Researcher Describes How The Phishing Economy Works

Phishers use Internet chat to communicate with each other and buy and sell victims' financial information.
The economics of phishing is free-market theory in action -- pure supply and demand -- a researcher said Friday in explaining his recently released paper about the inner workings of Internet scammers.

"Phishing economies are self-organized merchants and consumers governed only by the laws of supply and demand," said Christopher Abad, a research scientist with Cloudmark, a San Francisco-based spam filtering service provider.

Abad probed the inner workings of phishers by analyzing hundreds of thousands of messages collected from 13 key phishing-related chat rooms and several thousand compromised computers used to run bots as well as host the bogus Web sites that phishers use to trick users into divulging confidential data, such as bank and credit card account information.

Phishers rely on the same chat infrastructure that spawned large numbers of denial-of-service (DoS) attacks years earlier, said Abad, because it was familiar to those inclined to phish for profit and they knew they could harness its power with automated bot programs to handle chores.

While chat is the way that phishers communicate and cooperate, bring newcomers into the fold, and sell the information they acquire, it's not possible to stop the thieves there, said Abad.

"That would be a fruitless task because there are so many areas for them to migrate to. It's the same problem as defeating a computer virus; unless you do a thorough job of stamping it out and preventing its infrastructure from rebuilding, you never quite get rid of it."

Abad's analysis of the chat side of phishing also invalidated the theory of some analysts that there are organized gangs, perhaps composed of organized crime elements, that have top-to-bottom, soup-to-nuts control over all aspects of a phishing campaign.

"Phishers are very loosely-affiliated people," he said. "That's the nature of the system. I tried to validate those claims [of gangs] which are usually just second- or third-hand accounts. The Shadowcrew, for instance, wasn't really a centrally-organized ring like some people thought. It's just a bulletin board system that a number of phishing participants used to communicate with each other."

Nor are those who collect the information the ones who end up cashing in on the data. "They're two entirely separate groups," Abad said. "One is the consumer of the other."

Those who reap the harvest, so to speak, of phishing and other identity thievery, buy information in bulk, sometimes for as little as 50 cents per record, other times for as much as $100, then encode magnetic cards that can be used to pull money out of bank or credit card accounts at ATMs.

"That's a very direct path toward getting money," said Abad, "and much less time-consuming than, say, targeting PayPal or eBay."

"Cashers," as Abad labels them, take a split of the money they pull out -- as much as 70 percent -- then send the remainder to the credential supplier, the phisher who obtained the account information. The money is often wired to the phisher over Western Union, said Abad, because it's available internationally and there's "relative anonymity for the pick-up party."

Cashers specialize in working certain banks and even working certain account number groups at a bank. It's all about what banks they've managed to crack ATM codes for.

During the time he spent analyzing phishing, Abad went on, he noticed that some banks were being hit harder than others. "It's no surprise that Washington Mutual, Key Bank, and various other institutions are at the top of the phishers' lists," he said. "The tracking algorithms for these institutions are easily obtained from within the phishing economy, while Bank of America, a huge financial institution, is nearly off phishers' radar because its encoding algorithm is very hard to obtain or crack."

Since he started, banks such as Washington Mutual have beefed up their encoding algorithms, and have seen phishing damages drop dramatically.

In fact, phishers are starting to wean themselves off banks because the targets have been substantially hardened, making them tougher to milk for cash. Instead, they're returning to "soft financial" targets like eBay and PayPal, services and sites that were at the top of the hit list a year or more ago.

"Banks were able to correct their problem with phishers," said Abad, "but now clearly the phishers are going after other vectors and targets." Money transfer services are also a developing target for phishers, he added.

"The ubiquity of the technology necessary to phish -- from chat rooms and mass mailing of e-mail to compromised host machines -- means that it's impossible to stamp out," said Abad.

The only solution, he thinks, is for everyone to have a solid anti-spam defense in place.

"We're stopping basically everything [that's spam]," said Abad. "We're stopping about everything that we can. I don't see anti-spam getting much better. The problem is deployment. More people need to be using it. If there's only 2 percent of the population using an anti-spam solution, that means 98 percent can be victims.

"Phishers are exploiting the average joe," he concluded.

And until the average joe gets the message, phishers will laugh all the way to the bank.