Phish Phighter Battles

Just when you thought it was safe to click …

Bill Zahren

The days when a bored teenager would hatch a virus in his basement – just to prove he could – and start the epidemic using a 3.5-inch floppy are long gone.

Even spyware – with its Big-Brother-like, harassing approach to get you to buy things – seems to have waned in the face of fury from consumers and Congress.

In some ways, those were the good old days. Things were more simple and straightforward. Today’s cyber criminals have mutated and adapted and become more virulent than ever, says one of the country’s leading cyber crime fighters. Driven by the prospects of billions in ill-gotten gains, today’s digital grifters are colluding and collaborating to come up with ever-more exotic and uncannily legit-looking schemes to steal your money and leave you to deal with the fiscal and reputation carnage of identity theft.

Welcome to Paul Laudanski’s world. Every day for the last five and a half years Paul Laudanski has plunged into an online knife fight with some people you hope to never meet. Paul and his wife, Robin, are the founders and operators of CastleCops.com, a site dedicated to leading a legion of volunteer “good guys” in fighting online scams.

Since throwing his efforts into the online battle full time, the Laudanskis have become allies with scores of government crime fighters and like-minded volunteers. Today Paul may be among the foremost experts in the world of online scams.

The “bad guys” certainly know who Laudanski is, and they aren’t pleased to make his acquaintance. Elements from the digital dark side repeatedly invest thousands of bot-infected computers in laying siege to CastleCops.com, including the mother of distributed denial-of-service (DDoS) attacks in September. With help from friends and a brave hosting company, CastleCops has stayed up, turning back the frequent onslaughts.

Why does Laudanski attract the ire of online criminals? Because he regularly helps put a kink in the mighty river of cash created by illicit online activities. This isn’t some guy stealing your ATM PIN to buy a fifth of Wild Turkey and some smokes. The stakes are astronomical; some estimate cyber crimes cost consumers and businesses more than $100 billion a year. The more money at stake, the more viciously criminal elements fight any threats to the cash flow, hence the aggressive attacks on Castle Cops.

With billion-dollar carrots dangling before them, brilliant minds are hard at work at mutating malware and creating converged and blended approaches to stay one step ahead of security companies and filtering software. Like legitimate businesses with huge profit motives, criminals have harnessed innovation, imagination and creativity to pillage bank accounts and destroy credit ratings around the world.

“It’s all converged and blended together,” Laudanski says. As an illustration, he outlines one example of a sophisticated, multi-player phishing scheme:

Step 1: Gaining access to a super-secure online forum where criminals offer a huge array of services, you contact a bot master and lease his network for $150 to $200 a day.

Step 2: The bot master sends a back-channel signal to order legions of infected “zombie” computers to send out a spam email (totally unbeknownst to the computer’s owners). The spam makes a convincing argument for the recipients to visit a phishing site that is designed to look exactly like the real Web site for Brand X bank.

Step 3: Hire another bot master who agrees to run a “fast-flux phish.” That’s a phishing site that looks exactly like the legitimate Brand X site but moves from host computer to host computer every 60 seconds, making it super-difficult to trace.

Step 4: Steal a domain name from a registrar anywhere in the world that makes it hard for good guys to get that registrar to shut things down by reclaiming the name.

Step 5: Have the information that people unwittingly enter (those fooled by the phish) delivered to a drop email address at some free ISP.

Step 6: Gather the stolen info and go back to the carder forum to sell the information to the highest bidder or start using the stolen credit card numbers for merchandise. You can also send money from the stolen cards to yourself using some online payment service.

Step 7: If you need intermediaries to turn digital information into real cash, recruit some “mules” using too-good-to-be-true email job offers. Just send out 1,000 emails offering $3000 a day for two hours’ work. Get the suckers or cash-desperate who respond to accept deposits into their bank accounts or online bill-paying accounts and send you checks. By the time the authorities track down the mule, you’re long gone leaving him or her to deal with the liability.

Laudanski says phishing schemes have become elaborate and incredibly realistic. “Some high-ranking security people have fallen for phish,” he said. “Everyone can fall for these if you are caught at the right time. You know how they have those infomercials on at two or three in the morning? If you saw that at noon you’d never buy it but because you saw it at three in the morning and you’re tired and not thinking you say, ‘Let me go ahead and buy it.’ Same thing can happen with phish when you aren’t thinking or distracted or tired or whatever.”

Castle Cops battles phish by first encouraging people to report suspected phish on to its site. Once a suspected phishing URL is reported to Castle Cops and a volunteer “handler” verifies it’s a phish, then they begin to dig.

They trace the phish to the server and alert anyone connected (almost always unwittingly) to the phish. That includes the brand being used to entice people to respond to the phish, the server host, the domain name registrar and more. The coordinated response from all involved can quickly kill the phish threat and therefore limit its damage. Finally, evidence is preserved for law enforcement authorities.

Laudanski’s group would like to get into more proactive programs that make it more difficult to conduct a phishing scam, but budgets are slim. “We’re always looking for funding,” Laudanski said. (Donations are gratefully accepted on CastleCops.com.)

Laudanski said there are a “growing number of threats and schemes” and a growing array of perpetrators who range from “script kiddies” who obtain malware and then mutate it for their own purposes to “organized criminal elements which operate in a professional fashion.”

Another reason the digital dark side doesn’t like Laudanski is that he shines a public awareness light on the problem and builds coalitions to fight back. Since founding Castle Cops, Laudanski has recruited more than 50 partners including domain registrars, Internet service providers, software companies, even the giant computer security firms and law enforcement agencies. He remains an active evangelist for ways business and consumers can fight online crime.

“Much like the criminals work together, the good guys have to work together,” said Laudanski. He said the huge majority of Internet Service Providers and domain name registrars and others, once they’re convinced of the public service spirit of groups like Castle Cops, are eager to join the effort.

Castle Cops also conducts training academies for volunteers to learn to help people clean out infected computers and use other security tools. They also have “incident report and termination teams” that respond to phishing, spam, malware attacks and Web server incidents.

So, after nearly 6 years carrying on the battle on a shoestring budget, are the white hats having any success? “I’m encouraged,” he said. “There may be people out there who disagree with me, but I’m encouraged.” Visitors to CastleCops.com are more pessimistic. A poll there shows 44% of 1209 respondents thought the bad guys were winning the online war. Another 29% called it a stalemate while 27% said the good guys were winning.

The ultimate solution probably comes down to a huge upswing in public awareness. “No matter what the good guys and the bad guys are doing out there it ultimately comes down to the consumers’ decisions as to whether or not they are going to use these tools to help protect themselves and whether they visit the phishing site or not and whether they open the attachment from someone they don’t know,” Laudanski says.

“When you get an email that says ‘go to your bank site’ you’ve got to have common sense and think about it. Don’t go on your computer at three o’clock in the morning. It’s not an infomercial. Go on your computer when you have your wherewithal and use your common sense and think twice about what you’re going to do.”

Stop Responding to Threats.
Prevent Them.

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles