Researcher Describes How The Phishing Economy Works - InformationWeek

7/29/2005
06:33 PM

Phishers use Internet chat to communicate with each other and buy and sell victims' financial information.

The economics of phishing is free-market theory in action -- pure supply and demand -- a researcher said Friday in explaining his recently released paper about the inner workings of Internet scammers.

"Phishing economies are self-organized merchants and consumers governed only by the laws of supply and demand," said Christopher Abad, a research scientist with Cloudmark, a San Francisco-based spam filtering service provider.

Abad probed the inner workings of phishers by analyzing hundreds of thousands of messages collected from 13 key phishing-related chat rooms and several thousand compromised computers used to run bots as well as host the bogus Web sites that phishers use to trick users into divulging confidential data, such as bank and credit card account information.

Phishers rely on the same chat infrastructure that spawned large numbers of denial-of-service (DoS) attacks years earlier, said Abad, because it was familiar to those inclined to phish for profit and they knew they could harness its power with automated bot programs to handle chores.

While chat is the way that phishers communicate and cooperate, bring newcomers into the fold, and sell the information they acquire, it's not possible to stop the thieves there, said Abad.

"That would be a fruitless task because there are so many areas for them to migrate to. It's the same problem as defeating a computer virus; unless you do a thorough job of stamping it out and preventing its infrastructure from rebuilding, you never quite get rid of it."

Abad's analysis of the chat side of phishing also invalidated the theory of some analysts that there are organized gangs, perhaps composed of organized crime elements, that have top-to-bottom, soup-to-nuts control over all aspects of a phishing campaign.

"Phishers are very loosely-affiliated people," he said. "That's the nature of the system. I tried to validate those claims [of gangs] which are usually just second- or third-hand accounts. The Shadowcrew, for instance, wasn't really a centrally-organized ring like some people thought. It's just a bulletin board system that a number of phishing participants used to communicate with each other."

Nor are those who collect the information the ones who end up cashing in on the data. "They're two entirely separate groups," Abad said. "One is the consumer of the other."

Those who reap the harvest, so to speak, of phishing and other identity thievery, buy information in bulk, sometimes for as little as 50 cents per record, other times for as much as $100, then encode magnetic cards that can be used to pull money out of bank or credit card accounts at ATMs.

"That's a very direct path toward getting money," said Abad, "and much less time-consuming than, say, targeting PayPal or eBay."

"Cashers," as Abad labels them, take a split of the money they pull out -- as much as 70 percent -- then send the remainder to the credential supplier, the phisher who obtained the account information. The money is often wired over Western Union, said Abad, to the phisher, because it's available internationally and there's "relative anonymity for the pick-up party."

Cashers specialize in working certain banks and even working certain account number groups at a bank. It's all about what banks they've managed to crack ATM codes for.

During the time he spent analyzing phishing, Abad went on, he noticed that some banks were being hit harder than others. "It's no surprise that Washington Mutual, Key Bank, and various other institutions are at the top of the phishers' lists," he said. "The tracking algorithms for these institutions are easily obtained from within the phishing economy, while Bank of America, a huge financial institution, is nearly off phishers' radar because its encoding algorithm is very hard to obtain or crack."

Since he started, banks such as Washington Mutual have beefed up their encoding algorithms, and have seen phishing damages drop dramatically.

In fact, phishers are starting to wean themselves off banks because the targets have been substantially hardened, making them tougher to milk for cash. Instead, they're returning to "soft financial" targets like eBay and PayPal, services and sites that were at the top of the hit list a year or more ago.

"Banks were able to correct their problem with phishers," said Abad, "but now clearly the phishers are going after other vectors and targets." Money transfer services are also a developing target for phishers, he added.

"The ubiquity of the technology necessary to phish -- from chat rooms and mass mailing of e-mail to compromised host machines -- means that it's impossible to stamp out," said Abad.

The only solution, he thinks, is for everyone to have a solid anti-spam defense in place.

"We're stopping basically everything [that's spam]," said Abad. "We're stopping about everything that we can. I don't see anti-spam getting much better. The problem is deployment. More people need to be using it. If there's only 2 percent of the population using an anti-spam solution, that means 98 percent can be victims.

"Phishers are exploiting the average joe," he concluded.

And until the average joe gets the message, phishers will laugh all the way to the bank.
