While Microsoft's new initiative to take down Zeus malware-related botnets is being touted as a unique approach to fight financial fraud, some industry experts question its long-term viability.
Operation B71 is a collaborative effort among Microsoft Corp.'s Digital Crimes Unit, the Financial Services - Information Sharing and Analysis Center, NACHA - The Electronic Payments Association, and security vendors Kyrus Tech Inc. and F-Secure. [See Microsoft Leads Zeus Takedown.]
The premise behind the initiative: Microsoft's legal theory that botnets, and the cybercrime rings behind them, should be treated and prosecuted like any organized crime group. And the approach so far has been met with success. Microsoft announced on March 25 that it has seized command and control servers that have been running some of the most damaging variations of Zeus botnets, which propagate malware that can lead to incidents of identity theft, account takeover and, ultimately, financial fraud.
But Gartner fraud analyst Avivah Litan says she's not ready to start congratulating Operation B71 just yet. "I think it's good, but there are always going to be more and new ways criminals use to get in," she says. Relying on a single approach - even a successful one - is a set-up for failure.
A Creative Approach?
Supporters say Microsoft's steps to pursue new legal angles will outweigh potential shortcomings. By leaning on the Racketeer Influenced and Corrupt Organizations Act and the Lanham [Trademark] Act, Microsoft has opened more prosecutory doors.
With RICO, Microsoft and its co-plaintiffs have asked the court to view botnets as being equivalent to organized crime. With Lanham, they're saying that when a bank's or organization's website is spoofed, or when phishing e-mails are sent, the hackers behind the spoofing and phishing have infringed copyright.
"This is Microsoft's infrastructure that the cybercriminals are using," says Greg Garcia, Operation B71 spokesman for FS-ISAC and NACHA. "And they are violating the trademarks of the financial organizations. They are basically forging their trademarks when they send out e-mails that appear to be coming from them, or send them to sites that appear to be the banks' sites."
Coming up with creative ways to fight malware and botnets, and ultimately financial fraud, has its pros and cons.
"There are a lot of different laws on the books," Garcia says. "But RICO refers to access-to-device fraud," something like a password or user ID.
"This is the first time RICO has been invoked, and it's a novel approach," he adds. "Basically, what it's saying is that if a botnet is used for nefarious purposes, it should be considered organized crime."
Need for Oversight
But Litan worries about the potential legal and investigative snafus the Microsoft precedent could create. From an investigative perspective, giving Microsoft so much control could backfire. "I know some people who said they were upset with this, because Microsoft came in and took over, even on crimes and groups other folks had been tracking."
Could having Microsoft at the helm of it all hurt or hinder prosecutory power and investigations in the future? Perhaps, says David Navetta, an IT security attorney who specializes in financial fraud linked to cyberhacks and breaches.
"By taking out servers that are part of a botnet, innocent individuals and companies using that server may be taken out as well," says Navetta. "That is why I think it is important to have some judicial oversight over maneuvers like Operation B71."
Navetta says Operation B71's bright spot is reflected in the cross-sector collaboration with law enforcement and the courts it has created.
"It is encouraging to see," Navetta says.
Power in Numbers?
In part, the encouragement Navetta expresses was fueled by the authority a District Court in eastern New York late last week granted to Microsoft for the seizure and control of servers and systems linked to cybercrimes and botnets. Ultimately, the court sided with claims Microsoft and its co-plaintiffs, which include FS-ISAC and NACHA, made in a civil suit against several cybercrime groups, some of which are identified only by known aliases.
FS-ISAC and NACHA joined Microsoft because of the increasing number of online compromises that often lead to financial fraud.
"The operation is a combination of legal and technical means," Garcia says.
For Microsoft's part, that combination shows promise, says attorney Joe Burton, a legal expert in information security and financial fraud linked to cybercrime and a managing partner at law firm Duane Morris.
RICO is a tool that has allowed Microsoft to consolidate and connect cybercriminals or botnets to servers. By connecting everything, the court has an easier time granting an injunction, and that saves time. "Microsoft wants to decapitate this, and with RICO, they have been successful at doing that," he says.
Getting a temporary restraining order against the cybercriminals is what gives Microsoft's move teeth. But Burton says the hype surrounding Microsoft's successful legal linking of botnets to the RICO Act is a "little overblown."
"I don't know that I think it's a critical tool or a tool that's going to change how things are done," Burton says. "There are more lawsuits that have died on the rocky shores of a RICO charge than have not."
The copyright infringement claims connected to the Lanham Act, however, could be the real win for Microsoft and financial services.
"This copyright theory is that these botnets attack Microsoft's trademark, and that's a good legal angle," Burton says. "Being able to attack a central aspect of the fraud, legally, to me, that's a more significant advancement in the effort to fight these guys than connecting it to RICO."
Regardless of how creative the industry gets, though, experts say Microsoft's approach must be watched carefully. And while the legal precedent the B71 case sets could open doors for prosecutors, Navetta is not eager to jump to any conclusions about how positive the end result will be.
"Over time, striking the correct balance for these types of activities will be of key importance," Navetta says, "and industry, law enforcement and the legal community should work to develop guidelines and processes related to the disruption of botnets."