Researcher Describes How The Phishing Economy Works - InformationWeek

7/29/2005
06:33 PM

Researcher Describes How The Phishing Economy Works

Phishers use Internet chat to communicate with each other and buy and sell victims' financial information.

The economics of phishing is free-market theory in action -- pure supply and demand -- a researcher said Friday in explaining his recently released paper about the inner workings of Internet scammers.

"Phishing economies are self-organized merchants and consumers governed only by the laws of supply and demand," said Christopher Abad, a research scientist with Cloudmark, a San Francisco-based spam filtering service provider.

Abad probed the inner workings of phishers by analyzing hundreds of thousands of messages collected from 13 key phishing-related chat rooms and several thousand compromised computers used to run bots as well as host the bogus Web sites that phishers use to trick users into divulging confidential data, such as bank and credit card account information.

Phishers rely on the same chat infrastructure that spawned large numbers of denial-of-service (DoS) attacks years earlier, said Abad, because it was familiar to those inclined to phish for profit and they knew they could harness its power with automated bot programs to handle chores.

While chat is the way that phishers communicate and cooperate, bring newcomers into the fold, and sell the information they acquire, it's not possible to stop the thieves there, said Abad.

"That would be a fruitless task because there are so many areas for them to migrate to. It's the same problem as defeating a computer virus; unless you do a thorough job of stamping it out and preventing its infrastructure from rebuilding, you never quite get rid of it."

Abad's analysis of the chat side of phishing also invalidated the theory of some analysts that there are organized gangs, perhaps composed of organized crime elements, that have a top-to-bottom, soup-to-nuts control over all aspects of a phishing campaign.

"Phishers are very loosely-affiliated people," he said. "That's the nature of the system. I tried to validate those claims [of gangs] which are usually just second- or third-hand accounts. The Shadowcrew, for instance, wasn't really a centrally-organized ring like some people thought. It's just a bulletin board system that a number of phishing participants used to communicate with each other."

Nor are those who collect the information the ones who end up cashing in on the data. "They're two entirely separate groups," Abad said. "One is the consumer of the other."

Those who reap the harvest, so to speak, of phishing and other identity thievery, buy information in bulk, sometimes for as little as 50 cents per record, other times for as much as $100, then encode magnetic cards that can be used to pull money out of bank or credit card accounts at ATMs.

"That's a very direct path toward getting money," said Abad, "and much less time-consuming than, say, targeting PayPal or eBay."

"Cashers," as Abad labels them, take a split of the money they pull out -- as much as 70 percent -- then send the remainder to the credential supplier, the phisher who obtained the account information. The money is often wired to the phisher over Western Union, said Abad, because it's available internationally and there's "relative anonymity for the pick-up party."

Cashers specialize in working certain banks and even working certain account number groups at a bank. It's all about what banks they've managed to crack ATM codes for.

During the time he spent analyzing phishing, Abad went on, he noticed that some banks were being hit harder than others. "It's no surprise that Washington Mutual, Key Bank, and various other institutions are at the top of the phishers' lists," he said. "The tracking algorithms for these institutions are easily obtained from within the phishing economy, while Bank of America, a huge financial institution, is nearly off phishers' radar because its encoding algorithm is very hard to obtain or crack."

Since he started, banks such as Washington Mutual have beefed up their encoding algorithms, and have seen phishing damages drop dramatically.

In fact, phishers are starting to wean themselves off banks because the targets have been substantially hardened, making them tougher to milk for cash. Instead, they're returning to "soft financial" targets like eBay and PayPal, services and sites that were at the top of the hit list a year or more ago.

"Banks were able to correct their problem with phishers," said Abad, "but now clearly the phishers are going after other vectors and targets." Money transfer services are also a developing target for phishers, he added.

"The ubiquity of the technology necessary to phish -- from chat rooms and mass mailing of e-mail to compromised host machines -- means that it's impossible to stamp out," said Abad.

The only solution, he thinks, is for everyone to have a solid anti-spam defense in place.

"We're stopping basically everything [that's spam]," said Abad. "We're stopping about everything that we can. I don't see anti-spam getting much better. The problem is deployment. More people need to be using it. If there's only 2 percent of the population using an anti-spam solution, that means 98 percent can be victims.

"Phishers are exploiting the average joe," he concluded.

And until the average joe gets the message, phishers will laugh all the way to the bank.
