How the Phishing Biz Works

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."

Re:Feh...

[Otter]

If the Harvard Business School types who descended like vultures on the former eastern bloc countries haven't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...

Uh, yeah, because under Ceausescu all these Romanian computer owners (with their free communications with the rest of the world) used their luxurious lifestyles for the betterment of the less fortunate...

Re:How it works

[Kithraya]

So those who don't know exactly how their highly-computerized car works should not operate one? Should everyone who doesn't have a medical degree and fully understand the human body avoid medical care? Should everyone who doesn't fully understand the intricacies of their local, regional and national economies not participate in them?

Re:A real person phished

[Otter]

I understand the "How could anyone be stupid enough to fall for this?" response to Nigerian email scams. But phishing? Maybe you don't get the good ones, but it's next to impossible for even a relatively sophisticated user to distinguish them from authentic emails. I deal with phishing by deleting everything purporting to be from EBay or PayPal -- I sure as hell wouldn't trust my ability to safely follow links from any of them.

"What?" shriek the Slashbots, "If hot Brazilian chicks can't view the message HTML, traceroute the links and the redirects and WHOIS the resulting information, they shouldn't be allowed to use computers!" Perhaps, and perhaps me neither, but it doesn't surprise me that people get burned.

Re:They have the public..

[leonardluen]

no, the problem is that when you put a person at a computer their intelligence drops 10 fold. they just seem to lose all common sense when a computer is involved.

for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them. now, that same person gets an email stating the same thing that the stranger on the street said, and suddenly they worry that "OMG i need to give this strange person all my data or they might close down my account."

they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.

social protection systems

[szo]

It didn't became financially unsustainable after the change, it was it well before. In fact, it was a major part of the countries failing economy, and this failing economy was the underlaying cause of the collapse of the soviet systems.

Re:IRC Cashiers Karma

[emmons]

We destroyed their way of life

How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.

Re:IRC Cashiers Karma

[wwwojtek]

We destroyed their way of life and now they are stealing from our grandparents

How is that "interesting" and not "-1 clueless?"

Communism did not work. Period. That's why it failed. It was our "way of life" because the alternative way of life was taken away. It was destroyed because it failed miserably. Actually, it destroyed itself. Yes, US probably helped (though proving it is hard), but the core reason why communism failed were its own inadequacies: if you destroy economic incentives, you are going downhill and there is no way around it. It does not necessarily mean the collapse of the system - you can vegetate for years on the substistence level (Cuba) or below it (North Korea). If you really helped us destroying our old way of life - big thank you, I am deeply grateful that you did so.

Stupid people, or stupid software?

[LKM]

I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:

• We all have knowledge about computers that is far above average. What might be obvious to us may not be obvious to others at all.
• Computers are a tool. Many of us may play with computers as an end in itself, but others use computers as a means to an end. To them, an E-Mail is very similar to a letter or a phone call. They don't know how to look at the source of the mail, and they don't know how to figure out whether a mail is legitimate or not - and frankly, I don't think they should have to.
• These scams are really well done. My mail app doesn't display HTML, but if you actually open the HTML part of those mails in your browser, it looks totally legit. It's easy to see how people fall for these.

Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATMs interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.

Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.

Advantages of a Distributed Crime Network

[borkus]

One thing that the article points out is that phishing isn't just about gullibility. It suceeds because the players act as a distributed network. Because perpetrators are so unlike to get caught, it's hard to deter people from doing it.

• Each part of the network is separate. They guy who gets the information on an account, versus the guy who breaks into it, versus the guy you receives the money. Knowing who is using the account doesn't help you catch the guy who sent the original phishing e-mail. The fact that the network is international makes coordination by law enforcement even harder.
• Roles are interchangeable. From the article, it appears that phishers don't have to use the same cashers all of the time. You can't take out one piece of the network and cripple it. Phishers just move onto another casher.
• Communication is largely anonymous. In old fashioned criminal networks, you had to be face to face at some point - to exchange money for narcotics, stolen property or bootleg liquor. In these new networks, no-one knows the actual person they're dealing with. If you do apprehend one member of the network, that member has very little information useful in arresting others.

Re:Huh?

[wwwojtek]

Don't put the words in my mouth. Believing that something is unambiguously wrong does not necessarily mean that I believe there is an absolute truth (whether I do believe it or not is off topic)

Yes, and I do believe that you can become an absolute power with a flawed economic system and a flawed system of government. The problem is you cannot stay an absolute power. Here is how it worked: heavy industry was the way to go in the 20s and 30s. Let's invest all we have in coal, steel and whatever else we can think of. That does work, the system is not efficient but we put so much resources into it that it's going to show results. The problem is though that world changes, technology changes and without capitalist incentives you will not be able to make the right decisions. It's actually quite simple: in capitalism everyone has an influence on where the system is going through their pockets. In communism, it is only the "elite" that does and the elite does not have full information and will not be able to make all the right decisions.

The only flaw in Communism is that it can be corrupted and the greedy. But the same can be said about capitalism and democracy.

I have never understood how people who have never seen communism in action feel free to make these kinds of statements. Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right? Have you seen how towns designed by communist planners look like? Did you know that pollution magically fell after collapse of communism? What about the fact that the average lifespan in countries like Hungary, Czech Republic and Poland increased by more than 5 years since 1989? None of these was because of corruption or greediness, they were due to some (often highly educated) nitwits in the government thinking that they make the right decisions