The Email Service Provider’s Role in the Battle Against Online Fraud
As anticipated in my first blog post, email service providers play a central role in the battle against online fraud. This is because they are often the only organizations that hold the data needed to support financial institutions and law enforcement agencies in prosecuting criminals.
Most phishing sites are hosted on compromised Web servers. In the past, stolen account details were written to local log files on those servers, and phishers tended to use fairly standard filenames for them (such as “data.log” or “cc.txt,” where “cc” obviously stands for credit card). Web servers with directory listing enabled, together with analysis of the phishing kits themselves, quickly made this simple technique ineffective, because financial institutions could read those files too. They were therefore able to block the stolen Internet banking accounts and credit cards, preventing further fraud.
To avoid this “problem,” the latest trend seen in phishing kits is to send stolen credentials to email accounts (called “drop-boxes”) that were created ad hoc, compromised in previous phishing attacks, or harvested by password-stealing malware. With this technique, phishers can hide stolen credentials much more effectively, and financial institutions have a hard time recovering that data quickly enough to block compromised accounts and credit cards before fraud occurs.
The role of the email service provider in this picture seems pretty clear: providing the contents of a “drop-box” to financial institutions quickly enough is a key part of preventing fraudulent activity. Some additional research shows that there is actually much more available than that: providing further data, such as the full log of the IP addresses that logged into a drop-box, is another invaluable source of information. While the analysis of a single log file usually does not prove particularly valuable, correlating the data from several different attacks is often enlightening.

Figure 1. Sample phishing analysis
Figure 1 illustrates a typical situation. In this analysis, Symantec considered three different attacks that hit a single financial institution within a short period of time. Log data provided by Yahoo and Google (at our customer’s request) allowed us to plot all of the IP addresses that had visited the three drop-boxes since the attack was discovered, and the presence of common IPs was immediately evident. Those common IPs most likely belonged to the phishers, and that assumption constitutes the starting point for law enforcement agencies to prosecute the criminals.
Web log monitoring of Internet banking front-end servers can sometimes provide similar information. I will provide a detailed overview of this technique in my next blog post.
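The correlation behind Figure 1 is simple enough to script. The block below is an added example, not Symantec's tooling or anything the mail providers supply: it parses a constructed drop-box login history (one line per login, in an assumed "<drop-box id> <ISO timestamp> <IP>" layout), skips malformed lines, and reports every address that logged into more than one drop-box, ranked by how many drop-boxes it touched. The `exclude` parameter is an assumption worth building in from the start: once an attack is discovered, the bank's own analysts and the provider's staff also read the drop-box, so their addresses must be removed before anyone treats an overlap as evidence of the phisher.

```python
"""Correlate drop-box login IPs across several phishing attacks.

Added example. The log format and every entry in SAMPLE_LOGS are
constructed for illustration; they are not real provider data.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: three drop-boxes (A, B, C) tied to three attacks on
# one bank. 203.0.113.17 logs into all three, 198.51.100.23 into two, the
# rest into one. The last line is deliberately malformed.
SAMPLE_LOGS = """\
dropbox-A 2009-03-02T08:14:05 203.0.113.17
dropbox-A 2009-03-02T09:02:41 198.51.100.23
dropbox-A 2009-03-03T22:19:10 203.0.113.17
dropbox-B 2009-03-04T01:45:32 192.0.2.88
dropbox-B 2009-03-04T02:10:07 203.0.113.17
dropbox-B 2009-03-05T13:33:49 198.51.100.23
dropbox-C 2009-03-06T07:58:02 203.0.113.17
dropbox-C 2009-03-06T08:00:51 192.0.2.200
dropbox-C 2009-03-07T19:21:15 malformed-entry
"""


def parse_login_log(text):
    """Return a list of (dropbox_id, datetime, ip_address) tuples.

    Lines that do not have exactly three fields, or whose timestamp or
    address does not parse, are skipped rather than aborting the run:
    provider exports are rarely perfectly clean.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        box, stamp, ip = parts
        try:
            when = datetime.fromisoformat(stamp)
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.append((box, when, addr))
    return entries


def correlate_dropboxes(entries, min_dropboxes=2, exclude=()):
    """Map each address seen in at least `min_dropboxes` drop-boxes to the
    sorted list of drop-box ids it logged into.

    `exclude` holds investigator addresses (assumed known in advance) so
    that analysts reading the drop-boxes after discovery are not reported
    as phishers.
    """
    excluded = {ipaddress.ip_address(ip) for ip in exclude}
    seen = defaultdict(set)  # address -> set of drop-box ids
    for box, _when, addr in entries:
        if addr in excluded:
            continue
        seen[addr].add(box)
    return {
        str(addr): sorted(boxes)
        for addr, boxes in seen.items()
        if len(boxes) >= min_dropboxes
    }


def rank_common_ips(hits):
    """Order correlated addresses by drop-box count, highest first."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    parsed = parse_login_log(SAMPLE_LOGS)
    for ip, boxes in rank_common_ips(correlate_dropboxes(parsed)):
        print(f"{ip:<16} seen in {len(boxes)} drop-boxes: {', '.join(boxes)}")
```

On the constructed sample this reports 203.0.113.17 (three drop-boxes) ahead of 198.51.100.23 (two) and ignores the single-drop-box addresses. Raising `min_dropboxes` tightens the filter when many attacks are being compared, and passing the investigators' addresses in `exclude` keeps the overlap caused by the response team itself out of the report handed to law enforcement.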