Slashdot Mirror


How the Phishing Biz Works

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."

13 of 321 comments

  1. A real person phished by tacensi · · Score: 4, Interesting

    I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, especially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.

    1. Re:A real person phished by clausiam · · Score: 2, Interesting
      How about this one then: I use online banking to pay most of my bills. My bank sends me reminders by email when I have a new bill. Those emails include a link to a logon page. Since these are "expected" emails it would be very easy to use in a phishing scheme. Of course, they are targeted to one particular bank and they also include the name of the Payee so that does make it a bit harder to fake, but I'm sure a Phisher could get a lot of hits by using "Bank of America" or "Wachovia" and common payee names like "Bellsouth", "Sprint" etc.

      Since I'm a bit paranoid I never follow the links from those emails, but just open a browser and manually navigate to the login page. But I would imagine that most people using this service don't do this.

      I wonder when we'll start seeing this kind of more targeted phishing scam.

  2. Re:Feh... by JaredOfEuropa · · Score: 4, Interesting

    The transition to a more free economy in these countries was anything but graceful. But most of the social protection systems were not savagely gutted, as you put it. Often they were left in place but became financially unmaintainable, or they failed to deal with rampant inflation. Pensioners in Russia still get their state pension; the only problem is that it isn't worth anything these days.

    In these countries, a lot of shady property deals went down, people got screwed over, there was profiteering, extortion, and theft on a grand scale, but many of these crimes of greed were perpetrated by people who were already criminals, or former socialist potentates (or both). 'Harvard Business school types' had very little to do with it.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

  3. Re:Just Received My First Phishing Email by benwb · · Score: 2, Interesting

    It's fairly clever. The phish links to a mock up of a paypal "This page has moved" screen. Clicking the moved link launches a new browser window without an address bar, but with one simulated using html. To a naive user it would appear that you were logging in to the secure paypal site.

  4. I've always thought by CastrTroy · · Score: 3, Interesting

    I've always thought that we could use some sort of slashdot effect to curb phishing. When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it. Maybe we could all help out by installing a folding@home type client where phishing urls are DDOSed by a bunch of people. With 100,000 people on such a network, each person would only need to send out a few requests to each site to make it work. There would be problems with the network hacked for bad uses, but limiting the client to only listening to messages that are properly signed would be a good start.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

    1. Re:I've always thought by Anonymous Coward · · Score: 1, Interesting

      Your post advocates a

      (*) technical ( ) legislative ( ) market-based (*) vigilante

      approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Phishers can easily use it to harvest email addresses
      (*) Routers and other legitimate traffic would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop phishing for two weeks and then we'll be stuck with it
      ( ) Users of the net will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from phishers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many internet users cannot afford to lose business or alienate potential employers
      ( ) Phishers don't care about invalid addresses in their lists
      (*) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      (*) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for the net
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      (*) Asshats
      (*) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      (*) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of phishing
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with phishers
      ( ) Dishonesty on the part of phishers themselves
      (*) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      (*) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (*) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Using the net should be free
      (*) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      (*) Feel-good measures do nothing to solve the problem
      ( ) I don't want the government watching my net usage
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (*) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  5. Re:They have the public.. by jonwil · · Score: 4, Interesting

    If the bank sends you a letter asking for personal account information, most people would follow up (especially if it contained bank logos and stuff).

    And clueless people tend to associate email with letters. So it's not unexpected that an email complete with official looking bank logos and graphics (and wording specifically designed to trick unsuspecting people into believing it's genuine) would trick people into falling for it.

    Here is a scheme that (if implemented) would almost completely stamp out phishing (for the bank that has implemented it anyway):

    Each account that is enabled for online banking has a unique number generated for it, stored in the bank secure online banking database alongside the username and password. (call it S)

    The customer is given a little device that would probably look like a little calculator. This device contains an embedded copy of the number generated in step 1 along with simple logic to implement a hash algorithm and a keypad.

    When you access the internet banking site, the bank displays the login and password prompt plus a randomly generated number and a box to put the output hash into.

    The number is stored by the bank systems in a way that directly links it to the IP address of the machine logging in and also so that it is no longer valid after a very short period of time (e.g. 20 minutes or something). Refreshing the login page would get a new different number.

    You would input the number from the login page into your "calculator" thing which would combine it with the secret number inside the "calculator".

    Then you input your username, password and the resulting hash into the login screen.

    Assuming the hash generated by the "calculator" and by the bank (using the stored copy of the secret number) match, you would be allowed into the banking system.

    The hash algorithm (call it F) would be chosen so that there is no number X such that F(S,X) = S for any significant number of values for S

    If the "calculator" is stolen or lost or whatever, you could request a new one (with the old secret number being removed from the bank database for good)

    Even if the fake login page talked to the bank's servers and retrieved a real "challenge code" (to enter into the "calculator") it wouldn't defeat the system since it (and the resulting hash) would expire long before the phisher would actually be able to make use of it.

    Another option would be one-time-use values that you get from your bank and use once to access online banking. Although this option would be less safe because of this:
    Phisher makes fake login page
    Bank customer goes into fake login page and types in username, password and one of their one-time-use values.
    Bank customer gets message back saying "system is down". Now phisher has one of the one-time-use values (error message can be written so as to convince bank customer that the one-time-use value he just used is now "used up") and can grab contents of bank account.

    Myself, if my bank (The National Australia Bank) implemented the "calculator" idea, I would accept it (even if it did mean more bank fees to pay for the "calculator" device)
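The challenge-response "calculator" scheme described in the comment above, worked through as an added Python example (this is not code from the post, nor from any bank's system). It assumes HMAC-SHA256 as the hash F, an 8-digit display on the device, the 20-minute expiry the comment suggests, and that the client address and current time are passed in as parameters so the behaviour can be checked deterministically. The server binds each challenge to the requesting address, expires it, and consumes it on first use, so a response captured by a fake login page cannot be replayed later or from elsewhere. One caveat a defender should keep in mind: none of these checks stop a fake page that relays the challenge and the victim's response to the real bank immediately over its own connection, which is why later deployments of such tokens also bind the response to the transaction being authorised.

```python
import hashlib
import hmac
import secrets

CHALLENGE_TTL = 20 * 60  # seconds; the comment suggests "20 minutes or something"


def token_response(secret: bytes, challenge: str) -> str:
    """What the customer's 'calculator' computes: F(S, X).

    Assumed construction: HMAC-SHA256 of the challenge under the per-account
    secret S, truncated to 8 decimal digits so it fits a small display.
    """
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class BankServer:
    """Toy model of the bank side of the scheme (hypothetical, for illustration)."""

    def __init__(self):
        self._accounts = {}    # username -> (password, S or None once revoked)
        self._challenges = {}  # challenge -> (client_ip, expires_at)

    def enrol(self, username: str, password: str) -> bytes:
        # Step 1 of the comment: a unique secret S per account, stored with
        # the credentials and programmed into the device handed to the customer.
        secret = secrets.token_bytes(32)
        self._accounts[username] = (password, secret)
        return secret

    def revoke_token(self, username: str) -> None:
        # Lost or stolen device: the old S is removed for good.
        password, _ = self._accounts[username]
        self._accounts[username] = (password, None)

    def issue_challenge(self, client_ip: str, now: float) -> str:
        # Shown on the login page; tied to the requesting address and short-lived.
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._challenges[challenge] = (client_ip, now + CHALLENGE_TTL)
        return challenge

    def login(self, username: str, password: str, challenge: str,
              response: str, client_ip: str, now: float) -> str:
        # pop() makes every challenge single-use, whatever the outcome.
        entry = self._challenges.pop(challenge, None)
        if entry is None:
            return "unknown or already-used challenge"
        issued_to, expires_at = entry
        if now > expires_at:
            return "challenge expired"
        if issued_to != client_ip:
            return "challenge issued to a different address"
        account = self._accounts.get(username)
        if account is None or account[1] is None:
            return "unknown account or token revoked"
        stored_password, secret = account
        expected = token_response(secret, challenge)
        # Constant-time comparisons for both factors.
        if not (hmac.compare_digest(stored_password.encode(), password.encode())
                and hmac.compare_digest(expected.encode(), response.encode())):
            return "bad credentials"
        return "ok"


if __name__ == "__main__":
    bank = BankServer()
    s = bank.enrol("alice", "correct horse")      # constructed sample account
    c = bank.issue_challenge("10.0.0.5", now=1000.0)
    print(bank.login("alice", "correct horse", c, token_response(s, c), "10.0.0.5", 1001.0))
    print(bank.login("alice", "correct horse", c, token_response(s, c), "10.0.0.5", 1002.0))
```

Running the block as a script prints `ok` for the genuine login and `unknown or already-used challenge` for the immediate replay of the same challenge and response.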

  6. Huh? by mfh · · Score: 2, Interesting

    Communism did not work. Period.

    So I guess you prefer the Absolutist way?

    Here's the apple: Communist Russia was one of the global super-powers. You are suggesting they got to that status by using a flawed system of government? It's views like yours that START COLD WARS.

    The only flaw in Communism is that it can be corrupted by the greedy. But the same can be said about capitalism and democracy.

    --
    The dangers of knowledge trigger emotional distress in human beings.

    1. Re:Huh? by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Taking away freedom and destroying hope for a better tomorrow is not a flaw for you? I am sure you have never waited in line for 10 hours to get a piece of meat, right?

      Hold on there. I agree with your post for the most part but correlation is not causation. Communism is not a form of government, only an economic model. It has been unfortunately paired with corrupt democracies and oligarchies in recent history. In truth neither capitalism nor communism is a workable system. Pretty much every government on earth is implementing some mix of capitalism and socialism. There are plenty of examples of corrupt democracies with horrible, degrading living conditions. The long and short of it is, communism seems to fail more often as economies get larger and capitalism fails more often as economies get smaller. The competitive and innovative advantages of capitalism are useless when applied to very small economies and result in an overabundance of duplicated effort. The collaborative and gestalt advantages of communism become too easily hijacked as economies become large and unwieldy, making profiteering and misinformation too easy.

      People are greedy, corrupt, power hungry, stupid, lazy, and downright evil. They are also kind, generous, brilliant, helpful, hard working, determined, and caring. Building a system that capitalizes upon the latter qualities while still buffering against and accounting for the former is not easy. In truth, I think probably a series of communist cells not more than a few hundred thousand people all competing with each other, trading with one another, with free movement between them and with a consistent, democratic government would make for a good utopian experiment.

      Eventually the system will probably find a balance, or we will all die in a cataclysmic event. Time will tell.

  7. Phishing in general... by It+doesn't+come+easy · · Score: 4, Interesting

    I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):

    "Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
    Thank you,cowboyup618"

    Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."

    If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.

    As phishing emails go, it was a pretty good try.

    --
    The NSA: The only part of the US government that actually listens.

  8. Re:They have the public.. by Blue+Stone · · Score: 2, Interesting
    "for example, if a random stranger walked up to you on the street and said that they were a representative from your bank and said that they must verify your account information otherwise they will have to close down your account, you would tell them to fuck off, walk away, and maybe even call the police on them."

    Interestingly, Derren Brown, a fellow specialising in psychological manipulation and stuff like that, did a stunt in a seaside resort (the clip isn't to be found at the link I gave unfortunately) where he 'simply' went up to people, asked them for directions to somewhere, and then asked them for their wallet/purse.

    He was successful about 60% of the time (IIRC) and walked off with the person's cash. The victims all then stood about a little while later, wondering if something wasn't amiss, and then, realised something and chased Derren down (who had only sauntered a little distance down the road) to ask him if they hadn't given him their cash.

    One poor chap was given his wallet back, and then Derren took it away from him again, there and then!

    Don't be too sure that the internet is to blame. People have been conned in the real world since time began.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce

  9. Why Romanian teenagers? by swatthatfly · · Score: 3, Interesting

    I read the article with interest, hoping to find an account of how the Romanian teenagers organized themselves into a sophisticated network of phishers. Instead all I found was a reference about how the typical phisher is Romanian but without any explanation of how they arrived at this conclusion. So why Romanian? I guess it sounds exotic and that's enough to make it interesting. Another load of crap about chat rooms, following other articles with IRC==bad && foreigners==scary in the subject line. How about some info describing what level of sophistication can be achieved in a country where dial-up is the norm and moving out of the city means not having a landline at all, hence no Internet.

    --
    keyboard not found! press any key to continue...

  10. Re:They have the public.. by motivator_bob · · Score: 2, Interesting

    they just need to learn to delete and ignore their email, similar to how they would have walked away from the stranger on the street.

    The main identifying feature that people use when someone would come up to them on the street is how they appear. How they come across to the person being targeted, which may be heavily based on first impressions.
    If this looks legit, (just like an email might look legit) then the target may well think, "well, he looks like the right person", and hand over what is being asked for.

    Then again, if the guy is standing there in the fake plastic glasses, big nose and moustache and the person still hands over the info, well, people still need to take responsibility for their actions.

    Common sense isn't.