How Criminals Steal Passwords, Bank Websites, and the Internet: An Interview with Rod Rasmussen

[Motherboard]: The Tacoma, WA-based company Internet Identity wasn't meant to be a security outfit. When Rod Rasmussen started it in 1996, he was providing simple enterprise services like email. And then, in 1997, as tends to happen on the internet, someone did something bad: they set up an account posing as an America Online billing representative, and emailed thousands of people with a simple request: to verify your account, could you send us your credit card information?

It was the days of dialup, and on America Online itself, the ruse was already a popular one among wannabe preteen hackers looking for no-cost access to the internet: pose as an AOL employee, ask enough users for their passwords, and rack up accounts you could use, instead of getting your own. It wasn't victimless — users whose passwords were stolen would often lose their accounts. But there was an ideological component: if you thought the internet should be free, this was your way of sticking it to the man.

By aiming for credit card numbers en masse, the attack through IID represented a sick mutation of what would come to be known as phishing, in the phasion of hacker speak. However absurd it sounds, this basic social engineering hack would become the favorite trick of spammers the world over, resulting in billions of dollars worth of theft, and further besmirching the name of the famous stoner band.

Rasmussen caught the attempt as it was happening, noticed that over 300 unsuspecting AOL users had responded with their credit card information, warned them of the scam, and resolved to change his company's course. Now IID is one of the web's leading security companies, focused on things like large-scale phishing and abuse of the domain name system, a tactic that phishers use today to make malicious websites look like legitimate ones. The company’s latest report finds that phishing is up 12-percent year-over-year in the first quarter of 2011. And large-scale now means something as disturbing as a recently detected phishing scheme originating in China that targeted U.S. government officials, Chinese activists, and more.

Rasmussen, who co-chairs the Anti-Phishing Working Group's Internet Policy Committee, knows more than anyone should have to about the awful underworld that's trying to get your personal data, your money, and worse, so we exchanged some emails with him. They were probably woefully under-encrypted.

Why should we be concerned about the rise in phishing?

Phishing can hit anyone, and with serious consequences. In this report, we reported three areas that are of concern. One, that phishing was on the rise in general. Second, that the typical phishing site was active longer, meaning that there’s a better chance of getting caught in the phishers’ nets. Finally we noticed that cyber-criminals were targeting services people may not suspect, like online gaming sites, and thus potential victims may not have their guard up. This last point is particularly relevant given the recent attacks against Sony’s PlayStation Network, which exposed tens of millions of people’s vital data like addresses and passwords.

Who are these phishers, and how is their profile changing? And who tends to get targeted by them most?

There are a wide variety of phishers, from the stereotypical 'lone geek' to criminal syndicates. Most are young males. The changes we’ve seen are those you’d see in any industry or field that is beginning to mature, from individual pioneers to experienced teams working together, even if competitively. Targeting has remained fairly constant — wherever there’s money to be made the phishers will go.

But beyond going directly after access credentials, we’re also seeing targeting of intellectual property, infrastructure like the domain name system, and non-traditional assets like online gaming. We are also seeing small business owners targeted specifically, as phishers have learned how to extract large amounts of money via the Automated Clearing House (ACH) and other business-to-business payment systems.

What happens once one of these lone geeks manages to get someone’s personal or financial information? And what can a victim do, once they realize what’s happened?

Phishers often sell their information to people who specialize in turning those credentials into money. Small-time operations or newer ones tend to try to cash victims out themselves (with some notable exceptions). If a phisher gets an individual’s information, they’ll try to cash out a bank account via fake ATM cards or transfers to another account they control, sell off online gaming assets, buy goods online for reshipment, or use the credentials they got in one place to try to access another service the victim may use since many people use the same login information for multiple services.

If they capture a small business’s banking credentials, they’ll attempt to move large amounts of money via the ACH system — either directly overseas or in payments to 'money mule' accounts (as in the individual case, just at larger scale). The money mule will transfer the money to another bank account, or more frequently, take out the cash and wire it overseas using Western Union or MoneyGram. Some mule networks have even been set up to physically ship cash out of the country, but that’s pretty rare.

Victims should treat theft of credentials the same whether on-line or off — report it to the companies involved, get new credentials issued, update passwords, watch their credit reports — the same precautions you’d expect if someone stole your wallet.

How is the business of phishing changing? Are phishers so ahead of capture or law enforcement that their tactics have stayed relatively similar over the past few years?

The shift to targeting small business is a new phenomenon. However, newbie phishers still employ 'traditional' phishing methods. There are a number of public-private partnerships that have emerged to combat phishing. But we are seeing criminals adapting to measures employed by law enforcement and security companies as well — it’s a cat-and-mouse game.

Why are so many phishing sites based at or on the .tk domain?

CO.CC is actually a subdomain service, while TK is the country code for the tiny atolls known as Tokelau. In the latter case, this New Zealand territory has leased their delegated top level domain (TLD) to a company that sells or gives away domains under the .TK TLD.

Subdomain services do essentially the same thing, but on a domain name they registered with an 'official' domain registrar — you can think of it as buying a huge piece of unsettled wilderness within a bigger territory and then dividing it up for people to use. We’ve identified hundreds of organizations providing similar services over the years — they are typically used for individuals for blogs, photo sites, personal websites, personal email or other internet content services. These sites offer the consumer a low-to-no cost service and lots of control over an internet presence that you may not get with a traditional domain name.

We’ve seen large amounts of other types of abuse on these and similar services, and they often seem powerless to stop the abuse. This is usually said to be because of low margins (free services tend to have low margins of course) and lack of personnel to combat this abuse up front. We find these arguments to usually be spurious or at least misinformed, as these problems have been solved many times at relatively low cost for some basic protection, and we even pointed out that a Russian service had addressed their abuse problems quite well during the same time period. It’s more about will and commitment to reducing abuse than it is about adopting something with exorbitant costs.

What’s the non-phishing threat that we need to be paying attention to?

Well, we’re already paying plenty of attention to malicious software (malware) and botnets (a collection of infected computers), but they are the biggest threats today. Tomorrow’s big threats — and we’re already seeing it — are Internet infrastructure take-overs. If you can’t rob the customers of a bank, just steal the whole darn bank! That’s actually pretty easy to do in the online world since the underpinnings of the Internet itself — specifically the domain name system and routing, like border gateway protocol — aren’t well authenticated or protected.

Sorry, did you say that the underpinnings of the internet are not protected?

They are not well protected, but not completely defenseless. Two of the main protocols that make the Internet possible, DNS (domain name system) and BGP (border gateway protocol), have fairly large security holes in them and were not designed, at the time of implementation, with the kind of adversarial landscape we have today in mind. Nearly all domain names are accessed through registrars that have only simple username/password protection.

We already know how flawed that model is, especially when social engineering comes into play, and several high-profile hijackings bear that out (CheckFree, Twitter, Baidu, etc). Furthermore, several pieces of the DNS ecosystem are not well hardened to attacks and have seen hacking events that allow for wholesale take-over of domains. These range from single DNS servers to domain registrars to entire domain registries.

BGP has a different set of issues, as it has no authentication mechanisms built in at all today, and is almost entirely a trust-your-neighbors system. If someone advertises that they are routing a chunk of IP space, there are few, if any, safeguards in place to validate that, and those are typically only local to the legitimate holder of IP space. Thus, anyone with access to the BGP routing system (which can be easily obtained) can claim to be almost anyone they want to on the internet, and if done specifically enough, everyone on the Internet will believe them.

There is no built-in authentication at all, so I could advertise that I’m a service or bank or government or whatever, and traffic intended for those destinations will come to me instead of the intended recipient. We saw that last year in a big way, when a Chinese ISP managed to route almost 20-percent of the internet’s routes for several minutes, and it didn’t even slow down a lick.
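The "if done specifically enough" point above is worth seeing in code. The following is an added example, not something from the interview or from IID: a constructed two-route table in which the hijacker never has to out-announce the legitimate /16, only announce a more-specific /24 inside it, because BGP route selection prefers the longest matching prefix. The second half shows the kind of safeguard that exists outside BGP itself, origin validation against Route Origin Authorizations (the RFC 6811 "valid / invalid / not-found" outcome, as deployed with RPKI). The prefixes, AS numbers and next-hop labels are all constructed for the example.

```python
"""Longest-prefix match vs. origin validation for a constructed BGP table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # prefix announced in BGP
    origin_as: int                 # AS that claims to originate it
    next_hop: str                  # where traffic for the prefix will be sent


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix, no longer than max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


def make_route(prefix: str, origin_as: int, next_hop: str) -> Route:
    return Route(ipaddress.ip_network(prefix), origin_as, next_hop)


def make_roa(prefix: str, max_length: int, origin_as: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix), max_length, origin_as)


def validate_origin(route: Route, roas: List[Roa]) -> str:
    """RFC 6811 style origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"           # no ROA says anything about this address space
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                 # covered by a ROA, but wrong origin or too specific


def select_route(table: List[Route], dst: str, roas: Optional[List[Roa]] = None) -> Optional[Route]:
    """Pick the route a router would use for dst: the longest matching prefix wins.
    If ROAs are supplied, routes that validate as 'invalid' are dropped first."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if roas is not None:
        candidates = [r for r in candidates if validate_origin(r, roas) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Constructed table: AS 64500 legitimately announces 10.20.0.0/16; AS 64510
# (the hijacker) announces a more-specific /24 carved out of it.
LEGIT = make_route("10.20.0.0/16", 64500, "legit-border-router")
HIJACK = make_route("10.20.30.0/24", 64510, "attacker-router")
TABLE = [LEGIT, HIJACK]
# Constructed ROA: only AS 64500 may originate 10.20.0.0/16, and only as a /16.
ROAS = [make_roa("10.20.0.0/16", 16, 64500)]

if __name__ == "__main__":
    victim = "10.20.30.7"
    print("no validation :", select_route(TABLE, victim))        # attacker's /24 wins
    for r in TABLE:
        print(f"{r.prefix} from AS{r.origin_as}: {validate_origin(r, ROAS)}")
    print("with ROAs     :", select_route(TABLE, victim, ROAS))  # legitimate /16 wins
```

Two caveats a practitioner should keep in mind: origin validation only helps where the legitimate holder has published a ROA and the routers in the path actually drop "invalid" routes, and it says nothing about an attacker who announces the prefix with the correct origin AS forged at the end of the path; that requires path validation, which origin validation does not provide.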

What do you make of the Obama administration's efforts at cyber-security?

With all the recommendations and language for potential legislation that has just come out it is hard to get too specific. However, having the framework to work with is important to get things done. There has clearly been a lot of good work done in putting these together, but based on the initial feedback, there’s quite a bit more work to do in order to make effective change.

How would you carry out an "Internet infrastructure takeover"?

If I really wanted to wreck things, I’d do some BGP injections for the various time servers out there like network time protocol (NTP) and tell a huge chunk of critical servers out there that rely on precise timing (including stock exchanges, air-traffic controllers, critical infrastructure support, etc.) that it was a far different time than it was — or maybe just off by a bit. If you think about it, if time for any of those pieces of critical infrastructure is off, it could result in the crash of major stock exchanges, a major disruption in air travel, etc. That could generate a little real Y2K kind of chaos that could have some pretty gnarly effects on things.

Some other things you can do with DNS or BGP take-overs: you can intercept requests for major websites and drop malware on tons of computers, get access credentials on a grand scale (people will think they’re logging into their normal site), or intercept all the email for a company, government or other organization. Warning bells will go off on many of these scenarios, but we’re not really well postured to 'fix' these kinds of problems quickly and universally. Most registrars and registries are not staffed 24/7 with folks who can respond to these kinds of DNS take-overs quickly, and if I’m a clever bad guy, I set TTLs (time to live) really high on my bogus entries so they get cached for a long time around the net even after the hijacking is fixed. With BGP, there are literally hundreds of major carriers that would have to respond to a major route-hijacking event, though some of the big ones could probably implement a hack to undercut the bad guys in a major event scenario, but again, we’re not well set-up today to do that.
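The high-TTL trick described above is easy to reproduce with a toy resolver cache. The following is an added example, not code from the interview or from IID: a constructed timeline in which the hijacker controls a zone for one hour and serves a record with a one-week TTL, the registrar restores the zone at t=3600 s, and a caching resolver keeps handing out the attacker's address long after the fix. It also shows the two remediations available on the resolver side: an operator-imposed cap on cached TTLs (the 3600 s cap used here is an assumption for the example; real resolvers expose their own settings and defaults) and an explicit cache flush. The name, addresses and timings are all constructed.

```python
"""Resolver cache simulation: a hijacked record with a long TTL outlives the fix."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# An authoritative lookup: (name, now) -> (rdata, ttl)
Authoritative = Callable[[str, int], Tuple[str, int]]


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int


class Resolver:
    """Minimal caching resolver. max_ttl, if set, caps how long any answer is kept."""

    def __init__(self, max_ttl: Optional[int] = None):
        self.max_ttl = max_ttl
        self.cache: Dict[str, CacheEntry] = {}

    def resolve(self, name: str, now: int, authoritative: Authoritative) -> Tuple[str, str]:
        """Return (rdata, source); source is 'cache' or 'authoritative'."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.rdata, "cache"
        rdata, ttl = authoritative(name, now)
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)     # operator-imposed ceiling on caching
        self.cache[name] = CacheEntry(rdata, now + ttl)
        return rdata, "authoritative"

    def flush(self, name: str) -> None:
        """What an operator does by hand once the hijack is known."""
        self.cache.pop(name, None)


# Constructed timeline (seconds): the hijacker controls the zone from t=0 until
# the registrar restores it at FIX_AT; the bogus record carries a one-week TTL.
HIJACK_IP = "198.51.100.66"
LEGIT_IP = "192.0.2.10"
FIX_AT = 3600
BOGUS_TTL = 7 * 24 * 3600
NAME = "bank.example"


def authoritative(name: str, now: int) -> Tuple[str, int]:
    if now < FIX_AT:
        return HIJACK_IP, BOGUS_TTL   # attacker's record, cached for a week
    return LEGIT_IP, 300              # restored record with a normal TTL


def simulate(max_ttl: Optional[int] = None,
             query_times: Tuple[int, ...] = (60, 7200, 86400, 8 * 86400)) -> List[Tuple[int, str]]:
    """Query NAME at each time through one resolver; returns (time, ip) pairs."""
    resolver = Resolver(max_ttl)
    return [(t, resolver.resolve(NAME, t, authoritative)[0]) for t in query_times]


if __name__ == "__main__":
    print("no TTL cap   :", simulate())              # attacker's IP until the week is up
    print("cap at 3600 s:", simulate(max_ttl=3600))  # correct from the first query after the fix
```

Without a cap, the resolver answers with the attacker's address at one minute, two hours and one day, and only at day eight does it go back to the authoritative server and pick up the restored record. With the cap, the first query after the fix is already correct. A cap bounds the exposure window but does nothing about answers already served, so after a real hijack the operators of any large resolvers still have to flush the affected names.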

This article originally appeared on Motherboard.