2014 INTERNET COMMERCE CASE STUDY. The Battle Against Phishing and Fraudulent s. 100 S. Ellsworth Ave 4th Floor San Mateo, CA

Transcription

1 2014 INTERNET COMMERCE CASE STUDY The Battle Against Phishing and Fraudulent s 100 S. Ellsworth Ave 4th Floor San Mateo, CA

2 ABOUT AGARI Agari analizes big data from the world s in-boxes to provide a new way of stopping brand abuse and phishing. We proactively prevent any unauthorized purporting to be from your brand from reaching your customers. Our cloud-based solution guarantees rejection of these phishing messages across the Internet to protect your brand, stop phishing, reduce your liability and enhance your consumer trust. AGARI IS TRUSTED BY: The largest bank in the United States The largest Internet Commerce payments processing firm The most admired consumer electronics brand in the world The top three most popular social media sites The third largest global shipping company Pamela Moore - Senior VP Administrative Services and Chief Financial Officer at NACHA, the Electronic Payments Association. Pamela Moore is on the front lines of the battle against phishing and fraudulent s. As Senior Vice President of Administrative Services and CFO at NACHA, the Electronic Payments Association, she endured a massive attack on her organization in NACHA manages the development, administration, and governance of the ACH Network, the backbone for the electronic movement of money and data in the United States. It s a not-for-profit association representing nearly 11,000 financial institutions via 17 regional payments associations and direct membership. So when a sustained and ever evolving phishing attack began in February 2011, with consumers and business 2

3 receiving fraudulent s that appeared to be coming from NACHA, the organization experienced turmoil and sought a way to fight back. The fraudulent s, sent globally, typically made reference to an ACH transfer, payment, or transaction and had a link or attachment that infected a recipient s computer with malicious code when clicked on or opened. Compounding the problem was the fact that the s purported to come from actual NACHA employees and /or departments and even carried a counterfeit NACHA logo along with association s physical mailing address and telephone number. By July 2011, we were starting to see the same servers sending IRS, Federal Reserve and FDIC spam as we were seeing the phishing attacks evolve, Moore told participants during a recent Agari webinar. By September 2011 we were starting to identify polymorphic malware. And by November 2011, we were seeing a bonnet building environment where Dirt Jumper and Zeus variants, such as Gameover, were tied to the current campaign. By then Moore had already engaged Patrick Peterson, CEO and Founder of Agari, to help provide a solution to the problem and concluded that the Trusted Registry serviced by Agari was of great importance to her association and financial institutions around the world. Many consumers already assume that Many consumers already assume that s are genuinely from who they say s are genuinely from who they say they re from, Moore said. There s a lot they re from, Moore said. There s a lot of communication out there regarding of communication out there regarding phishing s. I think there s a report out there that indicated that in 2011, phishing s. I think there s a report 75 percent of the s were phishing out there that indicated that in 2011, s. So that s why this type of 75 percent of the s were phishing solution is so important. s. So that s why this type of We were constantly working with law solution is so important. enforcement, with other experts in the field to try and address what was happening with phishing campaigns. By late December 2011, FS-ISAC and Microsoft reached out to us about being involved in this case that they were developing. In combination with the financial services industry, Microsoft and others, we became involved in this case, which was filed in March of We were able to build a lot of background information and documentation regarding the case that we had been going through in Through Agari and the Trusted Registry we had a lot of information that we were able to include as part of this case because it identified so clearly the number of s that were purporting to be from the NACHA.org domain, and the number of compromised servers they were coming from. Our threat level was very high. In excess of 99 percent of the s that were going out were not from NACHA.org. As a result of the various reports that we received form Agari, it became part of the background documentation to support our claim. 3

4 Because of those efforts, 39 different John Does were identified in a civil lawsuit and two command-and-control servers were seized in March Since the initial seizure of the commandand-control servers and about 25 percent of others, the number of infected computers has been cut in half, Moore said. Additional discovery evidence was filed with the Eastern Court in Brooklyn, New York, in Of the 39 John Does, two defendants are serving time in the United Kingdom. The rest of the information has been turned over to law enforcement and the FBI for additional follow-up, she added. Data from Agari and the Trusted Registry was crucial in the case. We re able to see what top 20 IP addresses are sending out spoof NACHA.org s. Data from Agari and the Trusted Registry was crucial in the case, she explained. We received a number of different reports as a result of the Trusted Registry. We re able to see what top 20 IP addresses are sending out spoof NACHA.org s. We re able to then track the number of s that have been blocked as well as the number of servers that they were coming from. And from that, we were about to identify how high a threat the numb roy s that are going out there were, those that or not NACHA.org versus those that are authentic s. So it was very compelling from a civil lawsuit perspective to see this type of information and the reporting capabilities that were coming out of it. From those reports, we were also able to utilize the information that we were getting for the purposes of partnering with technology vendors to monitor our domains and take down malware sites, because you are receiving those top IP addresses that are sending out that . It would also alert us fairly quickly in terms of what was happening if there was an active SPAM campaign, for example. Moore said that NACHA uses the trusted Registry as part of its overall anti-spam strategies. Many of the folks that were receiving this phishing were consumers. We re a corporate trade association, so our normal type of outreach isn t even to the individuals who were starting to receive these suspicious s. So it was important to use to set up consumer education as well as We re a corporate trade business educational efforts, so that they could be association, so our normal reporting those suspicious s. From there what type of outreach isn t even we were able to do is establish auto-feeds of the information to appropriate organizations, whether to the individuals who were that s law enforcement, other anti-phishing work starting to receive these groups, or our technology vendors who assisted us suspicious s. with that malware take down. 4

5 We also had to expand our outreach to smaller anti-spam and anti-virus vendors too. When you think about why this Trusted Registry Service does relative to the authentication of your domain and of that through the SPF and DKIM, one of the areas that we were finding needed additional help was that small business, mid-size business that may not be utilizing some of these broader Internet service providers that are part of this Trusted Registry Service. As a result of the volume that started coming through in the bounce backs of NACHA.org spoofed s, we had to start outsourcing our spam filtering to high-volume, spam-filtering services and then leverage those analytics. About the Founder Patrick Peterson, CEO and Founder of Agari is a technology visionary, entrepreneur and noted security evangelist. He has held major security and engineering posts for IronPort Systems and Cisco; Pat currently serves as Founder and CEO for Agari, whose platform provides revolutionary visibility and protection from threats. 5