Phishing as anti-phishing

Identity theft through phishing has become an extremely lucrative business for many criminal organizations. Among the anti-phishing techniques available, one original strategy is to turn phishing methods against their perpetrators.

2.8 billion dollars. That’s how much was lost (or gained, depending on which side of the fence you’re on) as a result of phishing in 2006, according to the Gartner Group. What’s more, unlike real-world identity theft, phishing is both less costly and involves an innumerable number of potential victims. It’s often enough to create a simple website that completely clones the original and lures the gullible surfer in to steal his or her login details, passwords, credit card number, etc. After that, it’s up to the phisher’s imagination what he or she can do with it.

Standard anti-phishing techniques include user education and awareness, and deactivation of the fraudulent website. The problem is that the servers hosting these sites are mostly located in faraway countries, and more often than not have no legal agreements with the countries of the victims. By the time they’ve found the host and asked for the site to be suspended, the pirates have plenty of time to recover a large number of identities and disappear; and filing a complaint in the country where the fraudulent site is located is extremely difficult, since no reliable information is available on phishers. This form of anti-phishing isn’t very effective, because as soon as one site disappears, another is set up, which can be paid for using the products of the previous site. Anti-phishing also involves the blacklisting of fraudulent e-mails or the implementation of more sophisticated authentication systems, with no really spectacular results. It’s against this backdrop that a highly original approach has emerged: turning the weapon of phishing against its perpetrators.

This direction, which comes from a group of researchers at the University of Bochum, Germany, is designed to make it easier to trace the agents involved in phishing, and to increase the cost and risk of phishing. The first idea in this anti-phishing strategy is to provide phishing sites with a large amount of false data. The first result is to fill phishers’ databases with false information, which means they have to spend more time (and resources) separating the good information from the false.

The second idea is to add a unique fingerprint to this false information, in the same way that banknote numbers are used to trace hold-up money. When the phisher (or, in practice, the person to whom he delivers/sells the data) uses these false identities to access the real service (e.g. a bank account), he will immediately be identified as a phisher and redirected to a honeypot, a virtual system that clones the bank’s real website. The phisher believes he’s on the real site, making real money transfers, while the honeypot takes advantage of the situation to gather information about the network he’s using, as well as other information. Not only does this allow us to identify a phisher (insofar as anyone can be identified on a network like the Internet), but depending on how he uses the identities in his possession, we can also determine his exact function in the chain: is he an intermediary who makes online purchases on behalf of his victims, or a money launderer who transfers money to offshore accounts in a tax haven, or a beneficiary who withdraws money from ATMs using a false card, or receives goods bought online using stolen identities.

Thanks to this anti-phishing technique, we can obtain a precise identification diagram of the criminals’ system and track their operations in real time.