Lawsuit seeks to pry information from banks on account breaches

Information needed to go after those behind massive frauds, lawyer says

Anti-spam company Unspam Technologies Inc. filed a lawsuit on Wednesday aimed, in a somewhat roundabout way, at forcing banks to divulge any information they might have about hacking activities affecting their customer accounts.

The lawsuit, filed in U.S. Federal District Court for the Eastern District of Virginia, invokes the CAN-SPAM Act in seeking compensatory and punitive damages against unnamed "John Does" responsible for "stealing money from U.S. businesses [using malware.]"

The 11-page complaint alleged that cyber-thieves are stealing millions of dollars from U.S. bank accounts every month via virus infected e-mail spam.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Anti-spam company Unspam Technologies Inc. filed a lawsuit on Wednesday aimed, in a somewhat roundabout way, at forcing banks to divulge any information they might have about hacking activities affecting their customer accounts.

The lawsuit, filed in U.S. Federal District Court for the Eastern District of Virginia, invokes the CAN-SPAM Act in seeking compensatory and punitive damages against unnamed "John Does" responsible for "stealing money from U.S. businesses [using malware.]"

The 11-page complaint alleged that cyber-thieves are stealing millions of dollars from U.S. bank accounts every month via virus infected e-mail spam.

It says users who opened such spam messages are getting infected with keystroke logging programs that allow remote attackers to obtain that users banking credentials, break into their accounts and transfer money out of the country via illegal Automated Clearing House (ACH) transactions the complaint alleged.

Despite the large scale nature of such thefts, it is often very difficult to track down the perpetrators of such fraud because of the limited availability of information said Jon Praed, attorney for Unspam and founding partner of the Internet Law Group.

To identify those behind such crimes, more information needs to be made available on the techniques being employed by the criminals, the servers and botnets being used to launch attacks and the accounts and the destinations to which stolen money is transferred, Praed said.

Too often though banks whose customers are victimized by such fraud don't divulge any information on how exactly an account might have been compromised, where the money was transferred and how it was then "walked out" of the country, Praed said.

"That information is important and could lead us to the identities of the bad guys," Praed said.

Such information could also help other companies better defend themselves and their customers against similar theft, he said. "Right now, each bank that has been victimized knows what it knows and the victims know what they know."

"IT vendors may have a broader view of the problem but it is not clear they are sharing any information," he said.

Bringing a John Doe lawsuit is one way of trying to get at the information, Praed said. As part of the effort to unmask the identities of the Does in the lawsuit, Praed said he hopes to be able to convince banks to disclose information -- or force them to, if needed.

"Through discovery in our effort to identify the bad guys, we will be able to issue subpoenas if necessary to victims and witnesses asking then what they saw and what they did. There is no reason why we should have to compel them to tell us via subpoenas," if they are willing to do so voluntarily, he added.

"We are trying to gather the information in order to find a chokepoint," for stopping the attacks, he said. If the information showed that fraud was made possible because the banks were only using single-factor authentication, for instance, then the obvious way of mitigating the threat would be to strengthen authentication, Praed said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.