PASADENA, Calif. – Wescom Credit Union members who took a fraudulent path to what they thought was their credit union's Web site got a friendly warning recently: a vivid red-and-black skull and crossbones instead of the CU's logo in prominent display.

That was the work of Wescom's own tech-savvy staff and the CU's phish-fighting partner, MarkMonitor. They put that graphic up for the several hours or so it took to take down the fake Internet site that would-be crooks had set up overseas to use to lure in members and get access to their accounts, and hopefully their money, too.

“It's our way of fighting back until we can get those guys shut down,” says John Best, director of technology and development for $3.3 billion Wescom. “MarkMonitor is amazing. They have figured out ways to dilute these fraudulent Web sites by filling them up with bad information until the ISPs can shut them down,” a task that can take a while with hosts 12 time zones away.

Wescom is one of the first users of San Francisco-based MarkMonitor's Phishing Readiness and Response Solution, a program aimed at credit unions and other community-based financial institutions that don't have the resources to fight online fraud on their own.

“The phishing phenomenon has moved to credit unions in a big way,” says Chuck Drake, a former Corillian executive who's now senior vice president of fraud solutions at MarkMonitor.

“Credit unions are really very vulnerable to this,” he says. Attacks against credit unions have increased 845% in the past six months and they now are the target of about 12% of phish, Drake says. MarkMonitor is in a position to know, he adds. “You're probably familiar with the Anti-Phishing Working Group, the trade association that monitors all phishing activity. Well, they use our data.” Working from a 7/24 operations center in Washington, D.C., MarkMonitor analyzes more than 12 million suspect feeds a day from the four top Internet “spines” that handle more than 80% of the e-mails reaching in-boxes each day, Drake says, and using that data shuts down 2,500 to 3,500 phish sites a month. The human touch is needed, too. “We speak 22 languages at our center, since we have to work with ISPs and officials around the world. The name of the game for fraudsters is keeping a site up and running for as long as you can,” Best says. “The industry average is about 5.5 days once detected. We can often do it in less than 90 minutes.” MarkMonitor currently has about 25 financial institutions signed up for its Phishing Readiness and Response Solution, including about 10 credit unions. The readiness part of it is the early warning system, which focuses on detection of registration of suspicious domain names and investigation of all the records of other sites that confirmed phishers own. The response side includes site validation and then working with ISPs and domain registers to shut down fraudulent operations. “We also have a growing blacklist. Our relationship with all the top ISPs helps us effectively block a lot of new and future attacks,” Drake says. “That relationship is what makes us different.” MarkMonitor's prevention, alert and response services start at about $20,000 and run as an application service provider (ASP), “so you're not paying for enterprise software up front and you don't have to operate it. We do everything,” Drake says. That “everything” includes fighting back in pro-active ways that Best at Wescom particularly admires. “It's great. Anytime anyone registers a domain anywhere with `Wescom' in the name, we hear about it and get ready. “And I've seen them dilute a phishing attack by sending it thousands of fake PIN and account numbers, and there's no way those guys can sort through them and find the good ones. And by then, they've been shut down anyway.” Best says he's aware of only two or three attacks against Wescom and that there were no member financial losses. “Of course, from what I hear, members often don't want to own up to what happened when they do fall for it. They might be embarrassed or something, I don't really know,” he says. “I do know that these attacks are getting more and more sophisticated in terms of using code and BIN numbers in ways that our forensics have to keep getting better to handle, but I feel like we're doing that with MarkMonitor and our other security suppliers,” Best says. But, he notes, even the cruder phish attacks still succeed, and he wonders sometimes if they aren't even intentionally unsophisticated. “I think sometimes, seriously, that it's a game to these fraudsters. They're very creative and they're not dumb. Sometimes I think I can just see them, sitting overseas somewhere telling each other in their chatrooms, `Hey, we misspelled four words and we still got 300 fools to fall for this.' ” -

[email protected]