Few banks are eager to discuss publicly the steps they are taking to keep out hackers and identity thieves, in part because the scammers can use the information to make future attacks more successful. But some experts say a number of banks have taken a page from the attackers' playbook by using legally questionable techniques to disable public access to fraudulent sites.
Shutting down a phishing Web site can be a time-consuming and expensive task, particularly if the site is based in a foreign country that lacks either anti-hacking laws or stringent enforcement of such laws. The typical fake site stays online for six days before being shut down; in the meantime the company targeted by the scam must battle a public perception that it is powerless to prevent customers from being robbed.
Faced with such uncertainty, experts say some banks will quietly overwhelm the fraud sites with so much data that they can no longer accept information from would-be victims. These banks submit massive amounts of phony personal and financial information to a fraud site to dilute the phisher's database, a technique known as stuffing or poisoning.
But Tom Liston, president and founder of Ingleside, Ill.-based LaBrea Technologies and a volunteer at the SANS Internet Storm Center in Bethesda, Md., said poisoning can result in a de facto "denial-of-service" attack. When launched with the intent to disable a legitimate Web site, such an attack is a federal crime that can carry a penalty of up to 10 years in prison.
"What you find is that these phishing sites are mostly run off of Web servers that have been installed on hijacked home computers, so they can't really take a whole lot of submissions all at once," said Liston, who said he has written and tested his own stuffing program against several fraud sites. "I've seen plenty of evidence that indicates that the banks have taken down sites this way, but most will never admit it or if they do they'll say it was done inadvertently as a result of poisoning."
A number of anti-phishing companies offer such retaliatory services, but few advertise them. One exception is New York City-based Cyota, which specializes in convincing ISPs to quickly disable phishing sites. The average fraud site stays active for roughly six days, but the company claims that most fraud sites targeting its customers last fewer than five hours.
Amir Orad, Cyota's vice president of marketing, said his company offers a poisoning service but that it does not condone denial-of-service attacks. Orad said the service is designed to help banks plant dummy account information at phishing sites, which the banks can then use as breadcrumbs leading them back to the people behind the attacks.
Submitting too much fake data at once would only alert the phishers that the bogus information is being offered as a trap, Orad said. He added that Cyota has applied for several patents on its poisoning technology, which ensures that several minutes pass between submissions of dummy account data.
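To make the breadcrumb variant Orad describes concrete, the following is an added example written for this page; it is not Cyota's patented service, any bank's tool, or Liston's stuffing program. It parses a constructed copy of a phishing login form, derives each decoy record from an HMAC over a hypothetical campaign ID and sequence number (so a bank that later sees one of the planted usernames at its real login page can recompute which phishing site received it without keeping a database of planted records), gives the card field a Luhn-valid number on the well-known Visa test prefix so the decoy survives the phisher's own sanity checks, and spaces submissions several minutes apart plus jitter. The HTML, campaign IDs, tracking key, surname list and dates are all invented, nothing is actually sent, and it deliberately does not do the high-volume dilution that Liston warns turns into a denial-of-service attack.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from html.parser import HTMLParser

# Constructed sample of a phishing page's login form (not a real site).
PHISH_HTML = """<form action="/secure/login.php" method="post">
  <input type="text" name="userid"> <input type="password" name="passwd">
  <input type="text" name="cardnum"> <input type="hidden" name="step" value="1">
  <input type="submit" value="Sign In">
</form>"""

TRACKING_SECRET = b"example-tracking-key-rotate-me"  # hypothetical key; the phisher never sees it
SURNAMES = ["miller", "garcia", "nguyen", "okafor", "schmidt", "rossi"]
CAMPAIGN_START = datetime(2005, 3, 1, 9, 0)  # hypothetical time of the first submission


class FormFieldParser(HTMLParser):
    """Collect the input names a phishing form expects so decoys fit its schema."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "input" or not a.get("name") or a.get("type") in ("submit", "button", "image"):
            return
        # Hidden fields are echoed back unchanged; every other field gets a decoy value.
        self.fields[a["name"]] = a.get("value") if a.get("type") == "hidden" else None


def form_fields(html):
    parser = FormFieldParser()
    parser.feed(html)
    return parser.fields


def luhn_check_digit(payload):
    """Digit that makes payload + digit pass the Luhn test phishers often run client-side."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch) * 2 if i % 2 == 0 else int(ch)  # rightmost payload digit gets doubled
        total += n - 9 if n > 9 else n
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]


def _mac(secret, campaign, seq):
    """One HMAC per (campaign, seq) seeds every field of that decoy and its send time."""
    return hmac.new(secret, f"{campaign}:{seq}".encode(), hashlib.sha256).digest()


def decoy_username(secret, campaign, seq):
    mac = _mac(secret, campaign, seq)
    return SURNAMES[mac[6] % len(SURNAMES)] + "".join(str(b % 10) for b in mac[:6])


def decoy_record(secret, campaign, seq, fields):
    """Build submission `seq` for hypothetical campaign ID `campaign`, one value per form field."""
    mac = _mac(secret, campaign, seq)
    digits = "".join(str(b % 10) for b in mac[7:])  # 25 decimal digits derived from the MAC
    card_payload = "411111" + digits[:9]  # constructed Visa test BIN + 9 MAC digits
    record = {}
    for name, fixed in fields.items():
        if fixed is not None:
            record[name] = fixed
        elif "user" in name or "login" in name:
            record[name] = decoy_username(secret, campaign, seq)
        elif "pass" in name:
            record[name] = hashlib.sha256(mac).hexdigest()[:10]
        elif "card" in name or "acc" in name:
            record[name] = card_payload + luhn_check_digit(card_payload)
        else:
            record[name] = digits[9:17]  # numeric filler for fields we do not recognise
    return record


def submission_schedule(secret, campaign, count, start, min_gap=timedelta(minutes=5)):
    """Times at least min_gap apart plus MAC-derived jitter: a trickle that looks like real
    victims, not a burst that tips off the phisher or knocks the hijacked host offline."""
    times, t = [], start
    for seq in range(count):
        if seq:
            t = t + min_gap + timedelta(seconds=_mac(secret, campaign, seq)[-1])  # +0..255 s
        times.append(t)
    return times


def trace_decoy(secret, username, campaigns, max_seq=1000):
    """Map a username seen in a live login attempt back to the campaign it was planted at."""
    for campaign in campaigns:
        for seq in range(max_seq):
            if decoy_username(secret, campaign, seq) == username:
                return campaign, seq
    return None


if __name__ == "__main__":
    fields = form_fields(PHISH_HTML)
    for seq, when in enumerate(submission_schedule(TRACKING_SECRET, "phish-A", 3, CAMPAIGN_START)):
        print(when.isoformat(), decoy_record(TRACKING_SECRET, "phish-A", seq, fields))  # a real tool would POST here
    planted = decoy_record(TRACKING_SECRET, "phish-A", 1, fields)["userid"]
    print("traced to", trace_decoy(TRACKING_SECRET, planted, ["phish-B", "phish-A"], 10))
```

The field-name matching is a heuristic for the constructed form; a real phishing kit's input names vary and would need to be checked by hand before anything is planted. Deriving every value from one keyed MAC is what makes the trace step cheap (the bank only has to know its campaign IDs and the key), and it also means the decoys are reproducible for a fraud analyst without anyone having stored a plaintext list of fake accounts.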
Dan Larkin, unit chief of the FBI's Internet Fraud Complaint Center in Morgantown, W.Va., said he has heard reports of banks disabling sites by knocking them offline, but added that the FBI has no evidence that any such incidents ever occurred.
Liston said he's not surprised. "Who exactly are the phishers going to complain to?"