Fighting fraud by baiting phishers

RSA Security's newly acquired Cyota overwhelms phishing sites with fake usernames, passwords and credit card info.
Written by Munir Kotadia, Contributor

RSA Security's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want: a lot of usernames, passwords, online-banking credentials and credit card numbers.

Phishing occurs when cybercriminals set up fraudulent copies of a genuine Web site--usually of a financial institution--and try to lure customers of that organization into visiting the site and entering their login credentials and other personal details.

Unfortunately for the phishers, one of the techniques Cyota is using to help protect its banking customers is to pump such fraudulent Web sites with so many fake entries that the genuine details are harder to find, according to Naftali Bennett, senior vice president of consumer solutions at RSA and co-founder of Cyota, which was acquired by the security giant late last year.

"The technique is called dilution: We generate a list of bogus credentials and feed the Web site with false usernames, passwords and credit card numbers. The fraudster may have obtained 30 genuine credentials out of 300--we are trying to make it less worthwhile and more risky for the fraudster," Bennett told ZDNet Australia on Thursday.

Dilution is just one of many weapons used by Cyota to help fight against fraud.

According to Bennett, RSA Cyota runs a command center that scans about 1.5 billion e-mails a day looking for new phishing attacks. When an attack is discovered, the company contacts the relevant ISPs to shut the phishing site down.

"The main thing we do is shut down the Web site. It may be hosted from 12 different locations--China, Seoul and Lithuania--but we get a real-time translator, contact the local ISP, and tell them we are calling from the bank; please shut it down," he said.

Having repeated this process about 15,000 times, Bennett claims that his company is getting rather good at it: "On average, the duration of a phishing site is about 6.5 days. With RSA Cyota, it is 5.5 hours--we really shorten the window of opportunity."

The information gathered by RSA Cyota will also be used by Microsoft in IE 7, the next version of its Internet Explorer browser. IE 7 will use Cyota's database of known phishing IP addresses to block access to fraudulent Web sites.

"We have cut a deal with Microsoft, AOL and other ISPs. Within minutes of discovering a phishing attack, we send Microsoft the IP address of the spoofed Web site. If, by mistake, you click on a (phishing) link, you will see a message telling you (that) you can't enter the Web site because it is a fraudulent one," Bennett added.

The technology gained by RSA when it acquired Cyota is also being used to provide banks with a risk-based authentication system that provides an "invisible" second layer of security.

The profiling system seems to be favored by banks for their mass market, low-value customers because it does not require relatively expensive tokens, which have for many years been employed by large banks to protect high-value customers and transactions.

Editorial standards