I, Pamela Moore, declare as follows: 1. I am the Senior Vice President, Administrative Services and Chief Financial Officer of The Electronic Payments Association (“NACHA”). I make this declaration in support of Plaintiffs’ Application For An Emergency Temporary Restraining Order And Order To Show Cause Re Preliminary Injunction. I make this declaration of my own personal knowledge and, if called as a witness, I could and would testify competently to the truth of the matters set forth herein. 2. In my role at NACHA, I have worked with forensic investigators supporting NACHA and have conducted an assessment regarding the financial and business impact of the phishing e-mails falsely purporting to be from or associated with NACHA and tied to the Zeus Botnets. The Zeus Botnets have caused, and continue to cause, extreme damage to NACHA and its members, which, if allowed to continue, will be compounded as the case proceeds. NACHA AND THE ACH NETWORK 3. NACHA is a non-profit association which manages the development, administration, and governance of the ACH Network, the backbone for the electronic movement of money and data. NACHA represents more than 10,000 financial institutions via 17 regional payments associations and direct membership. In 2011, over 16.2 billion ACH payments were processed between financial institutions on behalf of their customers, via an ACH operator. As many as 145 million Americans use Direct Deposit via ACH to receive their pay or government benefits. As administrator of the ACH Network, NACHA’s primary function is to write the rules for the ACH Network and it does not technically operate the ACH Network infrastructure. INJURY TO NACHA CAUSED BY THE ZEUS BOTNETS 4. Since November of 2009, under cover of emails that falsely purport to be from or associated with NACHA, the defendants have orchestrated a pernicious, growing and costly phishing scam (“Account Takeover Scam”) that has touched or affected millions of people, and countless computers and networks around the globe. 2 5. I have reviewed the Declaration of Mark Debenham, which sets forth facts establishing that the emails in the Account Takeover Scam, which misuse NACHA’s name and trademarks, are designed to infect victims’ computers with malicious software referred to as the Infected Tier and to make those computers part of one or more botnets, known as the Zeus Botnets. Once infected and part of the Zeus Botnets, the defendants use the malicious software to steal the victims’ account credentials and to steal funds from the victims’ accounts. The Declaration of Mark Debenham also sets forth facts that the defendants in this case are responsible for the Account Takeover Scam and the Zeus Botnets. 6. Despite the best efforts of NACHA to mitigate the devastating effects of this phishing scam, the Account Takeover Scam has grown at a dramatic and alarming pace since February 2011, and continues to rapidly grow and evolve in ways that cannot be sufficiently addressed by NACHA or the Account Takeover Scam’s victims without aggressive intervention. A. An Overview – from Phishing Email to Botnet to Stolen Information 7. Although technical aspects of the Account Takeover Scam continue to rapidly and cunningly evolve, each new attack begins with an unsolicited email which falsely purports to be from NACHA, or in some way associated with NACHA or the ACH transactions for which NACHA sets standards. Recipients duped into clicking a falsified link embedded in a scam email are then connected to a series of malicious servers, the purpose of which is to download malicious software (often called “malware”) onto the victim’s computer. Once downloaded, that malware hijacks the victim’s computer and makes it part of the Zeus Botnets. The defendants may then steal banking and other information via, for example, keystroke logging software and thereby are able to “takeover” the accounts for fraudulent reasons. 8. Over time, the Account Takeover Scam has expertly evolved, including the methods of implementation (e.g., from offering false .pdf files to drive-by-download), delivery (from php file to .jar file), obfuscation and payload (e.g., from Zeus botnet, to Zeus variant to Blackhole rootkit). Based upon the work of forensic investigators supporting NACHA, and upon information and belief, technical aspects of the Account Takeover Scam are outlined in detail 3 below. B. The Immense Scale of the Attacks: Hundreds of Millions of Emails 9. Although the attacks began on a relatively small scale sometime in November of 2009, by February 2011 they had begun to increase substantially. In August of 2011, the number of attacks started to skyrocket on an unprecedented scale, and have continued on a worryingly steep upward trajectory ever since. Although monthly averages for Account Takeover Scam emails are in the hundred million range, those emails spiked as high as 167 million phishing emails in a single twenty-four hour period during August 2011. By contrast to this enormous volume of Account Takeover Scam emails, NACHA’s normal volume for authentic outbound e- mail messages is only 1,500 emails per day. 10. NACHA is able to estimate and track the scale of the email phishing component of the Account Takeover Scam because, naturally, it is the mail exchange (MX) authority for the “nacha.org” domain. As a result, all spam for that domain gets bounced back to NACHA’s servers, including emails that spoof nacha.org emails. In addition, NACHA uses various other sources and metrics to estimate the number of Account Takeover Scam phishing emails, including security policies and reports from security and spam vendors. 11. For example, in the week from September 12, 2011 through September 19, 2011, over 19 million emails purporting to be from the “nacha.org” domain name were sent from over 217,000 servers. In fact, there is only one authentic NACHA server for e-mails, illustrating the scale of the fraud. Attached as Exhibit A is a true and correct copy of a report by Agari Data, Inc., formerly known as Authentication Metrics, Inc. demonstrating these facts. Notably, because the report only tracks emails purporting to be from “nacha.org,” and not from any of the many other domain names used by the defendants to trick Account Takeover Scam victims, such as “nachas.org,” the report necessarily underestimates the actual number of Account Takeover Scam emails. 12. Attached as Exhibit B are true and correct copies of reports from Agari Data, Inc., formerly known as Authentication Metrics, Inc. These reports, from September through 4 November of 2011, show the number of malicious Account Takeover Scam e-mails sent from various IP addresses during that period. The reports typically show at least one IP address sending over three hundred thousand emails. In addition to the strain which such high numbers of phishing emails place on NACHA, the speed of the Internet, third party mail servers and the like, it is important to focus on the fact that a certain percentage of the intended targets actually open those emails and, hence, become malware victims whose financial and other personal information are put at risk. Assuming one percent of the twenty million or so phishing messages from the week starting September 12, 2011 were successfully delivered through spam filters (i.e., 200,000) and that a mere one percent of those who received the Account Takeover Scam e-mails after their spam filters failed them opened the emails and clicked on the link (i.e., 2,000), this estimate results in two thousand infections during a single week. 13. Starting in February 2011, NACHA began to combat these Account Takeover Scam attacks by asking service providers to take down URLs used in association with the Account Takeover Scam. As shown below in Figure 1, the number of those requests grew rapidly in 2011. For example, in November of 2011 alone, NACHA requested that 555 suspected sites be shut down. Given that the number of requests in July 2011 was 10, this amounts to an astronomical 5,550% increase in requests in a four month period. 5 14. As illustrated in Figure 2, by November 2011 NACHA was requesting takedowns of an average of more than 18 URLs every day. 15. The evolution of the Account Takeover Scam and actions taken by NACHA as tracked by NACHA’s customer service calls and inquiries to [email protected] is reflected in a true and correct report attached as Exhibit C. A true and correct copy of a detailed log with all take downs initiated by NACHA in 2011 is attached as Exhibit D. 16. NACHA maintains an e-mail address in which consumers and businesses can forward potential spam e-mails at [email protected]. These reports are used for analysis of attacks against NACHA and for forensics and for reporting malicious URLs in the hope of receiving voluntary assistance by domain registries and registrars. However, these voluntary efforts are not sufficient to disrupt the attacks, as informal assistance regarding malicious URLs are piecemeal and cannot be coordinated across the entirety of the malicious infrastructure. The scale of the Account Takeover Scam attacks is beyond the ability of NACHA to deal with them alone. The assistance of the Court is desperately needed to dismantle large portions of the infrastructure in a coordinated manner. 17. NACHA is extremely concerned that the notoriety of the Account Takeover Scam may soon inspire other criminals to engage in copycat or similar tactics to obtain consumer information, hence further complicating NACHA’s battle against the existing perpetrators. The 2011 Account Takeover Scam was publicly reported in a February 25, 2011 article which 6 discussed the fact that “ACH Transaction Rejected” emails were linked to the Zeus botnet.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages163 Page
-
File Size-