site and collected any captured information. Apparently an automated service was harvesting information as soon as it was entered into the site.
CSIRT staff noticed in the reported traffic that the email addresses were mostly from a local university. Those not from the university were typically from other colleges or universities across the United States. With this information, it appears that an email list was either purchased or stolen from a student, staff or faculty member of the local university. It was this list that formed the basis of the attack.
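To show the kind of traffic-log analysis the CSIRT did on the pseudo-site, here is an added example that is not from the bank or this article: it parses constructed Apache-style access log lines, counts distinct visitors and credential submissions to the login page, and flags any source that polls the site at a near-constant interval, the signature of the automated harvester described above. The log lines, addresses (documentation ranges) and paths are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of the pseudo-site's access log (Apache common log format).
# Addresses are documentation ranges, not the real attackers' or victims' IPs.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2005:09:30:12 -0500] "GET /login.htm HTTP/1.1" 200 4120
198.51.100.7 - - [12/Aug/2005:09:30:30 -0500] "GET /collect.php HTTP/1.1" 200 12
203.0.113.10 - - [12/Aug/2005:09:30:55 -0500] "POST /login.htm HTTP/1.1" 302 0
198.51.100.7 - - [12/Aug/2005:09:31:00 -0500] "GET /collect.php HTTP/1.1" 200 64
203.0.113.22 - - [12/Aug/2005:09:31:17 -0500] "GET /login.htm HTTP/1.1" 200 4120
198.51.100.7 - - [12/Aug/2005:09:31:30 -0500] "GET /collect.php HTTP/1.1" 200 12
203.0.113.35 - - [12/Aug/2005:09:31:44 -0500] "GET /login.htm HTTP/1.1" 200 4120
203.0.113.35 - - [12/Aug/2005:09:31:58 -0500] "POST /login.htm HTTP/1.1" 302 0
198.51.100.7 - - [12/Aug/2005:09:32:00 -0500] "GET /collect.php HTTP/1.1" 200 64
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def analyze(log_text, login_path="/login.htm", min_polls=3):
    """Reproduce the CSIRT's three findings: who visited, who submitted, who harvested."""
    visitors, submitters = set(), set()
    times_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _ = rec
        times_by_ip[ip].append(ts)
        if path == login_path:
            visitors.add(ip)
            if method == "POST":          # a form submission = credentials entered
                submitters.add(ip)
    # A harvester polls on a fixed schedule: several hits with near-constant gaps.
    pollers = {}
    for ip, times in times_by_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= min_polls - 1 and pstdev(gaps) < 1.0:   # jitter under a second
            pollers[ip] = round(mean(gaps))                      # period in seconds
    return {"visitors": len(visitors), "submitters": len(submitters), "pollers": pollers}
```

On the sample above the result is 3 visitors, 2 submitters and one poller at a 30-second period; on a real log the poller's address is what you hand to the hosting ISP and law enforcement.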
By this time, the call center had received over 120 calls concerning the attack. In each case the customer was informed that the message was invalid and that the bank never asks for this type of information.
12:00 PM
The alternate ISP in the Southeast had been identified and notified. As with the first ISP, it verified the site was hosting a copy of the bank’s site, then immediately shut down the site. Again, the account had been opened that morning and payment was made with a stolen credit card. From first notice to shutdown of both pseudo-sites was only two and a half hours.
1:00 PM
Both hosting sites had now been shut down, but the third IP address was more difficult to identify. The third ISP, in the Western U.S., was notified and asked to shut down the site. This proved to be difficult since the ISP was operating a server owned by its customer. The ISP was unwilling to shut the site down since the customer was using this server to sell sporting goods.
3:00 PM
The FBI called back and was asked to help get the third ISP site shut down. A number for a Western FBI office was provided. The Western office notified the ISP and had the site immediately shut down. This site was not hosting a pseudo-site; rather it had a Domain Name System (DNS) server that was compromised by the Bulgarians. Changes made to this company’s DNS server allowed legitimate-looking URLs to be passed to the server and routed to the pseudo-sites. For the techies out there, the Bulgarians added host (A) records to the DNS server so that those names resolved to the pseudo-sites.
CSIRT notified the ISP hosting the legitimate site and requested that any traffic from Bulgaria be blocked. The ISP examined the traffic and informed the bank that it was getting traffic from all over Eastern Europe. All traffic originating in Bulgaria was then blocked. A known vulnerability in Microsoft server software (including the DNS server) makes this kind of DNS change possible; Microsoft servers that are current on all updates and patches are not vulnerable to it.
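The DNS tampering above was only found because the bank traced its own phishing traffic back to the third ISP. An operator of a DNS server can catch the same thing earlier by comparing the zone's A records against a known-good baseline; the following is an added example (not the ISP's or the bank's code) that parses two constructed BIND-style zone snapshots for a hypothetical domain, diffs their A records, and flags newly added names that impersonate a financial login. The domain, addresses and keyword list are assumptions.

```python
import re

# Constructed zone snapshots for a hypothetical ISP domain; the real ISP's zone
# and the bank's addresses are not on the page. Documentation address ranges only.
BASELINE_ZONE = """\
$ORIGIN example-isp.net.
@        3600 IN A     192.0.2.10
www      3600 IN A     192.0.2.10
shop     3600 IN A     192.0.2.20
"""

CURRENT_ZONE = """\
$ORIGIN example-isp.net.
@        3600 IN A     192.0.2.10
www      3600 IN A     192.0.2.10
shop     3600 IN A     192.0.2.20
onlinebanking  300 IN A 198.51.100.44   ; not in baseline: points at a pseudo-site
secure-login   300 IN A 198.51.100.45   ; not in baseline: points at a pseudo-site
"""

A_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$', re.I)

def parse_a_records(zone_text):
    """Map fully qualified owner name -> set of IPv4 addresses from the zone's A records."""
    origin, records = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = A_RE.match(line)
        if not m:
            continue                               # skip SOA, NS, MX, CNAME, etc.
        name, ip = m.groups()
        fqdn = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        records.setdefault(fqdn.lower(), set()).add(ip)
    return records

def diff_a_records(baseline_text, current_text):
    """Return owner names whose A records were added, removed, or changed since baseline."""
    base, cur = parse_a_records(baseline_text), parse_a_records(current_text)
    return {
        "added": sorted(n for n in cur if n not in base),
        "removed": sorted(n for n in base if n not in cur),
        "changed": sorted(n for n in cur if n in base and cur[n] != base[n]),
    }

def suspicious_names(diff, keywords=("bank", "login", "secure", "account")):
    """Flag added names that look like a financial login, the pattern used in this attack."""
    return [n for n in diff["added"] if any(k in n for k in keywords)]
```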
General information on phishing was added to the bank’s Web site for its customers, including information on how to identify a phishing email. Clear statements were made that the bank will not ask for personal information. Specifics regarding this attack were not disclosed.
7:00 PM
All the work was complete, the CSIRT was disbanded, all staff were released, and the event was over.
How was this bank able to reduce site shutdown from an average of 5.9 days to less than two and a half hours? The bank’s ability to respond this quickly minimized the impact on both itself and its customers. In simple terms, the bank recognized the threat as real and took proactive steps to be ready when and if a computer fraud event occurred.
Here are Gonzo’s recommendations for better preparing your bank when it is attacked.
Your bank will eventually be a target. Hopefully you will be as prepared as this bank was when it happens. We recognize this Midwestern bank as true GonzoBankers; they’ve got the Right Stuff.
-caf