Lawsuit seeks to pry information from banks on account breaches

Computerworld - Anti-spam company Unspam Technologies Inc. filed a lawsuit on Wednesday aimed, in a somewhat roundabout way, at forcing banks to divulge any information they might have about hacking activities affecting their customer accounts.

The lawsuit, filed in U.S. Federal District Court for the Eastern District of Virginia, invokes the CAN-SPAM Act in seeking compensatory and punitive damages against unnamed "John Does" responsible for "stealing money from U.S. businesses [using malware.]"

The 11-page complaint alleged that cyber-thieves are stealing millions of dollars from U.S. bank accounts every month via virus infected e-mail spam.

It says users who opened such spam messages are getting infected with keystroke logging programs that allow remote attackers to obtain that users banking credentials, break into their accounts and transfer money out of the country via illegal Automated Clearing House (ACH) transactions the complaint alleged.

Despite the large scale nature of such thefts, it is often very difficult to track down the perpetrators of such fraud because of the limited availability of information said Jon Praed, attorney for Unspam and founding partner of the Internet Law Group.

To identify those behind such crimes, more information needs to be made available on the techniques being employed by the criminals, the servers and botnets being used to launch attacks and the accounts and the destinations to which stolen money is transferred, Praed said.

Too often though banks whose customers are victimized by such fraud don't divulge any information on how exactly an account might have been compromised, where the money was transferred and how it was then "walked out" of the country, Praed said.

"That information is important and could lead us to the identities of the bad guys," Praed said.

Such information could also help other companies better defend themselves and their customers against similar theft, he said. "Right now, each bank that has been victimized knows what it knows and the victims know what they know."

"IT vendors may have a broader view of the problem but it is not clear they are sharing any information," he said.

Bringing a John Doe lawsuit is one way of trying to get at the information, Praed said. As part of the effort to unmask the identities of the Does in the lawsuit, Praed said he hopes to be able to convince banks to disclose information -- or force them to, if needed.

"Through discovery in our effort to identify the bad guys, we will be able to issue subpoenas if necessary to victims and witnesses asking then what they saw and what they did. There is no reason why we should have to compel them to tell us via subpoenas," if they are willing to do so voluntarily, he added.

"We are trying to gather the information in order to find a chokepoint," for stopping the attacks, he said. If the information showed that fraud was made possible because the banks were only using single-factor authentication, for instance, then the obvious way of mitigating the threat would be to strengthen authentication, Praed said.

It is unclear how successful such a strategy will be. But Praed said he has used similar John Doe lawsuits on behalf of Internet Service Providers (ISPs) to shake the loose the identities of spammers in the past.

The lawsuit comes at a time when concerns are high over a piece of malware called the Clampi Trojan, which has been enabling cyber criminals to do precisely the sort of thefts that Praed mentions in the lawsuit.

The Trojan program is believed to have infected over 1 million PCs, and is being used by cyber-crooks to steal large amounts of money and financial information from consumers logging on to their bank and other sites.

The malware can infect a PC in several ways. One method is by duping a user into opening an e-mailed file attachment containing the malicious code. Once on a machine, the Trojan monitors Web sessions and captures a user's log in credentials whenever that users logs into to one of 4,500 sites.

Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.