Phishing In The Channel

Rick Zeman writes "A Washington Post story details the relationships between phishers, IRC, plug-and-play phishing toolkits, and phantom web sites. 'For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists,' Orad said. 'It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'"

Urmm...

It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off.'

So phishing is just as easy as using Windows... Think about it.

Re:IRC?

[Nosf3ratu]

Overstating the obvious is also pointless. You fail it.

Re:Let's implement some ideas

[MikeyVB]

Here in Holland online banking is almost that.

My bank card has a smart card on it, which not only can I use for "instant" money purchases at vending machines and such, but also as a security feature for my online banking.

You get a little device the size of a small calculator that you put the card in, punch in your pin code, and then enter an 8 didget number from the online banking web page (that you get after you sign in with your bank card number). The little gadjet then returns a response code that you use to log in to your online banking.

So for someone to use your online banking, they not only require your pin, but they also have to phyically have your bank card.

Classic Phishing Scam

[AceCaseOR]

Listen to this one then; you open a company called the Arse Tickler's Faggot Fan Club. You take an advert in the back page of some gay mag, advertising the latest in arse-intruding dildos, sell it a bit with, er... I dunno, "does what no other dildo can do until now", latest and greatest in sexual technology. Guaranteed results or money back, all that bollocks. These dills cost twenty-five each; a snip for all the pleasure they are going to give the recipients. They send a cheque to the company name, nothing offensive, er, Bobbie's Bits or something, for twenty-five. You put these in the bank for two weeks and let them clear. Now this is the clever bit. Then you send back the cheques for twenty-five pounds from the real company name, Arse Tickler's Faggot Fan Club, saying sorry, we couldn't get the supply from America, they have sold out. Now you see how many of the people cash those cheques; not a single soul, because who wants his bank manager to know he tickles arses when he is not paying in cheques!

Networks of mindless get-rich-quick folk

[Audigy]

Of course online fraud doesn't end with merely collecting credit card numbers.

Next, a network of illdoers must convert this stolen cash into something much less traceable. They enlist the help of folk running a variety of instant messenging programs.

Why, just this morning I received this gem on ICQ:

268-919-230 (9:13 AM) :
Hi there! where you disappeared?!
268-919-230 (9:13 AM) :
yes, I haven't been here for long, too - was busy working on Alfa Trans
268-919-230 (9:14 AM) :
by the way, I'd recommend you to check it, too. You can find company url in my about info.

The URL in this guy's (bot's) info is http://www.alfa-trans.com which appears to be an elaborate money laundering and courier service masquerading as a legit business. They "hire" "managers" to distribute this stolen stuff around the globe and pay them a percentage of runs completed, or money transferred. Very crafty, and sometimes very appealing to the poor college student who has no balls to apply for a local McJob.

Of course the joke's on the hapless student when the guys in black suits come a'knockin'.

Greed will always prevail, and I feel that it will be impossible to educate everyone about this kind of stuff... after all, as long as one or two suckers buy into every mass mailing, spam will continue, because there's money to be made.

Does anyone know of any type of employment I could pursue involving tracking online fraud? It fascinates me immensely. :)

phishing the phishers

[tsu+doh+nimh]

the story suggests the scammers are just as busy scamming each other. my favorite quote:

Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers.

But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers. "As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."

Re:Let's implement some ideas

[Nessak]

Yes, SecureID costs a fair amount now, but I suspect more people then you think would be willing to pay for it. (I would have no problem paying $50/yr to know someone can't steal my CC number or PIN.) Not to mention the price would decrease if millions of Americans had one as opposed to the somewhat limited usage right now. And considering how many millions of dollars banks and credit companies lose to such scams, they might be getting to the point where it is cheaper to issue ScecureIDs (or something similar) then lose the money due to ID thefts.

Inverse correlation with bank robberies

[funkmeister]

I recently had some homeless fellow steal my trash before garbage day. Normally this wouldn't concern me, but one of bags was full of credit card receipts that I was not able to shred because my shredder stopped working. Many merchants here in Canada still print the full credit card number of the receipt, so I thought it would be best if I canceled the card. I called up my bank manager and somehow we got to talking about phishing. She told me that there is an inverse correlation between the frequency of armed bank robberies and incidents of money stolen through successful phishing scams. I googled for some web site with this information, but could not anything. Apparently bank robbers are starting to realize that it is easier to phish than to rob a bank. I think it is going to get much worse before it starts getting better.

Re:Slow Law Enforcement

[Skevin]

I simply gave up and started to take matters into my own hands.

I'm creating minor software package called Dolfin, to combat Phishing scams. It just some basic Python with a MySQL backend, and it works like this: I have a huge list of common first names and a huge list of common last names. When I find a Phishing page, I pull up a random last name, a random first name, and create a random 16-digit Visa Number, complete with a random expiration date... plus any other random data a Phishing form might ask for. An endless loop plugs in this data as fast as the associated machine can handle, which, on my semi-disposable 166MHz Pentium, comes out to twice a second.

What I would love is a means of doing this in a distributed effort/attack. Imagine the look on a Phisher's face when he wakes up one morning and finds out he has to sift through millions of bogus financial records just to find a single legitimate one! If interested write me at s_kevin_5_21@yahoo.com (remove all underscores).

Solomon Kevin Chang