Anti-Phishing in Banking

Background

Hidcot was contacted to investigate a particularly successful and fast-spreading criminal phishing campaign. Targeting a major UK Bank, hackers had engineered a fake login screen to dupe customers into submitting their username and password.

‍

Like most banks, the target in this case always presented customers with a second line of security. A customer would have to select three characters of a memorable word that they had chosen before:

‍

With memorable words typically short, the hackers had programmed their fake website to merely reject any three characters inputted, and ask the customer for a different three characters. In a very simple way the website would then have covered the first six characters of the customer's memorable word, together with their username and password.

So as not to raise the alarm, at various points the fake website would redirect users to the target bank's genuine website. For those persisting in trying to log in, in the end they were told to reset their memorable word and then told to await confirmation by post in a couple of days.

‍

Early Activity

Utilising our experienced security researchers, we were able to identify the codebase being used as a commercial package specifically bought and sold between criminal networks.The ultimate aim of the hackers was - whilst requiring very little skill -  to amass complete customer login details to be sold in bulk for further nefarious purposes.

Upon gaining access to an implementation of one fake website, Hidcot was able to learn how a database was used to record all victim information. In this first instance, we were quickly able to isolate the details of 12 individual victims. Together with this, we held the process-flow of how the fake website functioned together with very precise details surrounding how victims were contacted in the first place.

‍

Going (Much) Further

There are advanced mechanisms around the Internet to keep people safe, fake websites like the ones above are shutdown or at least highlighted as potentially harmful very quickly. It is a fact that a criminal network will only budget for one such website to remain operational for 6 hours or less.

‍

Instead, to achieve their aims, the criminal network would create dozens of fake websites in large batches, seamlessly flipping between them  as in-turn each one becomes detected. To truly disrupt the operation, websites would need to be intercepted prior to them being used or seen by the general public.

At Hidcot we possess technology that allows us to search the internet for specific code or code patterns. This works in a similar way to mainstream search engines however allows us to search for specific code signatures unique to our target. Sometimes this may also involve scanning for stolen digital assets (such as a fake bank website using our client's logo). Once we had deployed our technology and executed further intelligence gathering, what we found left us astonished:

We were able to identify four separate implementations deploying fake websites each using a very slightly different version of the original software following (what is believed to have been) their own customisations. Over the preceding 7 days, over 200 fake websites had been registered. From the ~80% of the fake websites still online, we were able to access the remote database finding on average 5 victims per website. It was at this point we learned that the criminal networks had diversified and had adapted the original software to target another UK Bank with very similar login processes.

‍

Covered Tracks

There are a number of aspects to this work which cannot be publicly disclosed, however as a matter of course effort was made to pass on any identifying information about the perpetrators themselves to the authorities or at least to classify the 'kind of actor' in-play. We learned that the criminals would purchase their domain names and marketing capability using accounts holding personal details of real people but in the majority of cases would opt to transact in Bitcoin. There was a clear overlap between the fulfilment of this crime and those that had gone before it such as a crypto-currency scams together with general buying and selling of data used for ID theft. In the same batches of fake websites we deciphered footprints across the globe which merely indicated the criminal's ability to hide their true location.

‍

The Hidcot Solution

Stopping the criminal activity by identifying the perpetrators was not going to be feasible. However by deploying a number of our Brand Protection tools on an automated basis we were able to get identifying further fake websites going online. This came in two parts, firstly a list of domain names that we due to be transfered to fake websites very soon, and then those that already had. These live lists could then be used to get warnings to the users' browsers quicker. Next in over 80% of occurrences, we were able to collate the details of any customers who had fallen victim to the deception and ensure the Bank could intervene ahead of the details being exploited.

Fraud will always be a game of cat-and-mouse, but one that brings untold stress and misery to the innocent victims. To  create a platform capable of the above and for it to run in an entirely automated way a great deal of infrastructure, in-house software and expertise has been needed. We are passionate about using our technology to safeguard end-customers together with our clients' own reputation. This expertise comes in part from our long-established experience in safeguarding client's digital assets and wider online reputation against theft and impersonation.

‍

‍

‍