Commerce continues to embrace the Internet and to become dependent upon it. In banking in particular, deposits, withdrawals, balances, statements, lines of credit, and other financial transactions and instruments are increasingly available via and used over the Internet. Internet-only financial institutions are more dependent on it still. The physical retail banking platform in the United States has, in fact, been radically reorganized over the past 20 years, in large part on the assumption that a growing proportion of banking transactions would be fulfilled over Internet connections between the banking transactional platform and the home (for consumer services) or the office (for business treasury services). Any enterprise that does commerce through the Internet is at risk of financial or identity theft involving the Internet, either directly or through misuse of its customers' credentials by fraud perpetrators who manipulate online services to complete fraudulent transactions.
Phishing is an example of a problem that such institutions face. Phishing involves stealing a user's identity for purposes of financial gain, usually either by social engineering (luring the customer into submitting online credentials by posing as a trusted business through a counterfeit website) or by technical subterfuge (planting software on a personal computer that intercepts or steals its user's online credentials and transmits them to the fraud perpetrators who control the software). Most Internet users are familiar with the annoying electronic mail messages they receive claiming to be from a financial institution that needs the user to connect to a web page and supply a missing password or social security number; messages that carry the logos and appearance of the financial institution but lead to a web page not associated with it. Most people are wary of such messages and do not fall for the trap, but it only takes a small percentage to make phishing lucrative for the phisher. In addition to that social engineering approach, technical subterfuge may involve planting spyware on the user's computer through bugs in the web browser, the electronic mail reader, the operating system, or other software; spyware that watches for the user's passwords or other identifying information and reports it back to the phisher. While the actual financial loss from phishing is still low as a proportion of any enterprise's online revenue, any loss from such scams is worrisome.
Damage to reputation is a bigger worry for the targeted enterprises. Already many Internet mail users are wary of believing any mail from financial institutions. This is a problem for those institutions, because they see significant economies of scale in increasing use of electronic mail and the web for financial transactions. And the reputation damage can extend beyond the Internet: a user who has seen too many phishing messages claiming to be from Bank X may not want to bank at Bank X even through an ATM or teller window. Today, a return to 1970s (pre-ATM and pre-Internet) style banking would cause catastrophic logistical difficulties for the retail banking sector, as crowds of customers queued to visit tellers whose numbers have been drastically reduced over the decades. That squeeze in retail service capacity, physically manifest in the branch network, could easily compound unease already felt over a failure of the Internet banking infrastructure and precipitate bank runs or a general failure of confidence.
Tracking down phishers is thus a pressing task, and one that law enforcement cannot be expected to do alone and is technically unprepared to complete. Unless the amount stolen in a phishing attack is many thousands of dollars, most law enforcement agencies cannot be expected to take action, because it costs them several thousand dollars just to put an agent on the case. Furthermore, phishers deliberately send phishing mail messages and spyware from compromised computers located in countries other than the perpetrator's own, so as to involve multiple countries and multiple law enforcement jurisdictions, thus complicating and very often neutralizing any potential law enforcement action.
The targeted companies thus need to be proactive and find ways of dealing with phishers themselves, or to assemble enough evidence of aggregate loss or of specifically located illicit activity that law enforcement and collateral victims can take action. For example, if there is sufficient evidence that phishers are using nodes set up for phishing at a specific Internet Service Provider (ISP), that ISP will often take down the phishing node. Or if there is sufficient evidence that a legitimate node has been compromised for phishing, the node's owners, supplied with that evidence, can take action.
Collecting such evidence can be quite difficult, because phishers deliberately falsify evidence such as domain registrations, and they deliberately stage their attacks through multiple layers of nodes in multiple countries so as to make tracing them back difficult and to complicate legal action by spanning multiple legal jurisdictions. They often buy access to the nodes they use from third parties known as bot herders, who break into computers in order to compromise them and turn them into so-called zombie PCs or bots, building what they call a bot herd for sale to miscreants such as phishers. Appropriate evidence must therefore be cross-checked against multiple sources of information collected over large parts of the Internet. Most targets of phishing do not have the expertise to collect, aggregate, fuse, visualize, analyze, and synthesize such data in order to make decisions and take action based upon it. Internet Service Providers generally do not have the expertise to do this either: while they know a great deal about their own networks and about the various Internet mechanisms for registering domain names, netblocks, Autonomous Systems, and other technical infrastructure of the Internet, they do not have experience or expertise in following artifacts through the entire fabric of the Internet beyond their own networks. The problem extends beyond the example of phishing. Spammers, for example, also often stage the sending of their electronic mail messages through servers scattered around the Internet, often buying access to them from the same bot herders that phishers deal with, and such spam servers also often cluster together on the same ISP nodes. Phishing and spamming are thus examples of distributed electronic crime.
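The cross-checking described above, in the smallest form a practitioner would actually run, is illustrated by the following Python example. It is added here and is not code from the patent or any product it describes. It takes constructed phishing reports (reported URL, the IP the hostname resolved to, and the registrant contact from the domain's registration record), maps each IP to a netblock and Autonomous System by longest-prefix match against a constructed prefix table (the prefixes, AS numbers and ISP names are assumptions, not real routing data), and then flags two kinds of corroborating evidence: several distinct attack IPs landing in one AS, and one registrant contact reused across several attack domains. The same aggregation applies to spam sources.

```python
"""Cluster reported attack nodes by Autonomous System and cross-check against
domain registration data.

All data below is constructed for illustration; the prefixes, AS numbers, ISP
names, hostnames and registrant addresses are assumptions, not real records.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed prefix table: CIDR prefix -> (AS number, ISP name).
PREFIX_TABLE = {
    "203.0.113.0/24": (64500, "ExampleNet"),
    "198.51.100.0/25": (64501, "HostCo"),
    "198.51.100.128/25": (64502, "OtherHost"),
    "192.0.2.0/24": (64503, "CustomerLink"),
}

# Constructed reports: (reported URL, resolved IP, registrant contact or None).
REPORTS = [
    ("http://bankx-secure-login.example/verify", "203.0.113.10", "reg1@mail.example"),
    ("http://bankx.example-update.net/", "203.0.113.55", "reg1@mail.example"),
    ("http://secure.bank-y.example/login", "198.51.100.20", "reg2@mail.example"),
    ("http://cheap-pills.example/", "203.0.113.77", "reg3@mail.example"),
    ("http://203.0.113.10/login", "203.0.113.10", None),  # raw IP: no domain record
    ("http://bank-y-verify.example/", "192.0.2.9", "reg2@mail.example"),
    ("http://mirror.example/", "10.0.0.5", "reg4@mail.example"),  # not in the table
]


def build_prefixes(table):
    """Parse the table once, most specific prefix first, so the first hit wins."""
    parsed = [(ipaddress.ip_network(p), asn, isp) for p, (asn, isp) in table.items()]
    return sorted(parsed, key=lambda t: t[0].prefixlen, reverse=True)


def lookup_asn(ip, prefixes):
    """Longest-prefix match; returns (prefix, asn, isp) or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn, isp in prefixes:
        if addr in net:
            return str(net), asn, isp
    return None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cluster_reports(reports, table=PREFIX_TABLE, min_ips=2):
    """Aggregate reports per AS and per registrant; return the corroborated clusters."""
    prefixes = build_prefixes(table)
    ips_by_asn = defaultdict(set)
    reports_by_asn = defaultdict(int)
    isp_by_asn = {}
    domains_by_registrant = defaultdict(set)
    unknown_ips = []

    for url, ip, registrant in reports:
        hit = lookup_asn(ip, prefixes)
        if hit is None:
            unknown_ips.append(ip)  # keep, but do not attribute to any AS
            continue
        _net, asn, isp = hit
        ips_by_asn[asn].add(ip)
        reports_by_asn[asn] += 1
        isp_by_asn[asn] = isp
        host = urlsplit(url).hostname
        # A raw-IP URL has no registration record, so it cannot corroborate a registrant.
        if registrant and host and not _is_ip_literal(host):
            domains_by_registrant[registrant].add(host)

    # Evidence type 1: several distinct attack IPs inside one AS.
    clusters = {
        asn: {"isp": isp_by_asn[asn], "distinct_ips": sorted(ips), "reports": reports_by_asn[asn]}
        for asn, ips in ips_by_asn.items()
        if len(ips) >= min_ips
    }
    # Evidence type 2: one registrant contact reused across attack domains.
    shared_registrants = {
        reg: sorted(domains) for reg, domains in domains_by_registrant.items() if len(domains) >= 2
    }
    return {"clusters": clusters, "shared_registrants": shared_registrants, "unknown_ips": unknown_ips}


if __name__ == "__main__":
    result = cluster_reports(REPORTS)
    for asn, info in result["clusters"].items():
        print(f"AS{asn} ({info['isp']}): {info['reports']} reports from {info['distinct_ips']}")
    for reg, domains in result["shared_registrants"].items():
        print(f"registrant {reg} reused on {domains}")
    print("unattributed IPs:", result["unknown_ips"])
```

The two signals are deliberately independent: the AS clustering comes from routing data, the registrant reuse from registration data, so a match on both is stronger evidence to hand an ISP or a node owner than either alone. Registration data can be falsified, as the text notes, which is exactly why the example does not treat a registrant match on its own as conclusive.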
There is thus a long-felt need for means of detecting distributed electronic crime node locations and summarizing Internet node data related to distributed electronic crime attacks such as phishing and spamming through a visual medium for the purposes of forensic analysis and remedial and proactive action.