Researcher Describes How The Phishing Economy Works - InformationWeek


Phishers use Internet chat to communicate with each other and buy and sell victims' financial information.

The economics of phishing is free-market theory in action -- pure supply and demand -- a researcher said Friday in explaining his recently released paper about the inner workings of Internet scammers.

"Phishing economies are self-organized merchants and consumers governed only by the laws of supply and demand," said Christopher Abad, a research scientist with Cloudmark, a San Francisco-based spam filtering service provider.

Abad probed the inner workings of phishers by analyzing hundreds of thousands of messages collected from 13 key phishing-related chat rooms and several thousand compromised computers used to run bots as well as host the bogus Web sites that phishers use to trick users into divulging confidential data, such as bank and credit card account information.

Phishers rely on the same chat infrastructure that spawned large numbers of denial-of-service (DoS) attacks years earlier, said Abad, because it was familiar to those inclined to phish for profit and they knew they could harness its power with automated bot programs to handle chores.

While chat is the way that phishers communicate and cooperate, bring newcomers into the fold, and sell the information they acquire, it's not possible to stop the thieves there, said Abad.

"That would be a fruitless task because there are so many areas for them to migrate to. It's the same problem as defeating a computer virus; unless you do a thorough job of stamping it out and preventing its infrastructure from rebuilding, you never quite get rid of it."

Abad's analysis of the chat side of phishing also invalidated the theory of some analysts that there are organized gangs, perhaps composed of organized crime elements, that have a top-to-bottom, soup-to-nuts control over all aspects of a phishing campaign.

"Phishers are very loosely-affiliated people," he said. "That's the nature of the system. I tried to validate those claims [of gangs] which are usually just second- or third-hand accounts. The Shadowcrew, for instance, wasn't really a centrally-organized ring like some people thought. It's just a bulletin board system that a number of phishing participants used to communicate with each other."

Nor are those who collect the information the ones who end up cashing in on the data. "They're two entirely separate groups," Abad said. "One is the consumer of the other."

Those who reap the harvest, so to speak, of phishing and other identity thievery, buy information in bulk, sometimes for as little as 50 cents per record, other times for as much as $100, then encode magnetic cards that can be used to pull money out of bank or credit card accounts at ATMs.

"That's a very direct path toward getting money," said Abad, "and much less time-consuming than, say, targeting PayPal or eBay."

"Cashers," as Abad labels them, take a split of the money they pull out -- as much as 70 percent -- then send the remainder to the credential supplier, the phisher who obtained the account information. The money is often wired over Western Union, said Abad, to the phisher, because it's available internationally and there's "relative anonymity for the pick-up party."

Cashers specialize in working certain banks and even working certain account number groups at a bank. It's all about what banks they've managed to crack ATM codes for.

During the time he spent analyzing phishing, Abad went on, he noticed that some banks were being hit harder than others. "It's no surprise that Washington Mutual, Key Bank, and various other institutions are at the top of the phishers' lists," he said. "The tracking algorithms for these institutions are easily obtained from within the phishing economy, while Bank of America, a huge financial institution, is nearly off phishers' radar because its encoding algorithm is very hard to obtain or crack."

Since he started, banks such as Washington Mutual have beefed up their encoding algorithms, and have seen phishing damages drop dramatically.

In fact, phishers are starting to wean themselves off banks because the targets have been substantially hardened, making them tougher to milk for cash. Instead, they're returning to "soft financial" targets like eBay and PayPal, services and sites that were at the top of the hit list a year or more ago.

"Banks were able to correct their problem with phishers," said Abad, "but now clearly the phishers are going after other vectors and targets." Money transfer services are also a developing target for phishers, he added.

"The ubiquity of the technology necessary to phish -- from chat rooms and mass mailing of e-mail to compromised host machines -- means that it's impossible to stamp out," said Abad.

The only solution, he thinks, is for everyone to have a solid anti-spam defense in place.

"We're stopping basically everything [that's spam]," said Abad. "We're stopping about everything that we can. I don't see anti-spam getting much better. The problem is deployment. More people need to be using it. If there's only 2 percent of the population using an anti-spam solution, that means 98 percent can be victims.

"Phishers are exploiting the average joe," he concluded.

And until the average joe gets the message, phishers will laugh all the way to the bank.
