SecureWorks Takes Down Nine Phishing Scams in Three Months

SecureWorks Warns Financial Institutions: Beware Sophisticated Phishing/Hacking Tactics

ATLANTA, GA, November 30, 2005 - SecureWorks announced today that it has taken down another phishing scam. This latest event marks the ninth phishing event in the past three months that SecureWorks has shut down on behalf of its banking clients. SecureWorks, named as a “Market Leader” among Pure Managed Security Service Providers (PMSSPs) by Yankee Group, is the largest managed security provider in the financial market providing security to over 1100 banks and credit unions nationwide. (Learn more about SecureWorks Anti-phishing Services.)

“In the past three months, SecureWorks has seen nine of its smaller US banking clients phished,” said Jon Ramsey, SecureWorks CTO. “The rate at which smaller financial institutions are being phished is increasing substantially, as are the techniques being used by phishers.” In the most recent scam, the phishers used a combination of phishing and hacking to launch their attack, according to Ramsey. Specifically, they implemented botnets and dynamic DNS to host the phishing sites. The phishers hacked vulnerable computers and used them as platforms to host the sites, and they used compromised desktops to send the emails.

“On Nov. 14th, one of our banking clients alerted our Secure Operations Center that someone was trying to obtain sensitive client information through a phishing scam,” stated Ramsey. “Our security analysts immediately began investigating the malicious email being sent to the bank’s customers, and after decoding the email found that the phisher was using various types of redirect methods to obscure the true phishing site.” After further investigation, SecureWorks noticed that the phisher had transferred authority of the domain name to another DNS server. That server was compromised and was acting as a poisoned DNS server.

Through this poisoned DNS server, SecureWorks found nine different compromised host servers sitting in Russia, Japan, Belgium, Germany, US, etc. These were the fallback host servers, on which the phisher could host replacement phishing sites as others got taken down. Because there were nine host servers, SecureWorks suspected the phishers were probably using a botnet to control the compromised servers. SecureWorks was also able to trace the desktop and found that a compromised DSL account in Poland was being used to send out the phishing emails.

SecureWorks has relationships with US CERT, as well as with many of the foreign CERT Teams and many of the Incident Response Teams located within the world’s largest ISPs. Using these connections, SecureWorks was able to get the desktop in Poland and the compromised servers in Belgium, Japan, Russia, Germany, and the US taken down in 24 hours. SecureWorks also filed a report with the registrar’s office, resulting in the malicious domains being taken down, and contacted the SANS Internet Storm Center, providing them with all the information it had uncovered.

“This latest incident marks the first time that SecureWorks has seen phishers use a combination of phishing and hacking against our smaller financial institutions,” said Ramsey. “The fact that the phishers/hackers are using more sophisticated techniques such as botnets and dynamic DNS to host the phishing sites (which certainly takes more work on the part of the phisher/hacker to implement) raises the level of play considerably for these smaller banks and credit unions. Using these techniques, phishers can target dozens of small financial institutions at one time and send out thousands of malicious emails simultaneously. And unfortunately, the phishers know that the smaller banks and credit unions don’t have the knowledge, personnel and resources in-house to bring down such a sophisticated attack. Financial institutions, of all sizes, need to be constantly on the lookout for these phishing scams. If they don’t have the resources in-house to deal with them, they need to have an experienced IT security provider as a backup who can quickly and effectively take down the scam.”

SecureWorks provides emergency phishing takedown services to clients and prospects. If a financial institution suspects that they are being phished, they can call SecureWorks 24 hours a day, seven days a week at 1-888-277-9355 for immediate assistance.

About SecureWorks

SecureWorks, a Managed Security Service company, protects corporate networks, servers, and email environments. SecureWorks is the only service that prevents network intrusions at the perimeter, firewall and host levels; monitors client networks 24x7x365; provides ongoing vulnerability assessments; and protects email from spam and viruses while automatically encrypting email to protect confidential information. SecureWorks serves over 1,200 enterprise customers, including banks, utilities, credit unions, and hospitals. SecureWorks recently ranked 79th on the Inc. 500 list of fastest growing private companies in the country. For more information, visit www.secureworks.com.

# # #

Media contacts

Elizabeth W. Clarke
SecureWorks
404-486-4492
