×

A Lawsuit Tries to Get at Hackers Through the Banks They Attack

A lawsuit filed on Wednesday against some of the most shadowy Internet criminals — gangs based in Eastern Europe that electronically break into business computers, steal banking passwords and transfer themselves money — is being used to pry information from a group that is nearly as reclusive as the hackers: banks whose computers have been compromised.

lock_laptop.jpg

The suit by Unspam Technologies, which organizes volunteers to track down information about spammers and other online rogues, was filed in United States District Court for the Eastern District of Virginia.

The lawyer for Unspam, Jon L. Praed, concedes he is unlikely ever to discover the names of the hackers. But he hopes to get the details of the thefts, the names of victims and other information from the banks that can be used to improve security and possibly identify the hackers.

Mr. Praed, the head of the Internet Law Group, which is based in Arlington, Va., has used the technique successfully on behalf of AOL and Verizon to identify people sending spam to their customers. The same legal method was used by the recording industry to force Internet providers to name customers who were exchanging copyrighted songs.

More recently, Mr. Praed has used these “John Doe suits” — so called because the unnamed defendant is identified only as John Doe — to get information from third parties that can then be passed to law enforcement officials and online security experts and used as the basis for other civil suits.

In 2007, Mr. Praed filed a suit on behalf of Unspam that was aimed at gathering information on illegal Internet pharmacies and the companies that support them. He declined to discuss any actions taken as a result.

The suit filed Wednesday invokes the federal Can-Spam Act because some of the malicious programs that infect corporate computers are sent in the form of attachments to e-mail messages. It is more common these days for computers to become infected when users visit Web sites that have been secretly taken over by hackers and unknowingly download computer code that then controls their computers.

“This lawsuit is intended to provide all those being victimized by this massive criminal enterprise the opportunity to come together to gather the data we need to fix the problem at a systems level,” Mr. Praed said.

Banks, however, may well fight the subpoenas of Mr. Praed.

A number of laws protect the confidentiality of bank customers. Moreover, the banking industry has historically avoided much discussion about fraud cases. Banks argue they do not want to give away the techniques used by criminals or those meant to thwart them. They also want to preserve the confidence of their customers.

“Banks are not the perpetrators of these crimes, and banks are spending tens or hundreds of millions of dollars of industry dollars trying to prevent those acts from taking place,” said Scott H. Frewing, a partner at the Baker & McKenzie law firm, which represents major banks.

“The use of John Doe lawsuits to draw them into a civil litigation fight just raises the cost on the banks in a way that the courts may not sanction.”

The banks also may fight the subpoenas to protect themselves from liability for losses by their corporate customers. While banks generally reimburse money lost by consumers to hackers, they do not cover losses by business accounts. And the most sophisticated hackers have been increasingly trying to focus on getting access to the accounts of big customers with large balances who wire money to other banks.

These days, hackers infect hundreds of thousands of computers with software that monitors their users, waiting for them to log onto a bank account. The nasty program installed on the computers of victims sends their bank IDs and passwords back to the hackers, who use them to log into the bank accounts.

They do not just bother to attack anyone’s account, said Joe Stewart, the director of malware research for SecureWorks, a software company.

“Now that they have a list of users, they will check all of their balances, and hang tight until they find the big fish,” he said.

All of that can be automated, so the hackers are alerted once their computers find they have gained access to the computer of someone who controls a lot of money.

Mr. Praed said that he hoped his John Doe lawsuit would encourage banks to improve their electronic defenses. “Unless we want to go back to putting our money in a mattress, more needs to be done.”