When a start-up company helps take down several major online spam and phish operations, it's time to look at what they are doing right.
During the first quarter of 2013, more than 97 billion spam, phish, and malware-laden emails clogged the Internet every day (Commtouch). The financial fallout is harder to track, but most research has the unwanted email costing Internet users and companies billions of dollars per year.
Wouldn’t it be interesting if we could put these evil doers out of business using information they unknowingly provided themselves? If you agree, you will be happy to know that is exactly what tech start-up Malcovery Security is doing.
Malcovery Security began as a research project at the University of Alabama, Birmingham (UAB) Computer Forensics Research Laboratory, under the auspices of Gary Warner. Because of the project’s success, Warner along with Greg Coticchia and Mike Perez—in partnership with UAB and the Innovation Depot—privatized the research creating Malcovery Security.
Malcovery Security knows its enemy
Malcovery Security provides its customers with “rich actionable intelligence” on spam, phishing, and malware attacks. More importantly, Warner says, “We almost always share details of malware attacks significantly earlier than any major anti-virus vendor is offering protection for the same attack.”
In order to accomplish that, Malcovery Security discovered how to mine incriminating data about the purveyors of spam, phish, and malware from their own email campaigns, and provide authorities with actionable intelligence that could lead to putting the bad guys out of business before their handiwork can do any harm.
Analyzing big data
The approach Malcovery Security developed begins with their obtaining as many spam/phish/malware laden emails as they can. At last count, they have over 700 million suspect emails retained in a customized database. But, that’s nothing special; where Malcovery Security excels is analyzing all those emails to find out the who, what, and where behind the malicious email campaigns.
Looking at the left side of the above flow diagram, you will see the first step is to determine what type of malicious email the sample is. Then the email undergoes further classification using the following criteria:
- What is the spam subject?
- What hostile URLs are advertised?
- What hostile attachments are present?
- What network systems does the malware attack?
- What additional malware loads if the initial package is executed?
Because of the immense number of emails funneling in every day, Malcovery Security has automated the classification process. If the automated tool successfully classifies the email, the sample receives a brand designating it as a spam, phish, or malicious email; and becomes part of the Malcovery Cyber Intelligence and Forensics Threat Database. Warner explains further:
“Currently we auto-classify about 89% of our phishing URLs, which means that within seconds of seeing the URL for the first time, we have fetched, confirmed, and assigned a brand to the URL. URLs which cannot be automatically classified are presented to our Operations Team for human classification.”
Now it’s time to move to the right side of the flow chart and the services offered by Malcovery Security.
I got the impression when visiting Malcovery Security that Warner and his crew were definitely antispam, antiphishing, and most definitely averse to malware-laden email. To explain why I say that, let’s look at the services Malcovery Security offers their customers:
Today’s Top Threats are information packets— each threat is issued a human-readable report and a device-readable file. The human-readable report provides a wealth of information that can be used to educate users and facilitate internal investigations. The device-readable file allows customers to import threat information directly into Unified Threat Management, IDS, firewall, or WebFilter protection devices and services.
PhishIQ is a web-based portal providing the customer a complete history of malicious behavior targeting the customer. Analysts working for the customer can then interact with the portal to reveal abuse patterns, identify commonalities among phish, and possibly obtain information directly related to the criminals behind the campaign.
Phishing Intelligence Report: The Phishing Intelligence Service evaluates the data gathered by PhishIQ to facilitate further analysis including:
- Customer accounts that have visited the cluster can be identified and evaluated to establish a loss figure.
- Customer accounts can be monitored to reveal techniques used by the criminals.
- Custom responses, law enforcement investigation, and cooperation with hosting providers are facilitated.
Phishing Investigative Services are in-depth investigations offered by Malcovery Security, and patterned after Gary Warner’s Seven Phases of a Phishing Investigation curriculum. The seven phases include: spam analysis, phishing website analysis, phishing kit analysis, phishing cluster analysis, compromised server log analysis, affidavits of probable cause for search warrants, and open-source intelligence.
Abuse Box Processing is a service where engineers at Malcovery Security analyze suspect emails received directly from customers, after which Malcovery Security offers advice on how the customer should proceed.
I was curious about the kind of customers who employed Malcovery Security. It seems that a Who’s Who of Internet companies are taking advantage of their services, including Facebook, eBay, Visa, LinkedIn, and IBM.
If a person pays attention to history, it becomes difficult to entertain the idea that it’s possible for the security industry to get ahead of the bad guys. But, Malcovery Security and their proactive tools offer hope that we may eventually get ahead of the curve on at least one type of digital crime.