
ID Theft Ring Uses Spyware
by Mary Beth Guard, Executive Editor

What's your estimate of how many of your institution's customers have installed anti-spyware on their computers? If you estimated anything higher than 10-15%, your nickname's probably Pollyanna. In truth, a terrifyingly high percentage of computers are not protected against the spyware threat and as a data cache uncovered last weekend by Sunbelt Software shows, accounts are at risk as a result -- and that could spell losses for your institution unless you take measures to protect against them.

How scary is this?
Think for a minute about the computer(s) you use. Ponder what you've typed over the last week. Now imagine that a hidden program on your machine was capturing keystrokes and browser window titles, waiting for trigger words that indicate you're visiting a popular auction site, a financial institution, an online casino, or a person-to-person payment provider. Without being detected by either a software or hardware firewall (it even turns off the Windows XP firewall!), the malicious software quietly captures user names, passwords, data from the Windows clipboard, information in the Internet Explorer Protected Storage area, chat sessions, and more. It also blocks access to the Web sites of a variety of anti-virus companies.
Clearwater, Florida-based Sunbelt Software, Inc. uncovered a massive identity theft ring that is apparently using spyware. A user's machine is compromised when the user unwittingly visits a Web site carrying the malware; a trojan keylogger then harvests sensitive personal information, saves it as a highly organized .txt file, and sends it to a remote server where the thieves can exploit the data. It's like a data warehouse for would-be hackers. The company has chronicled its findings in the Sunbelt Blog, where company president Alex Eckelberry reveals:

  • The trojan will generally go undetected by the average user, even one using a hardware or software firewall;
  • The trojan was designed to block access to various anti-virus company sites;
  • The trojan is a new variant of a family of existing trojans generally known as Dumaru or Nibu;
  • A free detection and removal tool is in the works from Sunbelt (but wasn't out as of the time this article went to press). Check with your anti-virus software company to see if it has one by now; the free trial of the consumer version of Sunbelt's Counterspy program will scan for the keylogger and remove it.
  • They've named it Srv.SSA-KeyLogger; other companies may call it something else.

Obviously, you could be at risk as an individual and want to be certain your own computers (and those within your institution) haven't been infected and are properly protected against ongoing risk. For financial institutions, however, the far bigger threat lies in compromised customer machines and/or data, not just from this particular exploit, but from similar keyloggers, as well as phishing scams and pharming schemes. When your customer's information has been stolen, what measures can you use to detect that subsequent online activity is coming from an impostor? One way is through IP geolocation.

BOL spoke to Gary Jackson, Senior Vice President of Operations for Quova, Inc. about how IP geolocation can help. "When a bad guy enters a branch with a mask on, he's easy to spot. Online, you can't see a mask," says Jackson. You can't stop identity theft, but with Quova's real-time IP geolocation, it's possible to know the geographic location of website visitors and spot possible anomalies that could indicate fraud.

When a computer is connected to the Internet, it has an IP (Internet Protocol) address. The IP address might be associated with a particular company domain, a particular Internet service provider, or even an Internet service of some type that purports to allow its users to mask their own IP addresses and thus surf anonymously. If you know the IP address used for a particular session by a customer, you could attempt a reverse lookup (reverse DNS or a registry WHOIS query) to try to determine where the session originated. The data available to most of us for such look-ups is spotty at best. Registry information is just 30% of the picture, and there are currently about 1.5 billion publicly routable IP addresses, according to Jackson.

Fairly large blocks of IP addresses are allocated at a time. Let's say Comcast, for example, registers thousands of IP addresses at once and then re-allocates those addresses geographically. Quova tracks and traces those types of re-allocations, spending roughly a man-day of effort per IP block researching the addresses. It also invests a lot of time in tracking anonymizers so that anonymizer IP addresses are properly labeled as such. An individual bank doing a reverse IP look-up wouldn't have that capability.

IP geolocation can be used in two contexts: in real time, to determine whether a log-in or session appears to be fraudulent; and after the fact, as a forensic analysis tool. Quova provides the database and services around the database. They can even supply the rules around the database. You can learn the patterns of your customers, in terms of their online banking sessions, and detect potentially suspicious activity. If your customer from Kansas logs on with an IP address from an eastern bloc country, you may have a problem! Quova spends a lot of time educating its customers about what an IP address is. To get that kind of coverage and level of information (about 22 discrete pieces of information per address), it takes a company like this.

Jackson says there are multiple places you need to be checking during the online banking session. You can't just check someone at the "front door"; you also need to be checking at every department door. In other words, it's important to check IP geolocation information at the point of log-in, but because session capture programs are designed to linger in the background until all the authentication has been performed, then kick in and go off on a tangent during that session to do something like execute a wire transfer, you have to be monitoring the IP address throughout the session. You need to know whether the IP address has changed, and whether the domain from which the request arrived is the same as it was five minutes ago.

What you're trying to determine is whether the customer is coming from somewhere that makes sense in light of what you know about the customer. If not, the bank can have "rules" in place that allow for particular reactions. For example, if the IP geolocation information falls outside certain known parameters for the customer, a message could appear on the screen saying "We're sorry. We cannot accommodate your transaction at this time. Please call customer service."

Another alternative is to allow the session when an anomaly is detected but limit the types of transactions that can be performed. For example, the bank could allow record viewing but block bill pay or wire transfers.
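As an added illustration of the rules described in the preceding paragraphs (example code written for this page, not Quova's software or anything the article quotes), the Python below applies geolocation-based rules to a whole online banking session rather than only to the log-in: it flags an unexpected country, an anonymizer, and an address that changes between log-in and a money movement, and it answers with the two responses the article describes (end the session with a "please call customer service" message, or keep the session but refuse transactions). The CIDR-to-country table is constructed for the example from RFC 5737 documentation ranges; the customer profile, the action names, and the three-way allow/deny/terminate policy are assumptions chosen here. One caveat the article does not spell out: a trojan that issues a transfer from the customer's own infected PC shares that PC's address, so the mid-session address check catches stolen credentials or session tokens replayed from elsewhere, not a transfer sent from the infected machine itself.

```python
"""Session-level IP geolocation rules (added example; not Quova's code).

The geolocation table is constructed for illustration.  A real deployment
would query a commercial database (the article mentions Quova) instead.
"""
import ipaddress
from dataclasses import dataclass

# Constructed table: CIDR prefix -> (ISO country, is_anonymizer).  All prefixes
# are RFC 5737 documentation ranges given meanings only for this example.  A
# more-specific prefix overrides its parent, which is how a sub-allocation or a
# proxy range inside a large ISP block gets its own label.
GEO_TABLE = {
    "192.0.2.0/24":     ("US", False),   # stands in for a Kansas ISP
    "198.51.100.0/24":  ("US", False),   # another US ISP
    "203.0.113.0/24":   ("RO", False),   # stands in for an eastern-European ISP
    "203.0.113.128/25": ("RO", True),    # anonymizing proxy range inside that ISP
}

# Longest prefix first, so the first hit is the most specific allocation.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), v) for p, v in GEO_TABLE.items()),
    key=lambda nv: nv[0].prefixlen, reverse=True)


def geolocate(ip):
    """Longest-prefix match: returns (country, is_anonymizer); country is None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, value in _NETWORKS:
        if addr in net:
            return value
    return (None, False)


# Actions that move money are held to a stricter standard than viewing.
HIGH_RISK = {"wire_transfer", "bill_pay", "add_payee"}


@dataclass
class Profile:
    customer: str
    home_countries: frozenset   # countries this customer normally banks from


@dataclass
class Request:
    ip: str        # address this request arrived from
    action: str    # "login", "view", "wire_transfer", ...
    login_ip: str  # address recorded at log-in for this session


def decide(profile, req):
    """Apply the rules to one request and return (decision, reasons).

    'allow'     - proceed
    'deny'      - refuse this action, keep the session in view-only mode
    'terminate' - end the session and ask the customer to call in
    """
    country, anonymizer = geolocate(req.ip)
    reasons = []
    if anonymizer:
        reasons.append("anonymizing proxy")
    if country is None:
        reasons.append("location unknown")
    elif country not in profile.home_countries:
        reasons.append("unexpected country " + country)
    moved = req.ip != req.login_ip
    if moved:
        reasons.append("address changed since login")

    if not reasons:
        return "allow", reasons
    # A proxy hides the true origin, and an address that changes between log-in
    # and a money movement is the pattern of a hijacked session: end it.
    if anonymizer or (moved and req.action in HIGH_RISK):
        return "terminate", reasons
    # Otherwise degrade gracefully: viewing is allowed, moving money is not.
    if req.action in HIGH_RISK:
        return "deny", reasons
    return "allow", reasons


def run_session(profile, events):
    """Evaluate a whole session.  events is a list of (ip, action); the first
    event is the log-in.  Checking continues after log-in and stops only when a
    request terminates the session."""
    login_ip = events[0][0]
    results = []
    for ip, action in events:
        decision, reasons = decide(profile, Request(ip, action, login_ip))
        results.append((action, decision, reasons))
        if decision == "terminate":
            break
    return results


if __name__ == "__main__":
    kansas = Profile("customer-0001", frozenset({"US"}))
    scenarios = {
        "normal":             [("192.0.2.10", "login"), ("192.0.2.10", "view"), ("192.0.2.10", "wire_transfer")],
        "foreign log-in":     [("203.0.113.5", "login"), ("203.0.113.5", "view"), ("203.0.113.5", "bill_pay")],
        "hijack mid-session": [("192.0.2.10", "login"), ("192.0.2.10", "view"), ("198.51.100.7", "wire_transfer")],
        "via anonymizer":     [("203.0.113.200", "login"), ("203.0.113.200", "view")],
    }
    for name, events in scenarios.items():
        print(name)
        for action, decision, reasons in run_session(kansas, events):
            print("   ", action, "->", decision, reasons)
```

Running the block walks four constructed sessions: the normal one is allowed throughout; the foreign log-in is allowed to view but gets "deny" on bill pay (the view-only response); the wire transfer that arrives from a different address than the log-in, and any session through the labeled anonymizer range, get "terminate" (the "please call customer service" response). Because the log-in address is carried on every request, the rule fires at the wire transfer, not just at the front door.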

One institution, with the cooperation of the FBI, is luring would-be thieves into a honeypot, allowing them access to what appears to be a customer's account but is in fact fake. That lets the bank's forensic experts and/or the FBI do real-time analysis.

There's an enormous range of possibilities for responses to a geolocation red flag. As Jackson notes, for example, on a brokerage account there is usually a 24-hour period for settlement, so it may be sufficient to generate a report to be handed to a supervisor on an hourly basis. One bank, on the other hand, has the equivalent of a NASA-type console with real-time monitoring, flashing lights, and investigators that go right to work.

Jackson stresses that geolocation is not perfect. You cannot depend on any one technology. A combination of technologies is the best protection. Geolocation has been extremely effective in the e-commerce space and it has the advantage of being non-invasive, requiring no interaction from the end user, and it adds a layer of protection that would be hard to get from any other source.

Right now, someone's entering in a user name and password to log in to an online account at your institution. If you haven't put measures in place to help you determine whether it's really your customer or not, it's time to investigate your options for doing so as the spyware threat looms larger and more serious.

First published on 08/12/2005
