September 19, 2012
Catching the Phishes.
I’m not completely sure why, but somehow since the invention of the Internet, there has always existed a stereotypical attitude towards all things WWW. That attitude sees the net as little more than a toy, while the viruses that come with it are put down to mere playing about at best, and just hooliganism at worst. However, the reality is quite something else – especially lately.
Remember Cascade and other similar viruses? Ah, so naïve and innocent compared to what was to come… Fast forward a couple of decades and the bad guys started stealing data, Trojanizing computers for zombie networks to perform distributed attacks, and milking bank accounts. And today we’ve arrived at attacks on industrial, infrastructural and military systems. Some toy!
We need to get away from such a stereotype ASAP. Faulty impressions give cybercrime a romantic aura, which in turn attracts the younger generations of would-be cybergeeks-come-cybercriminals – who can’t seem to grasp the seriousness of their “fun” or understand how many years they could face in jail.
Then there’s another stereotype: that computer crime pays, and the perpetrators don’t get caught. Romanticism! Ok, it’s true that several years ago in many countries computer crime was in fact not all that often prosecuted; however, now that situation has changed: the law enforcement bodies have both the experience and know-how required, have made great strides in terms of cyber-criminalistics (cyber-CSI stuff), and have established good working relations with professionals, all leading them to now being able to solve one hi-tech crime after another.
We are always ready to assist national and international law enforcement agencies if they request it. I think the development of such cooperation is crucial for the successful fight against cybercrime – as security companies are the ones that possess the necessary knowledge.
Now, let me give you an illustrative example of how it works in Russia.
Just recently, Russia’s Ministry of Internal Affairs (MVD) and the Center for Information Security of the Federal Security Service (FSB), with the expert assistance of Kaspersky Lab’s Cybercrime Investigation Unit (CIU), brought to a successful conclusion a criminal case regarding phishing. The culprits were identified and sentenced, justice prevailed, and one more nail was hammered into the coffin of romantic imaginings about cybercrime. I hope.
The case would have been a run-of-the-mill “typical” one if not for one circumstance: it was the first phishing case in Russia whose investigation ran to completion. Before that, it was unrealistic to expect such a case to reach court; at best, it was only ever possible to catch the lower-level “runners” of the responsible criminal hierarchy.
The story began in the spring of 2010 as a classic phishing scenario:
A couple of St. Petersburgers purchased a Qhost-type Trojan on the cybercriminal underground. They proceeded to infect a number of computers and used the Trojan to redirect victims to a fake site. There, the victims unwittingly revealed the access codes to their Internet-accessed bank accounts. The cybercriminals then had complete access to the accounts, and cashed in big time. Until they got caught.
What’s curious is that the bad guys were able to get around two-factor authentication and SMS text notifications – and in various ways.
For example, victims received a call supposedly from their bank, during which they were asked to enter a text code “to cancel an erroneous transfer.” For some of the affected banks the criminals created dedicated fields on the fake site for entering data from a table of varying codes; the codes were requested several times (citing mistakes in the previous entry), and in this way several valid codes for further operations were obtained.
The investigation revealed that more than 170 individuals all around Russia became victims in the scam, with losses close to 13 million rubles (nearly half a million dollars).
The above is the official story. Now, let’s have a look at what really happened.
The story is one without precedent. Before this, it was reckoned that in Russia it was impossible to file criminal charges relating to phishing. The good guys had no experience and no specialized knowledge, and found it tough just working out where to start in investigating phishing.
Thankfully, it was decided that something needed to be done to change all that, and that’s where we came in. We were asked to conduct the expert examination and write up all our analysis. The banking community provided all the necessary data for the investigation and was involved at all stages, while the Center for Information Security of the FSB conducted the investigation, giving the case to its best detective. It worked! A criminal case was opened, and a team from the Investigative Committee of the MVD was put together.
However, initiating a case is not the same as closing it (satisfactorily). The majority of cybercrime investigations in Russia normally fall apart due to a lack of specific skills on the part of the good guys. But in this particular cyber-sting the detectives completed a two-month special cyber-security training course, and we and the banking community assisted them at all stages as much as we could.
What is also necessary in a case like this is “staying on” the case until it gets to court. But this is where the biggest mistake of all is normally made – detectives are left without support, the investigation fizzles out, and the case comes apart at the seams. This time everything was different: our CIU crew was always on hand – there were numerous business trips, thousands of pages of technical analysis of the investigation and constant interaction.
Though it was rather long-winded, the case was at least brought to a successful close. And though the bad guys received only suspended sentences and fines, the case was significant because it set a precedent (phishing cases must and should be taken through to the end), and also because the detectives gained experience and know-how with our and the banks’ help. And what better message could be sent to the computer underground and the upcoming younger generations than to stop engaging in dangerous, damaging, illegal stuff? Clearly they should make better use of their minds, applying them to productive, positive and harmless pursuits.