Phishing Victims Fight Back
Tips for Turning the Tables on Scam Artists
One midwestern credit union (which prefers to remain anonymous), with nearly $200 million in assets and more than 30,000 members, has been phished four times -- the most recent in 2006, with three of those incidents occurring within a 90-day period.
In the first three cases, the credit union received copies of the emails from its members and even non-members, asking why the institution would send email to them requesting card and account information. The phishing emails were similar to those pervasive spams mimicking eBay, PayPal, and many banks from outside the region.
In these cases, the perpetrators found an opening on an innocent party's computer and used its email client to send emails to State University students and staff, purporting to be from the credit union. They copied the credit union's home banking entry page, adding boxes for credit card numbers, CVV codes, PINs, and expiration dates. The emails originated in Seattle, Washington and Montevideo, Uruguay. In one case the copied site was hosted at a university in Poland; the others were in Seattle, WA and Taoyuan City, Taiwan.
The credit union was able to take these down by researching the WHOIS data (a database that tracks the name and address of the domain owner) from Network Solutions and contacting the host and ISPs. The credit union says it received great help from everyone. Its longest delay occurred when the university in Poland was on a week-long break, and no one was available to resolve the issue.
The credit union's fourth phish was resolved with help from staff at Purdue Employees Federal Credit Union. Purdue EFCU contacted the credit union because the attack had begun against Purdue's own brand and then targeted theirs as well. Purdue's advance warning and monitoring brought the attack down before any damage occurred. They found that the phish was being run by teenagers in Romania. The credit union says it now uses multifactor authentication to help members identify fraudulent sites.
You've Been Phished, Now What?
So what do you do if your financial institution's brand is phished? Your institution should have an incident response plan already in place, but here are some phishing-specific steps to review and add to your plan.
Communicate to your customers. The sooner the better. Put an announcement message on your website's front page. And if you can, send an email to all of your customers, telling them about the phishing attack. Give the facts, as much as you can, and tell them what you're doing to stop it. Let them know to contact your institution when they receive any suspicious email or phone call purporting to be from your institution.
Contact law enforcement, both local and federal authorities. The credit union that had been phished four times says sending an email to the FBI's www.ic3.gov alert doesn't garner much attention. They say that filing a report with the www.ic3.gov site will result in "no help and no response." The case file number they give simply states that they have too many complaints, and the data will be forwarded to the appropriate agency. A call to your local FBI office is also advisable. Alerting the Anti-Phishing Working Group should also be considered. A call to your institution's regulatory body is also in order, and is mandatory if customer account data is breached.
Find out who owns the URL. Use Network Solutions' www.netsol.com site to determine the owner and notify them of the attack. Sometimes they don't know their site is hosting a phish: it may be a web server the phishers have compromised, or a domain name registered with an ISP such as Yahoo or Google. If you do contact the owner, ask them to take down the server or block the outgoing messages. Involve your legal department on this portion to ensure compliance with your request. Find the ISP that the IP address belongs to, ask them to block the address, and tell them why you're requesting it.
Get a copy of the original email that was sent to people and, if possible, save its headers. The headers can show which mail server sent the email. Usually they won't point straight at the phisher, since phishers obfuscate the address or send through a misconfigured server, but they still provide ammunition if you catch the phishers.
Go to the phishing site, but go carefully. Use a non-institutional computer if possible, because the site may carry malware that installs viruses and other nasty downloads on the machine. Once you're on the site, take time to document what is there by making a screenshot of every page on the site. Copy the source code from every page for later forensic use in a law enforcement investigation.
Determine how the emails were sent: whether they went broadly to a wide number of users, or whether the email was a targeted attack (spear phishing) against specific customers or even employees of your institution. If it turns out to be a spear phishing attack, the phishers may have a list of customer or employee emails.
Flood the phishing site with fake data because this may slow down its ability to collect data from unsuspecting users.
If your institution isn't able, or doesn't have the manpower, to pull off the above steps, it's time to call in a professional information security firm that specializes in phishing site takedowns. Monitoring services, if affordable, also offer protection against a phishing expedition netting a big catch of your customers.
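As an added example of the header-preservation step above (this code is not from the article or the credit union), the following Python walks the Received: chain of a forwarded phishing email to find the hop closest to the real sender, and flags body links whose visible text names a different host than the actual destination. The sample message is constructed; every host, IP address, id and name in it is made up.

```python
import email
import re

# Constructed sample message (every host, IP, id and name here is made up):
# it claims to be from the credit union, but the oldest Received: header
# shows an anonymous broadband host handing it to an ISP relay.
SAMPLE_EML = b"""\
Received: from smtp.isp-relay.test (smtp.isp-relay.test [198.51.100.9])
\tby mail.university.test with ESMTP id a1b2c3; Mon, 6 Mar 2006 09:12:01 -0500
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby smtp.isp-relay.test with SMTP id x9y8z7; Mon, 6 Mar 2006 09:11:58 -0500
From: "Example Credit Union" <alerts@example-cu.test>
To: member@university.test
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://203.0.113.200/cu/login">https://www.example-cu.test/login</a></p>
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def received_hops(raw: bytes):
    """(claimed sending host, first IP seen) per Received: header, oldest first.
    Relays prepend their Received: line, so the last one is the earliest hop:
    the first relay's view of the real sender, which is what to report."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        host, ip = HOP_RE.search(hdr), IP_RE.search(hdr)
        hops.append((host.group(1) if host else "?", ip.group(1) if ip else None))
    return hops


def link_mismatches(raw: bytes):
    """Body links whose visible text is a URL on a different host than the href."""
    def host(url):
        return url.split("/")[2].lower() if "://" in url else None
    body = email.message_from_bytes(raw).get_payload(decode=True).decode("utf-8", "replace")
    out = []
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()   # strip nested tags
        if host(shown) and host(shown) != host(href):
            out.append((href, shown))
    return out
```

The earliest hop (the first element of received_hops) is the address to hand to the ISP and law enforcement; the href/visible-text mismatches are what to quote in the customer announcement so members recognise the lure.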