March 19, 2012

Phishing Expeditions Help Clients

Brendan Kearney  /  Post & Courier

Local company seeks out malicious emails, sites

John LaCour's work email inbox is all spam and scams – on purpose. He deals with them so you don't have to.

"Most people don't want spam," LaCour said last week. "We actually vacuum up as much as we can."

LaCour and his Charleston-based company, PhishLabs, survey, investigate and root out malicious emails and websites. They collect millions of URLs every hour, thanks to their own "spampots" (think honeypot for spam) and Internet and email service providers who ship them a nearly endless supply of the electronic treachery, and then set about destroying it and identifying the people and techniques behind it.

"We're one of the few businesses whose goal is to put itself out of business," LaCour said. "But unfortunately, I think we're safe from that happening."

That's because the more the world moves online, developing dependencies on email, text messages and other Internet communication, the more cyber criminals will be there to victimize the unsavvy.

Depending on how good your spam filter is, you've likely encountered the sort of messages and websites PhishLabs combats.

There are several variations on the scam, and imaginative new iterations seem to surface all the time. But the unifying theme is tricking people into unsuspectingly giving away their money or offering up bank or other account information that leads to theft.


LaCour's company is named after one popular scheme called phishing wherein the crook creates a real-looking but fake email from a bank, airline, auction website or anywhere the user has an account and value behind a password. The victim then typically clicks on a link that takes him to a similar spoof website where he enters his personal information, which is collected by the cyber criminal and used for illicit gains.

"I think people have a natural tendency to want to be trustful and helpful," LaCour said. "And I think in some cases, some of the scams use an element of fear, saying, 'If you don't do this, you're not going to be able to access your account, you're not going to be able to access your money.' "

But LaCour, 42, still is surprised the extent to which people fall prey. "You have to wonder why the alarm bells don't go off for some of these folks," he said.

LaCour, who grew up in Baton Rouge, La., got his start in Internet security in the San Francisco Bay Area in the late 1990s. He worked at several companies developing firewalls, anti-spyware and anti-phishing products before striking out on his own in fall 2008 from brand protection firm MarkMonitor.

"I decided to leave because I noticed that ... phishing was becoming more and more pervasive, computer viruses that steal online banking information were continuing to grow in volume and the solutions that were on the market at the time were not especially effective in managing these problems," LaCour said.

He was leading a remote team of five from his condominium in Washington a little more than a year later when his wife, a Charleston native, landed a job at Blackbaud. The LaCours moved to the Holy City, and PhishLabs came, too.

LaCour moved into a small, nondescript office in the Flagship business incubator downtown almost four months ago. And that's where the low-key, jeans-wearing CEO and three other guys were hunched over computers on a recent afternoon, reviewing spam.

Discretion required

While its work may indirectly benefit the entire web community, PhishLabs gets paid by national and regional banks, credit unions and e-commerce companies. In addition to the money losses attributable to fraud, phishing erodes customer trust, LaCour explained. He didn't want to reveal any clients – that would admit they have a problem.

LaCour also is discreet about where his professional nemeses ply their trade. Nigeria, for example, has a reputation for advance-fee schemes, also known as 419 fraud after the corresponding section of the criminal code in Africa's most populous country. But LaCour will only say the scams generally originate in Western Africa and Eastern Europe.

"The common denominators are where there's Internet access, there's not a lot of opportunity for legitimate jobs and there's some level of technical education that's available to these people," he said. "Law enforcement in these places do what they can with the resources that they have sometimes."

As part of PhishLabs' investigation function, LaCour has helped American law enforcement, typically the FBI's "cyber squad," with the intractable issue. Asked if any of those cases have become public, LaCour paused.

"Not yet," he said. "Not that I can talk about."

He said he doesn't want to compromise any ongoing investigation or "paint a bull's-eye on our back" for hackers to launch retaliatory attacks on PhishLabs. LaCour did offer an example of an investigation that demonstrated how global, organized and persistent the scourge of Internet scams is.

The ruse involved a "job" offer wherein the "employee" would accept checks on behalf of the "employer" and then send some portion of that money along. The check was phony, but the victim wouldn't realize that until he had wired thousands of dollars of his own money away. In addition to playing along, PhishLabs did some research.

"And when we looked into how the email accounts were being created, the scammers had hired people in Third World countries whose job was to complete the CAPTCHAs over and over all day long," he said. CAPTCHAs are distorted images of letters that online ticket buyers often are required to type in to confirm they are human and not a bot.

LaCour said there were message boards where criminals sought out people for this work and where others, generally in South Asia, offered to do the work. The rate? Seventy cents per 1,000 codes entered.

LaCour cautioned web denizens against convincing themselves they're the lucky recipients of a great offer. As the saying goes, if it sounds too good to be true, it probably is. "I would change that to say, 'It definitely is,'" he added.

Lofty goal

But no one's immune from a well-executed scam. LaCour himself has nearly taken the bait on more than one occasion. "As I've contemplated typing in the information, it kind of hit me," he said. "Some of them can be very convincing."

Others make grammar and spelling errors that might make the recipient smile. LaCour said he's seen some requesting a "father's maiden name."

"You have to have a sense of humor about it or else it'll make you depressed," he said.

PhishLabs' recent growth also keeps LaCour happy. The company now rakes in seven-figure annual revenues and has 25 employees and contractors in five states and four continents to enable 24/7 monitoring and incident response around the world. It is looking to hire more people in Charleston this year. "I think in five years from now, I'd hope to be $100 million in revenue," LaCour said.

Such a lofty goal will require many hours in the office and on the computer, but LaCour also makes time for hobbies, such as wine-tasting and, well, a popular pastime involving baits and hooks on lines.

"I enjoy trying to catch redfish on occasion," he said.

John LaCour, founder and CEO of PhishLabs.

At a glance

Name: John LaCour.

Age: 42.

From: Baton Rouge, La.

Residence: Charleston.

Family: Married to Catherine LaCour.

Education: Studied computer science and business at Louisiana State University and Northwestern University.

**Work experience: **Director of product management, MarkMonitor; director of product management, RedSeal Systems; security services group manager, Zone Labs, Inc.; product manager, NetScreen Technologies; business development engineer, Pilot Network Services Inc.; technical support manager, US Robotics.