The figures speak for themselves: in the first 10 months of 2009, the 260-plus members of CIFAS, the UK's Fraud Prevention Service, have recorded over 68,000 people whose identities have been hijacked by identity fraudsters - a surge of almost 37% from the same period in 2008.
In addition, cases of Facility Takeover Fraud (also known as account takeover, where a third party fraudulently gains control of a victim's account) have also increased: by 18% from the same period in 2008.
As the Christmas shopping period got underway, CIFAS was issuing a standard caution to consumers to be careful. What was slightly less standard was that the headline it was touting warned of pickpockets who are after more than wallets - they are stealing identities.
"The festive season traditionally reminds us of the high street threats of thieves and pickpockets stealing our wallets. We must, however, protect ourselves equally from their latter-day counterparts who target our identities," CIFAS communications manager, Richard Hurley, said: "The safety tips used throughout the year to protect our identities are even more crucial now, in order to ensure that the holiday period can be enjoyed without the fear that fraudsters are helping themselves to your identity and finances."
While these "Fagin's gangs" target the festive shopper, their online colleagues are deploying ever more sophisticated technical abilities to do the same thing: identity theft and financial crime.
Among their arsenal is the Zeus trojan, which was deployed at the beginning of December in a fake email warning about the H1N1 flu virus. This was just the latest email involving Zeus (also known as Zbot), which has been giving online security experts cause for concern for some time.
There is a certain humour in using an H1N1 alert as the email carrier for Zeus, because it is a computer virus that bears more resemblance than usual to the real-world virus, and its rate of mutation is dramatic. In the first six months of 2008, RSA's Anti-Fraud Command Center detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day. By November this year, some US reports suggested that it was infecting 3.6 million computers a month.
Most of these will be detected shortly after infection by standard anti-virus software - once the AV companies have identified the strain. One of the key features of the code is that each use creates a new binary file, and these files are radically different from each other, making them difficult for anti-virus or security software to detect. Once it is identified, the AV software can deal with it, but by then it may be too late.
Bad though that is, it's not what is special about Zeus, or what really concerns the security experts. It is a very clever bit of coding that can do a lot of things. Most commonly it can gather data as a user enters it into a browser, and send the details to the criminal instigator, but it can also be used to create botnets, where PCs are surreptitiously taken over to be used in spamming or denial of service attacks - or to launch more phishing attacks.
Just to add to the fun, Zeus is actually a virus kit - you can buy it online and add whatever code you want, which lots of people seem to want to do for the sheer hell of it, creating a level of noise that is irritating but not necessarily criminal.
Below that, however, are the organised gangs. It's not like Matthew Broderick in War Games any more. "They have cloud computing in the underworld too," says Michal Blumenstyck-Baverman, RSA Israel's general manager. "Back in 2003 identity theft was a one-off and you had to do a lot of work as a fraudster. Now they are very organised."
She says that RSA currently has 350 major financial institutions as clients, which works out as 450 million credit cards, or 1.3 billion transactions per quarter - 44 million each day. The number that staggers, however, is the amount of fraud that RSA estimates it has prevented through the AFCC: $1.7 billion in 2008.
Across that, the security has to be transparent to the legitimate consumer. "One size fits all doesn't work in security," says Blumenstyck-Baverman. "It's easy to build a very strong wall, but the usability will be terrible, and banks want to be able to continue to do business; we can't get in the way of that business."
As the fraudsters have become more sophisticated, they are turning to a variety of sources, including social networking sites like Facebook, to harvest information about potential victims - almost a mirror image of the credit agencies on the legitimate side of the fence. RSA and others (see interview, page xx) are now increasing the amount of information that they are using as part of the verification process to create what they call Knowledge Based Authentication. This will see a new level of dynamically created challenge questions as part of the transaction process: where currently you might be asked your mother's maiden name, in future you will likely see three questions, one of which might or might not be false.
This is part of the response to one of the most dangerous aspects of approaches like Zeus: phishing scams can sometimes persuade people to send their secret question details to the wrong people, but malware can sit on the machine and harvest them using what RSA has dubbed "man-in-the-browser" attacks. This is now one of the most dangerous threats, because it can be done without the knowledge of the customer or the bank.
The principle is quite simple: malware is installed on the victim's machine, either through a malicious attachment on an email or through "drive-by browser" attacks, where the user simply has to view an infected webpage to become infected. These are generally hijacked websites.
The malware is dormant until a set of conditions activates it. Typically this is when a user visits a page such as an online banking service. It can then harvest passwords and other security information, but even more invidiously, it can inject HTML code to change the appearance of the webpage; you might think that your bank has just added an additional security field, but in fact the malware has done it, and you're not telling the bank the name of your first pet, you're telling a criminal gang.
Most versions of the malware actually contain a look-up table of the details of most major banks' websites and the appropriate code to manipulate the screen. On a home computer used by two people to manage different bank accounts at different banks, the same piece of malware will capture the whole shooting match. ("Fraudsters tend to work on mass production these days," says Blumenstyck-Baverman.)
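As an added illustration, not from the article or from RSA, here is a small Python check of the kind a bank's page-integrity monitoring might perform against the injection described above: it parses the login form on a page and flags any field that is not in the bank's own manifest of expected fields. The manifest, the clean login page and the injected copy with an extra "first pet" question are all constructed for this example.

```python
from html.parser import HTMLParser

# Constructed manifest: the fields the bank's login form is supposed to contain.
EXPECTED_FIELDS = {"login": {"username", "password", "csrf_token"}}


class FormFieldCollector(HTMLParser):
    """Collects the names of input/select/textarea elements, grouped by form id."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form id -> set of field names seen inside it
        self._current = None   # id of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id", "<anonymous>")
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current and a.get("name"):
            self.forms[self._current].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_injected_fields(html, manifest=EXPECTED_FIELDS):
    """Return {form_id: [unexpected field names]} for every form on the page.

    A form id absent from the manifest is reported whole, since an injected
    page may add a new form as well as extra fields to an existing one."""
    parser = FormFieldCollector()
    parser.feed(html)
    injected = {}
    for form_id, names in parser.forms.items():
        extra = names - manifest.get(form_id, set())
        if extra:
            injected[form_id] = sorted(extra)
    return injected


# Constructed sample pages: the bank's real form, and the same form after a
# man-in-the-browser kit has slipped in an extra "security" question.
CLEAN_PAGE = """<form id="login" method="post">
<input type="hidden" name="csrf_token" value="abc"><input name="username">
<input type="password" name="password"><button>Log in</button></form>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "<button>", '<label>Name of your first pet</label><input name="pet_name"><button>')

if __name__ == "__main__":
    print(find_injected_fields(CLEAN_PAGE))     # {}
    print(find_injected_fields(INJECTED_PAGE))  # {'login': ['pet_name']}
```

Because the malware runs inside the browser it can tamper with any client-side script as well, so in practice the rendered-form report is collected by a script and compared against the manifest on the bank's server rather than trusted locally.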
Among those in the fight against such gangs - and 50% of the Zeus attacks are reckoned by some experts to be the work of one particular outfit called the Rock Phish, though there is debate about this - is the RSA AFCC.
Like similar operations - Symantec has one in the UK - the centre is a cross between NASA mission control and a cybercafé: rows of mostly silent, mostly young, people looking at computer screens while large wall displays relay information about attacks and resolutions as they happen internationally.
The 24/7 operation employs some 130 people, working in round the clock shifts. Each has two computers: one for connecting to dubious sites, and one connected to the RSA network. These are all thin-client devices, and at the end of each shift the unit is disconnected and reformatted to remove all possibility of contamination of the main systems.
Among the tasks the AFCC is carrying out for clients is anti-phishing work, which can mean spotting where websites have been hijacked and calling the local ISP to alert them. Yaron Shohat, director of RSA's Online Threats Managed Services unit, of which the AFCC is a part, says that the reaction of ISPs varies, but it is not as simple as some countries being less helpful - in many Western countries the ISP will quote civil liberties issues until the cease and desist orders persuade them to co-operate.
"We are very persistent, because we have to be," he says. "We can easily find the ISP, and since we've done it so many times we even sometimes know the cell phone of the manager. We do get refusals - sometimes it's just easy to say no, sometimes they are collaborating with the fraudsters, but any legitimate entity will close down the site eventually. It is more about specific ISPs than about countries: in Western countries there are concerns about privacy laws, but in less-regulated countries the authorities will just flip the switch."
Typically it takes around five hours to have a site shut down, but this is not possible for hijacked sites, as they have legitimate activities that need to continue, so some tact and diplomacy is required.
That the AFCC staff are getting to know the ISPs around the world is perhaps not surprising: between 2004 and 2008, they dealt with 120,000 attacks; for 2009 up till November, the number was 225,000 and trending upwards.
Uri Rivner, head of new technologies, identity protection and verification at RSA, says that this represents a "celestial alignment" of factors. "We have high-grade Trojans like Zeus, infections spreading like wildfire as the internet accelerates propagation, and the state of the economy makes it easier for financial criminals to recruit collaborators." Rivner talks about "The Dark Cloud", a warped version of real-world commerce. Increasingly, he says, the cybercriminals are coming to resemble a mirror image of a legitimate economy. "Fraudsters have career choices nowadays," he says.