How the Phishing Biz Works

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."

Re:Feh...

[Otter]

If the Harvard Business School types who descended like vultures on the former eastern bloc countries haven't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...

Uh, yeah, because under Ceausescu all these Romanian computer owners (with their free communications with the rest of the world) used their luxurious lifestyles for the betterment of the less fortunate...

Re:A real person phished

[Otter]

I understand the "How could anyone be stupid enough to fall for this?" response to Nigerian email scams. But phishing? Maybe you don't get the good ones, but it's next to impossible for even a relatively sophisticated user to distinguish them from authentic emails. I deal with phishing by deleting everything purporting to be from EBay or PayPal -- I sure as hell wouldn't trust my ability to safely follow links from any of them.

"What?" shriek the Slashbots, "If hot Brazilian chicks can't view the message HTML, traceroute the links and the redirects and WHOIS the resulting information, they shouldn't be allowed to use computers!" Perhaps, and perhaps me neither, but it doesn't surprise me that people get burned.

Re:They have the public..

[leonardluen]

no, the problem is that when you put a person at a computer their intelligence drops 10 fold. they just seem to lose all common sense when a computer is involved.

for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them. now, that same person gets an email stating the same thing that the stranger on the street said, and suddenly they worry that "OMG i need to give this strange person all my data or they might close down my account."

they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.

social protection systems

[szo]

It didn't became financially unsustainable after the change, it was it well before. In fact, it was a major part of the countries failing economy, and this failing economy was the underlaying cause of the collapse of the soviet systems.

Re:IRC Cashiers Karma

[emmons]

We destroyed their way of life

How so? Their way of life didn't work and the system imploded on itself. Granted we did all we could to speed the process, but we weren't the cause.

Stupid people, or stupid software?

[LKM]

I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:

• We all have knowledge about computers that is far above average. What might be obvious to us may not be obvious to others at all.
• Computers are a tool. Many of us may play with computers as an end in itself, but others use computers as a means to an end. To them, an E-Mail is very similar to a letter or a phone call. They don't know how to look at the source of the mail, and they don't know how to figure out whether a mail is legitimate or not - and frankly, I don't think they should have to.
• These scams are really well done. My mail app doesn't display HTML, but if you actually open the HTML part of those mails in your browser, it looks totally legit. It's easy to see how people fall for these.

Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATMs interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.

Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.