Lawsuit demands banks divulge information about hack attacks

Anti-spam company Unspam Technologies Inc. filed a lawsuit on Wednesday aimed, in a somewhat roundabout way, at forcing banks to divulge any information they might have about hacking activities affecting their customer accounts.

The lawsuit, filed in U.S. Federal District Court for the Eastern District of Virginia, invokes the CAN-SPAM Act in seeking compensatory and punitive damages against unnamed “John Does” responsible for “stealing money from U.S. businesses [using malware.]”

Related stories:

Canadians very vulnerable to identity theft, survey shows

E-mail attachment malware soars 800 per cent

The 11-page complaint alleged that cyber-thieves are stealing millions of dollars from U.S. bank accounts every month via virus infected e-mail spam.

It says users who opened such spam messages are getting infected with keystroke logging programs that allow remote attackers to obtain that user s banking credentials, break into their accounts and transfer money out of the country via illegal Automated Clearing House (ACH) transactions the complaint alleged.

Despite the large

scale nature of such thefts, it is often very difficult to track down the perpetrators of such fraud because of the limited availability of information said Jon Praed, attorney for Unspam and founding partner of the Internet Law Group.

To identify those behind such crimes, more information needs to be made available on the techniques being employed by the criminals, the servers and botnets being used to launch attacks and the accounts and the destinations to which stolen money is transferred, Praed said.

Too often though banks whose customers are victimized by such fraud don’t divulge any information on how exactly an account might have been compromised, where the money was transferred and how it was then “walked out” of the country, Praed said.

“That information is important and could lead us to the identities of the bad guys,” Praed said.

Such information could also help other companies better defend themselves and their customers against similar theft, he said. “Right now, each bank that has been victimized knows what it knows and the victims know what they know.”

“IT vendors may have a broader view of the problem but it is not clear they are sharing any information,” he said.

Bringing a John Doe lawsuit is one way of trying to get at the information, Praed said. As part of the effort to unmask the identities of the Does in the lawsuit, Praed said he hopes to be able to convince banks to disclose information — or force them to, if needed.

“Through discovery in our effort to identify the bad guys, we will be able to issue subpoenas if necessary to victims and witnesses asking then what they saw and what they did. There is no reason why we should have to compel them to tell us via subpoenas,” if they are willing to do so voluntarily, he added.

“We are trying to gather the information in order to find a chokepoint,” for stopping the attacks, he said. If the information showed that fraud was made possible because the banks were only using single-factor authentication, for instance, then the obvious way of mitigating the threat would be to strengthen authentication, Praed said.

It is unclear how successful such a strategy will be. But Praed said he has used similar John Doe lawsuits on behalf of Internet Service Providers (ISPs) to shake loose the identities of spammers in the past.

The lawsuit comes at a time when concerns are high over a piece of malware called the Clampi Trojan, which has been enabling cyber criminals to do precisely the sort of thefts that Praed mentions in the lawsuit.

The Trojan program is believed to have infected over 1 million PCs, and is being used by cyber-crooks to steal large amounts of money and financial information from consumers logging on to their bank and other sites.

The malware

can infect a PC in several ways. One method is by duping a user into opening an e-mailed file attachment containing the malicious code. Once on a machine, the Trojan monitors Web sessions and captures a user’s log in credentials whenever that users logs into to one of 4,500 sites.

Source: Computerworld

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs