Startup Malcovery Security has a unique way of looking at phishing attacks. Through deep analysis of phishing spam, Malcovery can often identify the precise person behind waves of attacks. The idea is to take that person out of commission – preferably to put them behind bars – in order to eliminate the source rather than just the symptoms of phishing.
A few weeks ago I sat in the conference room of the small corporate office of Malcovery Security in Birmingham, Ala. Gary Warner, Malcovery’s co-founder and chief technologist, held up his computer for all in the room to see. “Here is a known phisher’s Facebook page. Here’s his picture, and another photo of him playing with his children. Here is his email address and where he works,” Warner calmly stated.
Warner went on to tell us that this particular guy has been attacking banks in Europe with a series of phishing campaigns. “The reason we know it is him is that the email address behind this Facebook page is actually the same email address where login credentials stolen via his phishing campaigns are being mailed to,” said Warner.
Malcovery has done this 23,000 times in the past year, identifying the email addresses of the criminals behind similar attacks. Of course, once law enforcement agencies have identifying information like that, it’s not difficult to dig a little further to get a physical address where they can show up to bust the guy.
While Malcovery experts do work closely with law enforcement agencies around the world to aid in take-downs and arrests, the company’s main services are for companies whose brands are often abused in phishing campaigns, as well as for owners of large networks where hostile phishing emails come in. Your company probably fits at least one of these profiles, so read on to learn how Malcovery is battling phishing attacks in unique ways.
The Anti-Phishing Working Group reports that there are some 700 or so organizations whose brands are repeatedly abused in phishing campaigns. Such schemes are designed to trick end users out of their critical information, such as user ID and password, credit card number, CVV and card expiration date. You know the companies they spoof because you’ve received the phishes: eBay, FedEx, practically every leading bank, the IRS, and so on.
For these victim companies, Malcovery provides an in-depth Phishing Intelligence Report that delivers specific information such as who is running the phishing campaigns against the brand, precisely what their messages look like, and where the purloined credentials are going.
Warner explains his company’s fundamentally different approach to stopping phishing attacks: “Let’s say you operate a major bank, which I’ll call Acme Bank. Acme Bank may have a thousand phishing sites created against it this month. These are fake websites where individual victims are tricked into entering their account information because they think they are on Acme’s real website.” Warner says thousands of people fall for these tactics every week, making it lucrative for phishers to run their campaigns.
Malcovery’s tools help to identify the serial offenders who create the most phishing sites against a brand. The company recommends applying a disproportionate share of resources against the biggest identified source of fraud. “If you are Acme Bank, we think it is more important to identify who has created the greatest number of phishing sites against you and treat them differently than everyone else. If we can identify the guy who is making the most phishing sites and then give you the explicit information you can use to take him down, that would have long-term benefit to you. If he made 30% of all the phishing sites against your brand this month, getting rid of him is a different approach than just trying to take down the sites he creates.”
The Malcovery team uses public and private data feeds, honeypots, spam filters and “abuse boxes” – those email addresses where consumers report suspected phishes – to collect a wide range of spam that contains malicious links. The analysts follow those links and dig into the websites that are used to collect the individual victim’s credentials.
Most of those sites work the same way: once a victim enters private info into a web form, the site’s script forwards that data via email to the criminal. Malcovery is able to identify the email address of the criminal behind that attack. “Quite often we are able to tell you exactly who the person is,” says Warner. “Our idea is, if we can identify the criminal, we want to put an effective countermeasure in place to cause him to no longer attack your brand. My favorite effective countermeasure is handcuffs.”
Malcovery is also able to collect the information about the compromised credentials. So for Acme Bank, the bank knows precisely which of its customer accounts may be affected, and it can do things like block file transfers from those accounts, and perhaps change the customer’s credentials to prevent fraud.
Another service Malcovery provides is T3, the Today’s Top Threats report. This service is applicable to any organization with a sizeable network. (Malcovery defines size by the number of security professionals the organization has rather than by the number of end users. A company should have a couple of knowledgeable IT security people on staff to really utilize the intelligence provided in T3.)
Malcovery uses the T3 report to document the details of the most malicious email campaigns of the day. The company’s analysts delve into samples of hundreds of thousands of suspected bad emails and watch what happens when they open an attachment or click an embedded link. Phishing campaigns tend to be built from toolkits, so they basically use the same files, subject lines and message content. Malcovery develops indicators of compromise that IT security professionals can use to block messages coming from specific IP addresses or with specific subject lines, or to block outbound traffic going to specific URLs that may be command and control servers. The information is explicit and extremely accurate, and it takes the guesswork out of preventing phishing attacks.
The T3 report comes in two formats. An XML version enables companies to automate implementation of the data to firewalls and other devices. A more in-depth PDF document acts as an incident manager’s guide to all of the details about the day’s most troubling email campaigns. The XML version is issued numerous times a day, while the PDF is issued once daily. Both versions of the report deliver actionable information on the day’s most serious threats.
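To make concrete what “automating implementation of the data” looks like on the receiving end, here is an added example of the consumer side: a small Python script that parses a daily indicator feed and matches it against mail-gateway and web-proxy logs. This is not Malcovery’s code, and the XML layout below is a hypothetical one constructed for illustration, not the real T3 schema; the log line formats, IP addresses, URLs and subject lines are likewise constructed sample data.

```python
"""Consume a daily IoC feed and match it against mail and proxy logs.

Added example; not Malcovery's code. The XML layout is an assumed,
hypothetical one (the real T3 schema is not shown on the page), and the
feed contents and log lines are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed feed in a hypothetical layout: one <campaign> per email campaign,
# carrying sender IPs, reused toolkit subject lines and command-and-control URLs.
FEED_XML = """<threats date="2013-01-01">
  <campaign id="c1" name="Fake parcel notice">
    <sender_ip>198.51.100.23</sender_ip>
    <sender_ip>203.0.113.7</sender_ip>
    <subject>Your package could not be delivered</subject>
    <c2_url>http://example.net/gate.php</c2_url>
  </campaign>
  <campaign id="c2" name="Fake bank alert">
    <sender_ip>192.0.2.45</sender_ip>
    <subject>Urgent: verify your account</subject>
    <c2_url>http://example.org/panel/login</c2_url>
  </campaign>
</threats>"""

# Constructed mail-gateway log lines (one per inbound message).
MAIL_LOG = [
    '2013-01-01T08:12:03 from=<noreply@example.com> ip=198.51.100.23 subject="Your package could not be delivered"',
    '2013-01-01T08:14:51 from=<hr@example.com> ip=10.0.0.5 subject="Q1 holiday schedule"',
    '2013-01-01T08:20:09 from=<alerts@example.com> ip=192.0.2.99 subject="URGENT: Verify your account"',
]

# Constructed web-proxy log lines (one per outbound request).
PROXY_LOG = [
    '2013-01-01T08:15:44 src=10.0.0.12 url=http://example.net/gate.php?id=17',
    '2013-01-01T08:16:02 src=10.0.0.12 url=https://www.example.com/news',
]

MAIL_RE = re.compile(r'ip=(?P<ip>\S+) subject="(?P<subject>[^"]*)"')
PROXY_RE = re.compile(r'src=(?P<src>\S+) url=(?P<url>\S+)')


def normalize_url(url):
    """Lower-case scheme and host and drop the query string so feed and log agree."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def parse_feed(xml_text):
    """Build lookup tables: indicator value -> campaign name."""
    root = ET.fromstring(xml_text)
    iocs = {"ips": {}, "subjects": {}, "urls": {}}
    for camp in root.iter("campaign"):
        name = camp.get("name")
        for ip in camp.iter("sender_ip"):
            iocs["ips"][ip.text.strip()] = name
        for subj in camp.iter("subject"):
            # Toolkit campaigns reuse subject lines, so an exact case-folded match is useful.
            iocs["subjects"][subj.text.strip().lower()] = name
        for url in camp.iter("c2_url"):
            iocs["urls"][normalize_url(url.text.strip())] = name
    return iocs


def scan_mail_log(lines, iocs):
    """Flag inbound messages by known sender IP, else by known subject line."""
    hits = []
    for line in lines:
        m = MAIL_RE.search(line)
        if not m:
            continue
        ip, subject = m["ip"], m["subject"].strip().lower()
        if ip in iocs["ips"]:
            hits.append((iocs["ips"][ip], "sender_ip", ip, line))
        elif subject in iocs["subjects"]:
            hits.append((iocs["subjects"][subject], "subject", m["subject"], line))
    return hits


def scan_proxy_log(lines, iocs):
    """Flag outbound requests to known command-and-control URLs (host that made them)."""
    hits = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        url = normalize_url(m["url"])
        if url in iocs["urls"]:
            hits.append((iocs["urls"][url], "c2_url", m["src"], line))
    return hits


def blocklists(iocs):
    """The lists an automated consumer would push to the mail gateway and proxy."""
    return {"sender_ips": sorted(iocs["ips"]), "c2_urls": sorted(iocs["urls"])}


if __name__ == "__main__":
    iocs = parse_feed(FEED_XML)
    for hit in scan_mail_log(MAIL_LOG, iocs) + scan_proxy_log(PROXY_LOG, iocs):
        print(hit[:3])
    print(blocklists(iocs))
```

Two points are worth noticing in the sample run. The third mail line comes from an IP that is not in the feed, yet it is still caught because its subject line is one the toolkit reuses; that is exactly why the report carries subject lines as well as addresses. The proxy hit identifies the internal host that reached out to the command-and-control URL, which is the lead an incident manager would follow up with the PDF version of the report.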
Malcovery is one of the startup companies to come out of the Computer Forensics lab at the University of Alabama at Birmingham, as well as the Innovation Depot in Birmingham. (See What’s happening in the Silicon Valley of the Southeast will surprise you.)
Linda Musthaler is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.