

Find the Motive

Uri Rivner

In detective stories, one of the last things that the detective finds is the motive. Find the motive, and the whole plot is unveiled. I think the same applies to fighting fraud. When developing solutions against fraud, it's important to discover the motive, the root, the invisible reason behind the visible behavior of the fraudsters. Find the motive, and you're halfway to solving the crime.

To illustrate this point, I'd like to talk about the evolution of anti-phishing services. Phishing wasn't the first type of fraud hitting online financial institutions; some keyloggers were already in use before phishing became a mainstream crime. The first reports of wide-scale email fraud came from Australia and Brazil, soon spreading to more lucrative targets - the US and the UK - and in late 2003 it became clear that the global financial industry was facing a new menace.

First to introduce "anti-phishing solutions" were anti-spam and brand monitoring companies. Anti-spam providers offered alert services based on scanning spam emails and finding specific keywords such as 'online banking', 'password', and the name of the targeted bank. Brand monitoring companies, who were already working with banks to fight unauthorized use of their logos and brand names, offered to extend the service to phishing and provide early detection of attacks. There's an interesting point to mention in this context: in the brand monitoring business, detection is vital. No-one is likely to call customer service in a panicked voice to report brand abuse, like people do when seeing a phishing email; the misuse can stick around for weeks or even months before a chance discovery - if you're lucky. So from a brand monitoring company's perspective, detection is everything.

The benefit of fast detection, of course, is that the bank will know about a phishing attack as soon as the emails are sent, and this minimizes the 'window of opportunity' for the bank's unsuspecting customers to hand over their credentials to the bad guys. In these early days, however, the market did not offer any better solutions, so banks hit by phishing were happy to try these "anti-phishing solutions".

Here's an example. ABC Bank, an imaginary financial institution, is a new target for phishers:

The bank had no attacks, then experienced its first phishing attack (people in the IT Security department didn't sleep that night, you can be sure of that), and in the following months there were more and more attacks. At that point the bank felt ready to try a 'fast detection' solution.

The result was something like this:

Fast detection of the phishing attack didn't make a dent in the phishing wave. Here's why:

According to the Anti-Phishing Working Group, the average lifetime of an attack is 5.3 days. That's 127 hours. The lifetime consists of two phases: detection time and shut-down time. First you need to be aware of the attack, then you need to shut it down. In most phishing attacks, vigilant and Internet-savvy users call the bank's customer service and say there's something very phishy going on. Or they'll send an email to the bank's abuse box. If the bank has the correct procedures in place, the IT Security team will learn about a phishing attack shortly after these alerts. From speaking to banks that we work with, the average detection time span, therefore, is 4 hours. So even if you deploy the best detection system this side of the galaxy, you'll only carve a few hours off the attack's lifetime. From an average of 5.3 days you can go down to 5. This won't bother the fraudsters at all: the attack will be live long enough for any potential victim to deliver his credentials to the spoofed site.

Don't get me wrong: detection has its merits. It's good to know about the attack before people call your customer service; you can control and contain the situation better. But effective anti-phishing strategies are all about depriving the fraudsters of profit or increasing their effort and risk. If there's no profit in attacking your FI (financial institution), they'll start attacking another FI. Since early detection doesn't really change anything, there is no resulting change in profit or risk, and hence no driver for fraudsters to take their business elsewhere.

So this wasn't "it". Banks who contracted alert-providers sensed that something was missing…that they didn't actually get a valuable service… and that their real problem is this: how can we shut down the attacks faster?


People find some reason to believe.

By Uriel Maimon

I happened to listen to Bruce Springsteen’s song "Reason to believe" and it got me thinking about the RSA Consumer group’s latest consumer confidence survey. In case you haven’t read it, here are the highlights:

  • 91% of respondents answered that they feel banks should use some kind of stronger authentication than basic, static usernames and passwords for online banking.
  • 82% of account-holders said that, as a direct result of scams such as phishing, they are less likely to respond to an e-mail from their bank.
  • 82% of account-holders would like their banks to monitor online banking sessions for signs of irregular activity or behavior, similar to the way credit card transactions are monitored today.
  • 51% would like their bank to contact them when something suspicious is detected.
  • While many financial institutions have begun to deploy stronger authentication over the past year, only 39% of account-holders are aware of it.
  • 52% are today "less likely" to sign up for or use online banking than they were before.

Wow. What this says to me is that consumers are worried, and they’re starting to lose their trust in the online channel as a safe haven for their financial transactions. The fact that consumers don’t believe in the Internet is all the more scary when you consider that these are the people who DO fall for phishing attacks.

Sitting here listening to “The Boss” telling us, “How at the end of every hard earned day, people find some reason to believe,” I thought of some key points that could increase consumer confidence in the online channel (and I would know this, because I have a checking account, which makes me an expert on the subject):

1. Justice needs to be seen, not only done. Financial institutions are getting better and better at reducing fraud losses from compromised credentials and identity theft. Unfortunately, the exposure of the institutions' customers to attacks, and the publicity surrounding such attacks, do long-term damage to the perceived security that consumers feel. What's important to remember is that the technological details don't matter: consumers who do not understand the implications of SSL are not going to understand what was involved in an attack, and what control (if any) the financial institution had in preventing it. That's why financial institutions need to take visible steps to build confidence in the brand, and this can be done simply by making security a visible-yet-unobtrusive part of the customer's online experience (and also through high-profile prosecutions of fraudsters, etc.)

2. Don’t put all your eggs in one basket. Let’s assume that you live in a neighborhood that’s suddenly been afflicted with a plague of burglaries. You do the smart thing, and you upgrade the locks on your door, or even the door itself. Once this has been done, it still doesn’t mean that you feel secure enough to leave your wife’s gems on the kitchen counter, or your birth certificate on the dining room table. Chances are you will also put bars on the windows, get a safe, a safety deposit box at the bank, or at least a locked drawer. The same thing can be said for online banking: Strong authentication at login is important and useful in deterring fraud – but it is far from a one-stop solution to online fraud. There are financial Trojan (Crimeware) variants out there already that wait for successful authentication and perform fraudulent transactions after the fact. A financial institution therefore has to adopt complementary measures and have multiple defense mechanisms, like transaction monitoring with authentication, fraud monitoring and intelligence reports, transaction re-authentication using out-of-band credentials and shutdown services. It also helps if these layers are integrated; for example inputting “bait” accounts into Phishing attacks and then tracking these accounts using transaction monitoring can identify legitimate accounts that were compromised by the same fraudster, and can generate a list of known fraudster IP addresses.

3. Don’t trust your customers The best security is one that does not count on the human mind, which is sadly ill-equipped for information security. There was recently a paper published by Rachna Dhamija from Harvard University, on the subject of why phishing works: Once you’ve read that you can understand why SSL as a protocol fails to live up to its task. The problem isn’t technological; SSL is very good both in terms of authentication & privacy, as well as defending against advanced attacks such as manin-the-middle. No, the problem with SSL is that it relies on the consumer being able to understand its mechanism and to look for visual cues. Despite years of attempts at education and various usability enhancements many customers still fail to look for these visual cues and do not understand the implications of Internet security. In fact – as we have seen with our research – customer education can be a doubleedged sword and is something of a fine art: when done well through the use of simple and consistent messages, it can increase confidence (good); but when it isn’t handled sensitively, it can become counter-productive and make end-users wary of using the medium at all (bad). With that in mind, it makes sense for organizations to have two parallel focuses: first, use customer education solely as a means of instilling confidence; second, use back-end security technologies that do not rely solely on the end-user’s input at all as the best form of fraud prevention.

4. Be prepared, and don't forget damage control: The timing of online attacks can rarely be anticipated, and it would be wise for financial institutions to prepare for the eventuality of an online attack in advance (or, in the case of an institution that's already been widely attacked, a high-profile attack). Regardless of the cause of an attack, financial institutions must also consider to what their customers are likely to *attribute* the attack: for example, if a financial institution has recently launched a new service, the fraud may have nothing to do with the service but, because the timing coincides, it is possible that consumers will think the two are linked. So be prepared: use phishing shutdown services in order to quickly mitigate damage from new phishing sites, and have confident answers at the ready when these attacks take place. Phishing shutdown services will alert you to the existence of attacks, and shut them down cleanly and efficiently, allowing you to offer a strong statement regarding your mitigation efforts and proof that you were prepared in advance. The battle for consumer confidence is not a lost cause (which is an entirely different song). Financial institutions can take these steps and others to reassure consumers that they can be secure in their online banking and trading environments. If my mother can manage to convince me that I won't die alone, then I'm sure we can give consumers some reason to believe.


Pets, Weddings, and Identity Theft

By Ari Juels

It's difficult to fathom how a list of the 20 most popular dog names could have evolved into a potential tool for identity theft. Such, however, is an oddity sprung upon us by the challenges of online password management.

When you register for an account on the Web site of a financial institution (or other secured site) today, you are often required to register answers to a series of personal questions, sometimes referred to as "life questions." These questions—familiar to many of us—support a form of emergency authentication. When you lose or forget your password, the Web site prompts you to answer one or more of the life questions you have registered.

Here are some (reworded) examples drawn from several popular sites:
1. What was the name of your first pet?
2. What was the make of your first car?
3. What is your best friend's first name?
4. What is your mother's maiden name?
5. In what city were you married?
6. What is the first name of your maternal grandmother?
7. What is your favorite hobby?
8. What was your high school mascot?
9. What is your birth date?

A security system is only as strong as its weakest link. The security of online accounts depends critically on the quality of their life questions. So how hard is it for an identity thief to circumvent password protections by feigning a lost password and targeting a Web site's life questions?

There are a number of ways to characterize the security of a particular life question. Two key measures are:
1. The difficulty of guessing the answer based on general knowledge
2. The difficulty of learning the answer by mining public data-repositories.

Guessing: Consider the question "What was the make of your first car?" Until 1998, Ford Motor Company controlled a market share of more than 25% in the United States. Thus, an attacker in the U.S. who guesses the answer "Ford" can score high odds of success, roughly 1 in 4. Similar in nature is the question "What is your best friend's first name?" At first blush, this may seem an excellent security question, based as it is on information largely unavailable to strangers. 1990 U.S. Census data, though, reveal that if your best friend is male, there is nearly a 10% chance that he's named James (Jim), John, or Robert (Bob or Rob), the three most common given names. (Women's names are slightly more diverse.)

Many sites lock down accounts after several failed login attempts. Thus it may seem that life questions guessable with relatively small odds—say, 1%, if not 10%—offer sufficient protection. Identity thieves, though, need not confine their attacks to a particular account. They can sweep through many thousands. Even small odds of successful guessing offer limited defense against such en bloc attacks.
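To put numbers on the guessing argument, here is an added example in Python (not from the original post, and not the author's own analysis): given an answer distribution and a per-account lockout after a few wrong tries, it computes the attacker's odds against one account, the expected haul from sweeping many accounts with the same handful of guesses, and the entropy the question actually hides. The answer tables are constructed for illustration; only the top-three name shares and the 25% Ford share echo figures the post cites, and the assumption that the remaining probability mass is spread thinly over a few thousand rarer answers is mine. The last function shows the same attack against a random alphanumeric string registered as the answer, which is what the author does with his pet's name at the end of the post.

```python
from math import log2

# Constructed, illustrative distribution of answers to "What is your best
# friend's first name?" restricted to male answers. The top three roughly
# match the 1990 U.S. Census shares the post cites (about 3.3%, 3.3%, 3.1%);
# the other entries are assumptions, not census data.
BEST_FRIEND_MALE = {
    "James": 0.033, "John": 0.033, "Robert": 0.031, "Michael": 0.026,
    "William": 0.025, "David": 0.023, "Richard": 0.017, "Charles": 0.015,
}
RARE_NAME_COUNT = 5000  # assumption: residual mass spread over this many names

# Constructed distribution for "What was the make of your first car?" (U.S.);
# the 25% Ford share is the figure the post cites, the rest is assumed.
FIRST_CAR_US = {"Ford": 0.25, "Chevrolet": 0.20, "Toyota": 0.08, "Honda": 0.07}


def full_distribution(top_answers, rare_count):
    """Complete a partial answer table by spreading the unlisted probability
    mass evenly over `rare_count` placeholder answers, so it sums to 1."""
    residual = 1.0 - sum(top_answers.values())
    dist = dict(top_answers)
    for i in range(rare_count):
        dist[f"rare-{i}"] = residual / rare_count
    return dist


def per_account_success(dist, attempts):
    """P(one account falls) when the attacker submits the `attempts` most
    likely answers before the site locks the account."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])


def en_bloc_yield(dist, attempts, accounts):
    """Expected number of accounts opened when the same `attempts` guesses are
    tried against `accounts` different accounts. Lockout is per account, so it
    caps the guesses per victim but does nothing against the sweep itself."""
    return accounts * per_account_success(dist, attempts)


def entropy_bits(dist):
    """Shannon entropy of the answer distribution: how many bits the answer
    hides, on average, from a guesser who knows the distribution."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def random_answer_success(attempts, length=12, alphabet_size=62):
    """Same attacker against a uniformly random alphanumeric string of the
    given length registered as the answer instead of a real pet name."""
    return attempts / (alphabet_size ** length)


if __name__ == "__main__":
    lockout = 3        # assumption: three wrong answers lock the account
    sweep = 100_000    # assumption: number of accounts the thief cycles through
    cases = (("best friend (male)", BEST_FRIEND_MALE, RARE_NAME_COUNT),
             ("first car (U.S.)", FIRST_CAR_US, 200))
    for label, table, rare in cases:
        dist = full_distribution(table, rare)
        print(f"{label:20s} P(success per account)={per_account_success(dist, lockout):.3f}  "
              f"expected accounts from sweep={en_bloc_yield(dist, lockout, sweep):,.0f}  "
              f"entropy={entropy_bits(dist):.1f} bits")
    print(f"random 12-char answer: P(success per account)={random_answer_success(lockout):.1e}")
```

Under these assumptions a three-guess lockout leaves the best-friend question with roughly a 10% per-account failure rate, which is harmless against one account and catastrophic across a hundred thousand; the first-car question is worse by a factor of five. The random-string answer drives the same attacker's odds to effectively zero, which is the whole reason to treat a life-question answer as a second password rather than as a fact.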

Mining: "What is your mother's maiden name?" is a universally popular security question. Researchers at Indiana University studying public data in the state of Texas as an example, though, were able to learn the answer for over four million people, about 20% of the state's population. In the same vein, clues to the question "In what city were you married?" abound in public data repositories for marriage licenses and wedding notices. Online genealogical databases can help uncover the names of parents and grandparents.

Aggravating such vulnerabilities is Internet users' growing penchant for publishing personal information. Among students recently studied at Carnegie Mellon University, for example, a large majority posted private information on a (CMU-restricted, but illustrative) social-networking site. This information included birthdays, high schools, and hobbies, facts bearing directly on the sample life questions listed above.

The security vulnerabilities of password systems are well documented. People often choose their passwords poorly, and happily divulge them to strangers in exchange for frivolities like chocolate and gift certificates. Life questions, though, have received scant scrutiny from the security community, despite rapid proliferation across the Internet. Many are no doubt weaker than passwords. Life questions could well emerge as a significant weak link in our online infrastructure.

So what do I do when I'm asked the name of my first pet? Despite his unusual name, I posthumously rechristen him with a jumble of numbers and letters that looks very much, in fact, like a strong password. I register this string of random characters as my answer, while silently offering up my apologies to Archimedes the hamster.


Phishing Supply Chain--Part 1 of 2

Uri Rivner

I was in Helsinki some weeks ago to talk about phishing at an IT security conference, and after presenting a slide that shows the 'supply chain' of phishing, one of the attendees asked if I would describe phishing as organized crime. My answer was that it wasn't anything of the sort. It might look like an international version of good old organized crime, and it's certainly not the one-man-hacker-show it used to be a few years ago, but there's nothing orchestrated about phishing or, for that matter, online financial fraud.

One way to describe the current environment of phishing is a supply chain (see image).

Email collection is self explanatory: someone has to harvest the Internet for email addresses to which a fraudulent email--the first step in any phishing attack--is distributed. Some harvesting techniques involve the use of automatic tools that surf the Net and look for new email addresses, for example in forums and user groups. Other techniques are more sinister: anything from hacking into databases to stealing email addresses directly from your Outlook. The result is a CD full of email addresses that anyone can buy for a few dollars so they can launch a shady spam campaign or, in our case, a malicious phishing attack. So if you're a phisher, that's the first thing you need.

The next thing you need is a place to host your phishing attack. Some fraudsters will approach an ISP, pay with a bogus credit card and store the attack on the ISP's server, but this is considered a Stone-Age mode of operation. Today's fraudsters generally prefer the more traceless, cheap and trustworthy infrastructure of botnets. You're probably all aware of these huge networks of hijacked (or 'zombie') computers, centrally controlled by an operator who rents them to criminal elements, who in turn use them to conceal their own identities (useful in eCommerce fraud) or to host denial-of-service or phishing attacks. The botnets prey on PCs that are not well-protected, well-patched and well-monitored. So it probably won't come as a surprise if I tell you that 60% of phishing attacks originate from a hijacked computer whose owner is completely unaware that his PC is being used to attack a major financial institution. The PC may work slower than usual, but hey, my computer always works slower than usual so it isn't a reliable indicator, is it?

So now you've got the email list, and a place to host your attack. Now you need to develop the actual attack website and email. You don't really know how to do that? Well, there are sites that provide full descriptions, code samples and documentation that you can peruse at your convenience. Never wrote HTML code? No worries, mate. How about downloading a phishing kit from one of the dozens of websites, forums and chat rooms dedicated to the Dark Art of online fraud? A phishing kit is quite useful: it's a Phishing for Dummies application. It already comes with several templates attacking some favorite targets; you just need to configure it, feed it with an email list (which you already have), and store it on your chosen host (provided by your favorite botnet operator). Of course, if you're attacking a new target using a foreign language, you might need to work a bit harder, but most phishing is done using widely-distributed kits.

These components of the supply chain are the basic building blocks of any successful phishing attack. Each of them grew into a thriving industry of anonymous suppliers and buyers using non-traceable payment mechanisms. Just as with eBay, you don't really know who you're buying from or selling to, but the system generally works...

Stay tuned for Part 2 of Uri Rivner's Phishing Supply Chain!


Phishing Supply Chain--Part 2 of 2

Uri Rivner

The two final links in the chain are the most important ones. Strangely enough, you see two groups here: international phishers and local criminals. The distinction is extremely important, and understanding the dynamics of these groups is crucial for building effective defense mechanisms against phishing.

A few years ago, phishers were both collecting the data and then using it to attack the financial institution. Today there's a clear separation between the people who conduct phishing and collect customers' credentials, and the people who use the stolen credentials to take money out of the respective accounts.

Through monitoring forums and chat rooms used by online fraudsters, we've come to realize that most online fraudsters do not conduct domestic fraud. They have no real understanding of the local financial market's structure, defences and processes; their role in the online fraud supply chain is to collect credentials and user data via phishing, pharming, Trojans or other means; and sell these credentials to local crime rings that operate inside the country and have a method of 'cashing' the credentials. In many cases the local crime ring will post a demand for certain financial institutions' credentials in a fraud forum or chat room, and the phishers will attack these targets in order to meet the demand. The main areas of demand are stolen debit/credit cards for conducting eCommerce fraud, and stolen credentials for conducting online banking fraud.

Many fraudsters, and this includes phishers, are therefore completely agnostic to the specific target they attack. They can attack any financial institution in any country; they often attack multiple targets across several countries within the course of the same day. Later on they test the credentials they have collected, and either sell them to the local crime rings or enter a 'shared revenue' partnership with these criminals.

The whole communication is done in fraud forums or chat rooms. To illustrate a typical transaction, think of the following posting chain in a fraud forum:

And here you have a transaction. Supply meets demand, and the phishing cycle completes. The supply chain is in fact more complex than this simplistic model, and there are some 'niche markets' and more intricate collaborations and structures, but the bottom line is clear: phishing is not organized crime. There is no one mastermind behind it all, no godfather pulling the strings. I think it can be much better described as an ecological system that sprang to life, shaped by market forces and natural selection, within the course of only a few years. It's now a vibrant environment, with lots of specialized roles and symbiotic relationships between various types of criminals. If there's one thing that makes this "machine" drive forward, it is this: there's simply enough money for everyone. Why is all of this important? Why do we need to know how fraudsters think, and how they interact with each other? I guess the answer is obvious: know thy enemy. It will help you cope with it.


Risk-Based Authentication

Uri Rivner

I have a small secret to share with you: most online transactions are virtually risk-free. This may seem like a rather obvious statement. I mean, take your own online banking activities. You either use a computer that you've used in the past, or log in from your office IP proxy, or you're just sending some money to the gas company. There's very little risk involved.

In fact, we now know that 97% to 99% of online financial transactions have a low level of risk. Yet despite the obviousness of this observation, the common wisdom in the online security arena was--until recently--to always use the security solution that would defend against the 'worst case scenario'; all users had to pass the same level of security in order to defend against 1% of high-risk transactions. The question was always "what level of security do I need for this application," and not "what level of security do I need for this transaction."

About two years ago, a new concept emerged: risk-based authentication. RBA breaks security into 'atomic' elements, and treats every transaction according to its own specific level of risk. So, instead of using blanket security for the entire user base, it allows you to choose the right level of security for each activity, based on the risk of that specific activity. If 99% of logins, or money transfer activities, or online stock trades, are quite safe, regular security is enough for them. But the 1% of activities that are risky should trigger an additional challenge.

"Wait a minute," some of you may say, "There must be a catch here. Security measures are deployed evenly for all users because you don't KNOW in advance which users or activities are risky. How would you identify the 1% of transactions that you need to pinpoint?"

Good question!
And indeed, the first hurdle RBA technology needs to pass is the accuracy of its risk prediction. Spotting the high-risk transactions is not a trivial task. You need to process each online login, new payee, bill payment and money transfer activity in real time, and give an accurate risk score. The risk engine should take into account multiple parameters such as the IP address, geo-location, device profile, historic behavior of the user, and the specifics of the current transaction. Since online fraud patterns evolve rapidly, the engine should deploy automatic pattern recognition and self-learning capabilities, in order to quickly find new patterns. There are additional crucial ingredients, but hey, we don't want to make fraudsters' lives easier by laying out our defense blueprints for all to see...!

How accurate does the system need to be? Well, pretty accurate. We often use the 80/20 rule; applied here it may say something like: let us spot the 20% of transactions that have 80% of fraud. But challenging 20% of users isn't good enough. The more users you challenge, the greater the impact you have on the overall usability of the service. A good RBA deployment reaches a challenge rate of 1%-3% of transactions, in order to spot 70%-80% of the fraud.

Note that we're not talking about air-tight security. The other 97%-99% of transactions still pose a certain level of risk, and if the bank is suffering fraud, then it will be reduced by 70%-80% but not go away completely. You can catch more fraud by increasing the challenge rate, of course.

The second technological hurdle is the additional challenge for high-risk transactions. It must involve something that users already have, since you don't know in advance which user is going to be subject to additional security. A good example would be a phone: every customer has a mobile, office number or home number through which they can be contacted for extra verification. Or it can be something the user already knows, such as a secret question collected from the user for future use. The solution must be very user friendly, and a lot of experience is needed to make it actually work with good results. You want the authentication to be secure enough to filter the fraudsters out, but convenient enough that most genuine customers can easily pass it. Not everyone will. There are false positives with any given technology, but there are also ways to minimize these issues by applying usability best practices and fine-tuning the authentication process. A good RBA system can have false positives as low as 0.1%-0.3%: i.e., genuine customers who couldn't complete the activity. That's pretty low. Consider the most commonly-used authentication method: username and password. How many times have you forgotten your password for online banking?
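The trade-off the post describes (a challenge-rate budget of a few percent, the fraud it catches, and the genuine customers it inconveniences) can be made concrete with a toy risk engine. The following is an added example in Python, not RSA's engine and not code from the post: it scores each money transfer on the kinds of signals listed above (IP geo-location, device profile, the user's history, and the transaction itself), picks the lowest score threshold that keeps the challenge rate within a budget, and then measures the fraud catch rate and the share of genuine customers challenged. The signals, their weights, the traffic mix and the single shared user profile are all assumptions constructed for the example; a real engine would learn weights from labelled history rather than hard-code them.

```python
import random
from dataclasses import dataclass

# Assumed signal weights for this example only; a real engine learns them.
WEIGHTS = {
    "new_device": 30,       # device fingerprint never seen for this user
    "foreign_country": 25,  # IP geo-located outside the user's home country
    "new_payee": 15,        # payee this user has never paid before
    "large_amount": 20,     # more than 5x the user's typical transfer
    "night_hour": 10,       # activity between 00:00 and 05:59
}


@dataclass
class Profile:
    """What the bank already knows about the customer (historic behavior)."""
    home_country: str
    known_devices: set
    typical_amount: float


@dataclass
class Transfer:
    """One money-transfer request as seen by the engine in real time."""
    country: str
    device: str
    payee_known: bool
    amount: float
    hour: int
    is_fraud: bool  # ground truth, used only to evaluate the engine


def risk_signals(profile, tx):
    """Boolean signals derived from the transaction and the user's history."""
    return {
        "new_device": tx.device not in profile.known_devices,
        "foreign_country": tx.country != profile.home_country,
        "new_payee": not tx.payee_known,
        "large_amount": tx.amount > 5 * profile.typical_amount,
        "night_hour": tx.hour < 6,
    }


def risk_score(profile, tx):
    """Additive risk score: the sum of weights of the signals that fired."""
    return sum(WEIGHTS[n] for n, fired in risk_signals(profile, tx).items() if fired)


def pick_threshold(scores, challenge_budget):
    """Lowest score such that challenging everything at or above it keeps the
    fraction of challenged transactions within the budget."""
    n = len(scores)
    for s in sorted(set(scores)):
        if sum(1 for x in scores if x >= s) / n <= challenge_budget:
            return s
    return max(scores) + 1  # budget so tight that nobody gets challenged


def evaluate(traffic, challenge_budget):
    """Apply the budget to scored traffic and report what the step-up buys."""
    scores = [risk_score(p, t) for p, t in traffic]
    threshold = pick_threshold(scores, challenge_budget)
    challenged = [s >= threshold for s in scores]
    frauds = [t.is_fraud for _, t in traffic]
    n_fraud = sum(frauds)
    n_genuine = len(frauds) - n_fraud
    caught = sum(1 for c, f in zip(challenged, frauds) if c and f)
    genuine_hit = sum(1 for c, f in zip(challenged, frauds) if c and not f)
    return {
        "threshold": threshold,
        "challenge_rate": sum(challenged) / len(scores),
        "fraud_caught_rate": caught / max(n_fraud, 1),
        "genuine_challenged_rate": genuine_hit / max(n_genuine, 1),
    }


def constructed_traffic(n_genuine=10_000, n_fraud=100, seed=7):
    """Constructed sample (not real data): genuine transfers mostly from a known
    device at home, fraud mostly from a new device, often abroad, to a new payee.
    One shared customer profile keeps the example short."""
    rng = random.Random(seed)
    profile = Profile("US", {"dev-home", "dev-work"}, typical_amount=200.0)

    def genuine():
        return Transfer(
            country="US" if rng.random() < 0.97 else "ZZ",
            device=rng.choice(["dev-home", "dev-work"]) if rng.random() < 0.95 else "dev-new",
            payee_known=rng.random() < 0.95,
            amount=rng.uniform(20, 600) if rng.random() < 0.97 else 2500.0,
            hour=rng.randint(6, 23) if rng.random() < 0.95 else rng.randint(0, 5),
            is_fraud=False)

    def fraud():
        return Transfer(
            country="ZZ" if rng.random() < 0.7 else "US",
            device="dev-mule" if rng.random() < 0.9 else "dev-home",
            payee_known=rng.random() < 0.2,
            amount=rng.uniform(1500, 4000) if rng.random() < 0.6 else rng.uniform(100, 900),
            hour=rng.randint(0, 5) if rng.random() < 0.3 else rng.randint(6, 23),
            is_fraud=True)

    traffic = [(profile, genuine()) for _ in range(n_genuine)]
    traffic += [(profile, fraud()) for _ in range(n_fraud)]
    rng.shuffle(traffic)
    return traffic


if __name__ == "__main__":
    for budget in (0.01, 0.03, 0.20):
        print(f"challenge budget {budget:.0%}: {evaluate(constructed_traffic(), budget)}")
```

Two things worth noticing when you run it. First, with a 3% budget the threshold lands above the "new device" weight on its own, so a customer simply logging in from a new laptop is not challenged; only combinations of signals are, which is what keeps the genuine-challenged rate near the 1% mark rather than the 5% that a naive "unknown device" rule would produce. Second, widening the budget to 20% buys little extra fraud because almost all of the constructed fraud already scores above the stricter threshold, which is the 80/20 effect the post describes.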

The bottom line is this: risk-based authentication works behind-the-scenes to spot the high-risk transactions, and apply the right level of security for the specific level of risk. It allows the financial institution to manage online risk; to decide what risk the business is willing to take, and what risk it isn't willing to take, for every online activity. Since most users are not challenged, it provides a good balance between security and usability: maximum usability for the vast majority of users, and a little more effort for a small amount of users.

RBA's main advantage is that it works behind-the-scenes and has a minimal impact on users. It provides an almost transparent layer of security that protects customers without requiring them to change the way they authenticate themselves, unless the perceived risk is high. It can be further enhanced if deployed in tandem with more visible authentication technologies: something you can see (e.g. site-to-user authentication) or touch (e.g. one-time-password-based Digital Security ID authentication).

Which brings me to a final note: the future of consumer security in the financial industry is in building an adaptive, dynamic and multi-layered defense. Risk-based authentication certainly emerges as a major brick in that adaptive authentication wall, and – along with additional layers – can give fraudsters a headache while keeping genuine customers safe and happy.


Security and Usability

By Uri Rivner

Terminal 4 at Heathrow was packed like a box of sardines... This was quite odd - normally this late in the evening the place is half-deserted, but now it was full of people looking utterly annoyed. Probably some heavy flight delays, I told myself and went to look at the Departures monitor, but it looked pretty normal. It must be the check-in system, then. A computer glitch, or maybe a staff strike. But it wasn't either of these: when I had edged my way through the crowd to get to the check-in area, the desks were relatively free and I was quickly face-to-face with the friendly British Airways check-in clerk. "A bit busy today, isn't it?" I asked, pointing at the human mass behind me. "It's the new security procedures. Haven't you got our notice?" said the clerk.

Flashback...
My email box was flooded as usual - I'm still waiting for someone to invent an anti-email technology - and I scanned the inbox looking for those easy emails that I can quickly read and delete. Like this 'important message' email from British Airways, advising me that due to new security procedures at London Heathrow, I should arrive at the airport four hours prior to any flight I'm taking. Bah! Four hours. You've got to be kidding me. I dismissed the obviously hysterical recommendation, discarding the email and moving on to the next one.

Back at Heathrow...
Rrrrrright. So it wasn't flight delays, and it wasn't a computer glitch or a staff strike. It was a new security procedure. What kind of new security procedure can produce THIS? I looked around me. It was completely mad. I didn't even know where the line started. The annoyed look on people's faces was beginning to change to sheer desperation. Some of the passengers were really edgy, and from time to time you could hear heated arguments with airport staff – a very rare thing in Britain. I noticed people in yellow jackets handing passengers nylon bags. What on earth were these for? After about an hour of moving along a snail-paced human snake, I got the answer. The nylon bags were for laptops, which had to be removed from their cases. This is quite common in airports, but was never the practice in Heathrow. Half an hour later I finally got a glimpse of the security stations. The metal detectors were beeping constantly, and people were removing their belts and watches, and some – probably accustomed to US security measures – even took off their shoes. Not that any of it helped; the detectors' thresholds were set to such low levels, that they beeped nervously each and every time. The security staff themselves looked agitated, which didn't really help improve the situation.

Why am I telling you all of this?
Because I think it's a good example of the relationship between security and usability. In this case, the increase in airport security had an immediate, very visible impact on usability. This balance of security and usability is something financial institutions struggle with whenever implementing a new authentication system for their online service.

It's a bit different in the enterprise world. Not many people will quit their job because IT installed a new firewall that pops up all the time, driving them mad, or because their company migrated to a new VPN which is much less friendly than the old one. But consumers who want to access an online financial service have very low thresholds when it comes to usability. They want to be secure, but they don't want to be bothered with security. If they encounter something they don't like or understand, they'll call customer service or, to a lesser extent, switch to a more user-friendly site.

The security industry didn't really think about all of that until quite recently. For decades the industry has been looking at creative ways of making things more air-tight. We've been developing more secure authentication methods in order to counter a growing arsenal of threats. But in the online consumer authentication market, usability is in many cases of greater importance than security. It's true that some people like to see changes in the bank's security procedures and will appreciate it if the financial institution hands them authentication devices or comes up with other visible security measures. But other customers don't really care about all of that; they demand security from the bank, but all they really want is to access their account, pay bills and transfer money without any delay or additional challenge.

On the other hand, we have to protect these customers, even if they don't want to help us help themselves. So we need to do something, but it has to provide a good balance of security, usability and (obviously) cost – since in many cases we're talking about millions of customers. One way to achieve such a balance emerged recently: it's called Risk Based Authentication...


The Creativity of the Other Side

Uri Rivner

In this post I'd like to discuss three seemingly unconnected events that are not directly related to the normal theme of this blog – financial fraud. They do, however, have something in common: they demonstrate the ingenuity of the "other side" in devising plots to fool state-of-the-art technologies. If you like, you can see them as small glimpses into the future of online threats; early signs of the yet-to-come. I'll say no more about that, and just describe the three events and let you ponder their significance.

Fooling spam filters

A few weeks ago I got a very peculiar email from an unknown sender. It was just a plain text email, containing the following lines:

"In the meanwhile the barrels were left afloat while the elves of the raft and the boatmen went to feast in Lake-town. They would have been surprised, if they could have seen what happened"

Being a Tolkien fan I quickly recognized the lines from the Hobbit. It was clearly spam, but unlike other spam messages, the text wasn't random, and there was no link to a website trying to sell new ways to please my better half or interest me in an amazing, yet unheard-of, stock. A few of my colleagues got similar messages, and together we tried to analyze the email. After careful examination we concluded that there wasn't anything sinister hidden in the code. One of my colleagues thought it might be a way to verify the validity of your email. I wasn't too sure about that.

Well, the mystery may have been solved for us. The Wall Street Journal [subscription only website] reported a flood of spam emails bearing similar characteristics: they all include lines of text from popular literature. One theory mentioned in the article was that the purpose of these emails was to fool state-of-the-art spam filters by "un-training" them; i.e. by making them count such incidents as harmless, so when later on some real spam content is interwoven into the text, the filter's threshold may already be too high to notice it. This theory may be wrong, but it does strike a true note. Sending spam emails for the purpose of confusing the filters, rather than for the purpose of mass-marketing, makes sense, and if that's what was behind the recent wave, it's quite a creative idea.

Fooling the auction model of trust
Everyone who takes part in an online auction is familiar with that sense of uneasiness when you're about to place an offer. Is the seller really genuine? If you're just buying a used DVD the stakes are not very high, but how about a $1000 coveted ticket to a major sports event? Successful auction sites have built a model of trust. Once you buy an item, you can rank the seller; so if the ticket you got isn’t the genuine article, or if you paid but never received any goods, you can exact revenge of sorts by posting a negative review and affect the seller's trust-ranking. The same applies for sellers: if they send the goods but get zilch, they can post an appropriate condemnation and help ensure that future sellers won’t be duped. There are escrow services that can be used. A $1000 deal can be secured by paying an escrow service $30-$50; they'll check that the money is sent by the buyer and the goods are sent by the seller. But most transactions at auction sites never use escrow services, and if you read good reviews and see a high trust ranking for a certain seller, you may think an escrow service is unnecessary even if the transaction value is high.

The bottom line is this: frequent buyers and sellers, who put their money/goods where their mouse-click is, establish their own credibility. And that's exactly what fraudsters are after. Gaining access to a high-credibility account in an auction site has some distinct advantages. As a result, companies such as eBay started to strengthen the controls, making it more difficult to access and take over existing accounts. But eCriminals have creative minds. According to security firm Fortinet, a new automated scam trend has emerged. The automated scam begins with the creation of synthetic user accounts. These fake users, probably using a rented botnet PC, search the auction site for extremely low value "buy it now" digital goods items such as eBooks or wallpapers, and place a purchase. Most sellers of such items have an automated script that emails the item to the buyer and also posts a standard feedback comment on the buyer's profile at the auction site. The fake user then automatically responds with a standard feedback comment on the seller's profile. With enough automated purchases, the fraudster can quickly establish a highly-trusted fake account. Then the real fun begins: these high-credibility accounts can be used by fraudsters to buy real goods without paying.

If you think that's brilliant, think of a second generation attack where the goods are then sold to other synthetic accounts, who will post an automated "this is a good guy" note in the seller’s account. Within a couple of days, a virtual network of buyers and sellers can create power accounts. One hijacked PC will talk to another, and soon the fraudster can control an army of zombie auction-site accounts that he can deploy to sell fake items and buy without paying.
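The feedback-farming loop described above leaves a recognizable footprint: trust built from near-zero-value purchases whose feedback is reciprocated within seconds. The following is an added example (not code from the original post or from any auction site) that scores accounts on that signal over a constructed feedback log; the account names, values and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feedback log for this example: (from_account, to_account, time, item_value_usd).
# b1..b3 are fresh accounts farming trust from automated digital-goods sellers s1/s2;
# alice/bob/carol are ordinary traders whose feedback is neither cheap nor instantly reciprocated.
FEEDBACK = [
    ("s1", "b1", "2007-03-01T10:00:00", 0.99), ("b1", "s1", "2007-03-01T10:00:04", 0.99),
    ("s2", "b1", "2007-03-01T10:01:00", 0.50), ("b1", "s2", "2007-03-01T10:01:03", 0.50),
    ("s1", "b2", "2007-03-01T10:02:00", 0.99), ("b2", "s1", "2007-03-01T10:02:05", 0.99),
    ("s2", "b3", "2007-03-01T10:03:00", 0.50), ("b3", "s2", "2007-03-01T10:03:02", 0.50),
    ("s1", "b3", "2007-03-01T10:04:00", 0.99), ("b3", "s1", "2007-03-01T10:04:06", 0.99),
    ("alice", "bob", "2007-03-02T09:00:00", 120.00), ("bob", "alice", "2007-03-05T18:30:00", 120.00),
    ("carol", "bob", "2007-03-03T11:15:00", 45.00),
]

def parse(records):
    return [(f, t, datetime.fromisoformat(ts), v) for f, t, ts, v in records]

def suspicious_feedback_ratio(records, max_value=2.0, window=timedelta(minutes=5)):
    """Per account: fraction of received feedback that looks farmed, i.e. the underlying
    item cost less than `max_value` AND the recipient returned feedback to the same
    counterparty within `window` (the script-to-script handshake the post describes)."""
    recs = parse(records)
    given = defaultdict(list)            # (from, to) -> timestamps of feedback given
    for f, t, ts, _ in recs:
        given[(f, t)].append(ts)
    received, farmed = defaultdict(int), defaultdict(int)
    for f, t, ts, value in recs:
        received[t] += 1
        reciprocated = any(abs(r - ts) <= window for r in given[(t, f)])
        if value < max_value and reciprocated:
            farmed[t] += 1
    return {acct: farmed[acct] / received[acct] for acct in received}

def flag_accounts(records, min_received=2, threshold=0.8):
    """Accounts whose trust ranking rests mostly on farmed feedback (assumed thresholds)."""
    ratios = suspicious_feedback_ratio(records)
    counts = defaultdict(int)
    for _, t, _, _ in records:
        counts[t] += 1
    return sorted(a for a, r in ratios.items() if counts[a] >= min_received and r >= threshold)
```

Because the handshake is symmetric, the automated sellers are flagged together with the synthetic buyers; a production check would add account age and purchase volume to separate a legitimate eBook seller from a ring member.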

Fooling anti-automation filters
One of the best practices to fight web automation is using CAPTCHA [Completely Automated Public Turing test to tell Computers and Humans Apart]. Most large web portals use a CAPTCHA during registration, in order to foil automated enrolment using a botnet. Regular CAPTCHAs show an image that contains some letters or digits. The characters are distorted, masked, twisted or color-overlaid in a way that is supposed to allow human beings to read the content, but stop an automated tool. There's a security vs. usability issue here: the more you distort and mask the letters, the better you are protected from advanced text recognition algorithms, but the less user-friendly the customer experience is. For example, see this CAPTCHA which is pretty standard:

I can read the first two characters easily: "A", "2". The third is a bit more difficult, but most people will recognize a "p". But what’s the next character? Is it a '1'? Or a '7'? A more advanced CAPTCHA got the nickname "The Kitten CAPTCHA": this CAPTCHA shows a pictogram of, say, a kitten, and asks the user to say if the image shows a kitten, a rat or a hippo.

There are many OCR (optical character recognition) algorithms that can break specific CAPTCHAs, and it's becoming a small arms race, which is why I took my hat off and applauded the ingenuity of fraudsters when I encountered the peculiar incident below.

A few months ago I saw a phishing attack against a large bank in Europe. Unlike other attacks, when you clicked on the URL the page that opened didn't ask for any personal details, but rather presented a CAPTCHA that you had to solve. Once you solved it, an error was presented. After investigating this odd attack we reached a shocking revelation. This was a man-in-the-middle CAPTCHA-solving attack.

It works like this:

  • The fraudster uses a standard phishing email to direct a user into a spoofed website that resembles ABC Bank’s website.
  • The attacker starts an automated registration process at XYZ Mail. The site presents a CAPTCHA, which the attacker grabs and, in real time, presents to the user who just entered the ABC Bank spoofed website.
  • The user, thinking that ABC Bank wants him to pass a CAPTCHA, solves it.
  • The solution is sent to XYZ Mail so the automated registration can complete.

Yes, you got it right. The fraudster found a creative way to bypass CAPTCHAs by turning us, law-abiding Internet users, into CAPTCHA solving automatons. Using this technique, even CAPTCHAs that are totally immune to OCR algorithms can be cracked by using unsuspecting human beings as free CAPTCHA-solving labor. Send enough emails, and you can automate a large number of fake registrations, fooling any anti-automation CAPTCHA the attacked site throws at you.

Scary?

Indeed.

As I said, there’s no real connection between these incidents. They all, however, point to a single truth: We ain’t seen nothing yet.



Universal Man-in-the-Middle Phishing Kit – why is this even news?

Uriel Maimon

In the past month I was part of the team at RSA that researched the universal man-in-the-middle (MITM) phishing kit that recently gathered quite a bit of attention in various publications. In the phishing world there are various roles: there are the "nice" people who operate the phishing kits; there are the shady characters who translate these hard-earned credentials into money; and there are the people who write the phishing sites, or kits. In between there is commerce, just like in any successful industry (and who wouldn't call the fraud industry successful?)

This particular kit is the epitome of this kind of exchange. Once purchased, this kit will allow you to put up a site targeting any institution you wish (hence the universal part), using a snazzy web-GUI. The newly-created site will simply relay the request to the actual site (sort of like an HTTP proxy would), retrieve the site pages, translate all the links to point to the phishing site and display it to the user. So in essence the user (or victim) is really talking to the real institution, except that any information he/she submits (such as credit card information, credentials, social security number, which episodes of Scrubs had the best janitor bits) is conveniently siphoned off to the fraudster's email address.

I was sitting recently with a few friends of mine (who happen to be tragically hip) from the IT security industry (you'd think that a guy who is cool like Fonzie, such as yours truly, would have a few friends _outside_ the IT security industry) and they had some choice comments about this latest piece of research:

"Dude! Why is this even news?! MITM attacks have been around for ages?!"
"Wasn't there an Amazon.com MITM attack reported a while back?"
"Wasn't there a man-in-the-middle attack against Citibank ages ago?"
"Or one targeting eBay?"
"Dude! Those pants totally don't go with those shoes!" (No URL for that one, fortunately.)
To this I replied: "uhh, so uhh yeah, but uhh..." (What can I say? I can't argue with my friends. They're so hip they can't see their own feet).

But what I should have said goes something like this: Those MITM attacks all had something in common. They either tried to bypass new login authentication capabilities, or tried to make the site look more credible and get the victim to type in his credentials despite any doubts or suspicion he/it/she has (when the site reacts consistently to invalid credentials, some people are convinced that this is the real deal). As such they really didn't alter the economy of the situation: Mr. Fraudster still has to go out and buy this custom-built phishing kit for several hundred dollars, which will only work against one financial institution. If anything changes on that institution's site, the phishing kit is worthless and a new one will have to be written. This is actually very significant, since buying the phishing kit is one of the few actual expenses with real money that the fraudster will have to pay for. The rest (domain registration, hosting, etc.) is usually handled with stolen credit cards, so this is one of the real bottlenecks in the fraudster's operation. Even if the fraudster develops his own phishing code he would still need to spend the time and energy to write this type of kit for every institution he wants to target (and time = money).

What makes this latest kit special is less the "man-in-the-middle" bit, and more the "universal" bit. Now Mr. Fraudster pays a one-time investment ($1000 for the universal kit instead of the ~$200 that a regular kit would cost. A “standard” MITM kit would cost more.), and he can target as many institutions as often as he wants to. He no longer has any set limit on his scalability. And as a side bonus he gets the most believable, sophisticated site current phishing technology has to offer, plus any other information that the user might feed into the site, which he wasn't specifically looking for.

When we went back to the fraudster forums to see what the fraudsters' reaction was to our publication of this attack, there was little reaction. The reactions we found were mixed: some fraudsters were asking where they could download the kit (information that was not volunteered...), while others commented along the lines of, "this isn't anything new, curl scams have been around for a while." (Curl is the HTTP client library that is often used within the PHP scripting language to write MITM attacks.) They were probably referring to the older, non-universal MITM described above.
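Because the kit relays every victim's session through its own host, the real site sees one client address authenticating to many different accounts in a short time, usually with a single client string rather than a spread of browsers. The following is an added example (not RSA's code or anything from the kit) that surfaces that pattern in a constructed login log; the addresses, usernames, user-agent strings and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events for this example: (time, client_ip, username, user_agent).
# 203.0.113.7 (RFC 5737 documentation range) plays the host relaying a proxy phishing kit:
# every victim's session reaches the bank from that one address, with one client string.
LOGINS = [
    ("2007-01-10T08:00:00", "203.0.113.7",  "jsmith",  "curl/7.15"),
    ("2007-01-10T08:02:10", "203.0.113.7",  "mlee",    "curl/7.15"),
    ("2007-01-10T08:03:45", "203.0.113.7",  "pkumar",  "curl/7.15"),
    ("2007-01-10T08:07:30", "203.0.113.7",  "adoe",    "curl/7.15"),
    ("2007-01-10T08:09:00", "203.0.113.7",  "rchen",   "curl/7.15"),
    ("2007-01-10T08:05:00", "198.51.100.4", "jsmith",  "Mozilla/5.0 (Windows; U; Windows NT 5.1)"),
    ("2007-01-10T09:30:00", "198.51.100.4", "tnguyen", "Mozilla/5.0 (Macintosh; U; PPC)"),
    ("2007-01-10T12:00:00", "192.0.2.88",   "mlee",    "Mozilla/5.0 (Windows; U; Windows NT 5.1)"),
]

def parse(events):
    return sorted((datetime.fromisoformat(ts), ip, user, ua) for ts, ip, user, ua in events)

def proxy_suspects(events, window=timedelta(minutes=30), min_accounts=4):
    """Client IPs that logged in to at least `min_accounts` distinct usernames inside a
    sliding `window`. Returns {ip: (distinct_users, distinct_user_agents)}: one address
    speaking for many accounts with a single client string is the relay's footprint,
    whereas a shared corporate NAT usually shows a variety of browser strings."""
    by_ip = defaultdict(list)
    for ts, ip, user, ua in parse(events):
        by_ip[ip].append((ts, user, ua))
    suspects = {}
    for ip, rows in by_ip.items():
        for i, (start, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in span}
            if len(users) >= min_accounts:
                suspects[ip] = (len(users), len({ua for _, _, ua in span}))
                break
    return suspects

def victims_via(events, ip):
    """Usernames whose sessions came through a suspect address: the accounts to
    re-credential and review for transactions made during those sessions."""
    return sorted({u for _, i, u, _ in parse(events) if i == ip})
```

The user-agent count is for triage only; a kit that forwards each victim's own browser string would still trip the many-accounts-per-address rule but not the single-client-string hint.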

Huh. Maybe those guys should hang out with my friends.
