Honeypots with a Sting

You can use honeypots in new ways, including to catch credit card thieves.

Have you considered using a honeypot on your network? You can use honeypots in many ways, and new uses are still unfolding in the information security landscape. One company, CardCops.com, established a honeypot not to catch network intruders but to catch perpetrators of fraud.

Credit card information theft is a significant problem on the Internet, but CardCops.com has taken the offensive to nab those who would steal credit card information and use it to perpetrate fraud. CardCops.com founders Dan Clements and Mike Brown often had to spend part of their day chasing fraudulent Web-based ad impressions at their company, Ads360.com. The fraudulent ad impressions came from unscrupulous individuals who established Web sites, subscribed to various ad placement networks, then generated fake ad impressions by using automated software—often placing ads on unsuspecting victims' cracked systems. The ad impressions then generated revenue for the perpetrators.

Clements and Brown noticed that those who generate fake ad impressions are often the same people who steal credit card information. They started CardCops.com to curb Internet credit card fraud. CardCops.com intends to catch criminals in the act of stealing credit card information and fraudulently using stolen credit card information.

To set their short-lived trap, the company established a fake operation as laptop vendor Laptops4now.com, complete with an e-commerce Web site that served as the honeypot. The company then posted alluring messages to various chat channels, which credit card information thieves are known to frequent. The messages lured perpetrators by stating that Laptops4now.com would ship laptop orders anywhere. CardCops.com then systematically gathered forensic information as the orders came in and promptly turned the data over to the US Secret Service for investigation.

Card thieves often use stolen cards to buy new laptops, which they then trade or sell. Thieves usually give shipping addresses to locations that they use as drop locations and from which they collect the goods and relay them to other points, sometimes overseas. They hope that by using foreign drop points, they can cover their tracks and make their actual identity and location more difficult to discover.

CardCops.com turned on its fake Laptops4now.com Web site at 5:00 P.M. Pacific Standard Time on Wednesday, May 29, 2002. By 5:00 A.M. the next morning, the company had snared five criminals in its trap. In that 12-hour time period, Laptops4now.com received 16 overseas orders for new laptops (totaling more than $27,000), all ordered with stolen credit card information and all to be shipped to US drop locations. The orders came from foreign IP addresses and had US locations as shipping addresses, according to Patrick Granahan, CTO of CardCops.com. After CardCops.com emailed the United Parcel Service (UPS) tracking numbers to those customers, four of five reordered Friday night. "The greed had set in," Granahan noted. As of Tuesday, June 11, the Laptops4now.com site had attracted more than 37 fraudulent laptop orders.

CardCops.com hired a third-party security agency, Secure Net Labs, to track the online orders from the fake Laptops4now.com e-commerce site, and the overall operation has succeeded. The results verify how quickly thieves can attack reputable merchants with fraudulent orders, according to Keath Nupuf of Secure Net Labs. "Foreign [IP addresses], email addresses, drop addresses, and site scan origins were all captured as part of the project," Nupuf explained. The data has been turned over to law enforcement. "We have received the data and are investigating," said Don Masters, US Secret Service Agent based in Los Angeles. CardCops.com hopes the data will lead to the identity and arrest of global intruders and credit card information thieves. I'll keep you posted.

In a recent interview, I learned that CardCops.com had just finished its second honeypot sting operation. The company established an Apache Web site that presented a fake Microsoft IIS Web server bug that supposedly exposed a file containing bogus credit card information. The company designed the trap to snare intruders who tried to steal that credit card data. The operation succeeded in catching thieves in the act of stealing the bogus data file. The company said that ideas for further sting operations are in the works.
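One way a defender could review the Web logs of a decoy-file honeypot like the one described above, as an added example that is not code from the article or from CardCops.com. The decoy path and the log lines are constructed assumptions; the parser expects Apache's combined log format.

```python
import re
from collections import defaultdict

# Hypothetical decoy path; the article does not name the exposed file.
DECOY_PATH = "/scripts/orders/cards.txt"

# Apache combined log format (referer and user agent are optional here).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines using documentation IP ranges, not captured data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2002:02:11:40 -0700] "GET /scripts/ HTTP/1.0" 404 290 "-" "-"
203.0.113.7 - - [10/Jun/2002:02:11:52 -0700] "GET /scripts/orders/cards.txt HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jun/2002:03:05:01 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.99 - - [10/Jun/2002:04:40:13 -0700] "GET /scripts/orders/cards.txt?x=1 HTTP/1.1" 200 5120 "-" "curl/7.9"
192.0.2.99 - - [10/Jun/2002:04:41:00 -0700] "GET /scripts/orders/cards.txt HTTP/1.1" 200 5120 "-" "curl/7.9"
this line is malformed and must be skipped
"""

def decoy_hits(log_text, decoy=DECOY_PATH):
    """Return {ip: evidence} for every client that downloaded the decoy file."""
    seen = defaultdict(list)  # all parsed requests per client, in log order
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # unparseable lines are ignored rather than aborting the run
            seen[m["ip"]].append(m)
    report = {}
    for ip, reqs in seen.items():
        # A hit is a successful fetch of the decoy, ignoring any query string.
        hits = [r for r in reqs
                if r["path"].split("?", 1)[0] == decoy and r["status"] == "200"]
        if not hits:
            continue  # ordinary visitors never touch the decoy
        first = reqs.index(hits[0])
        report[ip] = {
            "first_hit": hits[0]["ts"],
            "downloads": len(hits),
            "user_agents": sorted({r["ua"] or "-" for r in reqs}),
            # Requests made before the first download show how the client found it.
            "probes_before": [r["path"] for r in reqs[:first]],
        }
    return report

if __name__ == "__main__":
    for ip, info in decoy_hits(SAMPLE_LOG).items():
        print(ip, info)
```

Because no legitimate page links to the decoy file, any client in the report is worth preserving as evidence along with its earlier requests.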

Another less recent endeavor also stretches the notion of honeypots. In January, the Securities and Exchange Commission (SEC) posted a press release to lure investors to the Web site of McWhortle Enterprises, a fictitious company about to make its initial public offering (IPO) in the stock market. The company's nonexistent product, the Bio-Hazard Detector, was a protection device that played on public fears of terrorist attacks. The device claimed to detect "microscopic levels of hazardous bio-organisms ... even the finest-milled, weapons-grade biohazards from 50 feet, long before the risk of inhalation or cutaneous (skin) infection, by testing for the distinctive surface leptins (neurotransmitters)." The company sought to raise millions of dollars and promised investors 400 percent gains in just 3 months.

However, when visitors reached the fake McWhortle Web site, they were led to a warning page that said, "If you responded to an investment idea like this ... you could get scammed!" The SEC, the Federal Trade Commission (FTC), the North American Securities Administrators Association (NASAA), and the National Association of Securities Dealers (NASD) sponsored the operation, which was designed to make online investors more cautious to prevent online investment fraud from succeeding.

Honeypots can trap all kinds of users, including blatant criminals, curiosity-driven intruders, and members of the public who want to make a fast buck. Honeypots don't have to be expensive or comprehensive. As the preceding stories demonstrate, you can develop honeypots that are simple, temporary, and highly targeted. When you consider your honeypot design, take time to be creatively convincing.
