SecurityFocus 2005-05-20
A small percentage of Web sites illegally set up for phishing scams have been defaced with warnings to potential victims. While illegal, some Internet watchers believe the trend could be beneficial.
On Thursday, Internet monitoring firm Netcraft reported that some users of the company's anti-phishing toolbar followed links to fake financial sites only to find them defaced with anti-phishing messages. While defacements in the past have consisted mainly of sophomoric messages and political diatribe, the recent attacks by Web-site defacers on phishing fraud could actually help warn online users before they become victims, said Paul Mutton, a services developer for Internet monitoring provider Netcraft.
"It is undoubtedly a good thing in that they are helping to protect innocent web users," he said. "On the other hand, it is perhaps unfortunate in that it's probably illegal."
The do-good defacements are still rare incidents, but could gain steam as phishing fraud continues to rise and the online scam artists become more organized and professional, Mutton said.
Phishing, which uses e-mail and fake Web sites to lure users into giving up sensitive and financial information, is a growing threat, according to the Anti-Phishing Working Group. The average number of active phishing sites reported to the group has increased an average of 28 percent per month since July 2004 with 2870 sites discovered in March, the last month for which data is available.
While the March data is down from the preceding month, other indicators suggest the problem is worsening, said Dan Hubbard, senior director of security and technology for Web-filtering firm Websense and one of eight committee members for the APWG.
"Although some of those numbers appear to be flattening, that doesn't mean the problem is getting better," Hubbard said.
The technical prowess of phishing groups has gotten better, according to another report released this week. Criminal groups now attack multiple server types with prebuilt tools for controlling compromised computers and sending out spam, according to an analysis done by the Honeynet Project, which uses heavily monitored servers as bait for online attackers to gain insight into the techniques of Internet criminals.
Using two incidents where honeynets -- groups of honeypot servers -- were compromised by phishing groups, the Honeynet Project eavesdropped on criminal organizations' methods. One compromised server in Germany, for example, was quickly loaded with multiple sophisticated Web sites designed to mimic well-known brands. More than 720 victims visited that server's fake Web site in 36 hours, according to the report. (The Honeynet Project caused the Web application to fail so that no user data was compromised.)
The increase in fraud activity has apparently irked some Web defacers.
While Web-site taggers have targeted the criminals behind phishing scams since at least 2003, anecdotal evidence seems to indicate that the number of defacers that have turned their attention to the fake Web sites is increasing. One group, The Lad Wrecking Crew, has regularly defaced a handful of fraudulent Web sites in conjunction with flashmob events held by Artists Against 419, a vigilante group that attempts to flood scammers' bandwidth with data requests.
The groups target so-called 419 scams, a variant of phishing named after the Nigerian law created to combat them. The modern era of phishing is exemplified by e-mail messages from Nigerians posing as business partners trying to move money out of the African country.
Targeting the Web sites created by online fraudsters is still not a common practice, however. Following the release of its anti-phishing toolbar for Internet Explorer five months ago, Netcraft users have reported some 6,600 Web sites that have been part of a phishing scam, but only a few sites have been found to be defaced, Mutton said.
However, with the amount of effort being put into defacing the fraudulent sites, Mutton believes that the practice will continue, and likely become more popular. While some defacers, such as Sickophish, replaced scam sites with the simple message "Warning -- This was a scam site," the more prolific Lad Wrecking Crew has created complex graphics for their Web defacements. A recent example has Star Wars themed graphics and nods to more than 50 other people fighting phishing scams.
"That suggests that these people pursue this 'hobby' because they genuinely want to thwart the efforts of phishers, much as open source software developers strongly feel the need to write quality software for free," Mutton said. "I see no reason why they'd want to suddenly stop; if anything, I'd expect it to grow along with phishing in general."
Defacement activity on the Internet is certainly increasing, jumping 36 percent in 2004 compared to the previous year, said Roberto Preatoni, founder of defacement database and security site Zone-h.org.
Preatoni thinks that more defacements will not necessarily mean that more defacers will be going after fake Web sites. He believes that phishing fraudsters will get better at protecting their compromised Web-site resources, essentially outgunning the less technical defacers.
"Phishers are usually using high skilled hackers to set up machines--therefore, the same cracker might patch the attacked machine in order to keep it online as much as possible," Preatoni said in an e-mail interview.
Complicating the defense of any anti-phishing attack, once a defacer tags a Web site with digital graffiti, it becomes hard to prove that it was a fraudulent site, he added.
Yet, it might be a while before law enforcement puts vigilante defacers in their sights, said Jennifer Granick, an attorney and executive director for Stanford University's Center for Internet and Society.
It's unlikely that many law enforcement officials will go after Web defacers who are posting warnings to potential victims of phishing fraud. Prosecutors can pick and choose the cases in which they want to invest time, and helping out bank fraudsters is not likely a high priority, Granick said.
"I don't think authorities are going to want to get their name out there for helping fake banks," she said.
However, even a good cause does not make the activity legal, she stressed. There is no exception in the law for good intent.
"The law doesn't have an exception for motive," she said. "If you access a computer without authorization, then you are committing unauthorized access."