RSA looks to drown phishers in data flood

RSA looks to drown phishers in data flood

Summary: A novel tactic to defeat phishers is being employed by Cyota staff: flooding phishing sites with fake bank details to make the real information harder to find

SHARE:
TOPICS: Security
2

RSA's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want — lots of user names, passwords, online banking credentials and credit card numbers.

Phishing occurs when cybercriminals set up fraudulent copies of a genuine Web site — usually of a financial institution — and try to lure customers of that organisation into visiting the site and entering their login credentials or other personal details.

Unfortunately for the phishers, one of the techniques Cyota is using to help protect its banking customers is to pump such fraudulent Web sites with so many fake entries that the genuine details are harder to find, according to Naftali Bennett, senior vice president of the Consumer Solutions Division at RSA Security and co-founder of Cyota, which was acquired by the security giant late last year.

"The technique is called dilution — we generate a list of bogus credentials and feed the Web site with false usernames, passwords and credit card numbers. The fraudster may have obtained 30 genuine credentials out of 300 — we are trying to make it less worthwhile and more risky for the fraudster," Bennett told ZDNet UK sister site ZDNet Australia on Thursday.

Dilution is just one of many weapons used by Cyota to help fight against fraud.

According to Bennett, RSA Cyota runs a command centre that scans around 1.5 billion emails a day looking for new phishing attacks. When an attack is discovered the company sets about contacting the relevant ISPs and shutting the site down.

"The main thing we do is shut down the Web site. It may be hosted from 12 different locations — China, Seoul and Lithuania — but we get a real time translator, contact the local ISP and tell them we are calling from the bank, please shut it down," he said.

Having repeated this process around 15,000 times, Bennett claims the company is getting rather good at it: "On average the duration of a phishing site is about 6.5 days. With RSA Cyota it is 5.5 hours — we really shorten the window of opportunity."

The information gathered by RSA Cyota will also be used by Microsoft in IE7, the next version of its Internet Explorer browser. IE7 will use Cyota's database of known phishing IP addresses to block access to fraudulent Web sites.

"We have cut a deal with Microsoft, AOL and... ISPs. Within minutes of discovering a phishing attack we send Microsoft the IP address of the spoofed Web site. If by mistake you click on a [phishing] link you will see a message telling you that you can't enter the Web site because it is a fraudulent one," added Bennett.

The technology gained by RSA when it acquired Cyota is also being used to provide banks with a risk-based authentication system that provides an "invisible" second layer of security.

The profiling system seems to be favoured by banks for their mass market low value customers because it does not require relatively expensive tokens, which have for many years been employed by large banks but only to protect high-value customers and transactions.

Topic: Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • i have beendoing this for ages with any sites i hav ebeen sent, i hack the site see what data they have stolen and then flood it with my own data so they cant find anything they have obtained. i then inform the bank who was spoofed and they reply telling me it was a spoof website and i should contact them to change my credit card details as i hav ebeen fooled.

    i wish they would read their emails.
    anonymous
  • Quote: "We have cut a deal with Microsoft, AOL and... ISPs. Within minutes of discovering a phishing attack we send Microsoft the IP address of the spoofed Web site. If by mistake you click on a [phishing] link you will see a message telling you that you can't enter the Web site because it is a fraudulent one,"

    How can MS, AOL and .. ISPs block access ? Does this imply that they are filtering destination IPs for all customers' Internet access ? I can't see this as the way to tackle this problem, with many 1,000s of ISP all maintating their own outdated filter lists ?
    anonymous