Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Spam Government The Courts News

How the Phishing Biz Works 321

Carl Bialik from the WSJ writes "Christopher Abad has spent much of the past six months 'stalking the phisher underground,' Lee Gomes writes in the Wall Street Journal. 'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag. If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.' For instance, a phisher in Romania who successfully scores account information for someone in the U.S. may go on IRC to seek out a 'casher' to withdraw money from the target's account, and send a cut back to the phisher."
This discussion has been archived. No new comments can be posted.

How the Phishing Biz Works

Comments Filter:
  • by Anonymous Coward on Monday June 20, 2005 @07:45AM (#12862141)
    Looks like I caught a big one! A 12-lb FP!
  • by dances with elks ( 863490 ) on Monday June 20, 2005 @07:49AM (#12862174)
    I think it involves 3. ??? somewhere
  • by sandstorming ( 850026 ) <johnsee@NospAm.sandstorming.com> on Monday June 20, 2005 @07:50AM (#12862184)
    But not as prettyful as... This Technology [internetperils.com]
  • Feh... (Score:2, Insightful)

    by Pig Hogger ( 10379 )
    If the Harvard Business School types who descended like vultures on the former eastern bloc countries haven't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...
    • Re:Feh... (Score:5, Interesting)

      by JaredOfEuropa ( 526365 ) on Monday June 20, 2005 @08:09AM (#12862311) Journal
      The transition to a more free economy in these countries was anything but graceful. But most of the social protection systems were not savagely gutted, as you put it. Often they were left in place but became financially unmaintainable, or they failed to deal with rampant inflation. Pensioners in Russia still get their state pension; the only problem is that it isn't worth anything these days.

      In these countries, a lot of shady property deals went down, people got screwed over, there was profiteering, extortion, and theft on a grand scale, but many of these crimes of greed were perpetrated by people who were already criminals, or former socialist potentates (or both). 'Harvard Business school types' had very little to do with it.
      • many of these crimes of greed were perpetrated by people who were already criminals, or former socialist potentates (or both). 'Harvard Business school types' had very little to do with it.
        They supplied the ideological plumbing details (the precise instructions on how to do it).
      • by szo ( 7842 ) on Monday June 20, 2005 @08:39AM (#12862526)
        It didn't became financially unsustainable after the change, it was it well before. In fact, it was a major part of the countries failing economy, and this failing economy was the underlaying cause of the collapse of the soviet systems.
    • Re:Feh... (Score:5, Insightful)

      by Otter ( 3800 ) on Monday June 20, 2005 @08:09AM (#12862312) Journal
      If the Harvard Business School types who descended like vultures on the former eastern bloc countries haven't worked so hard to savagely gut the social protection systems that were in place, there would not be so many criminals in those countries nowadays...

      Uh, yeah, because under Ceausescu all these Romanian computer owners (with their free communications with the rest of the world) used their luxurious lifestyles for the betterment of the less fortunate...

    • Outsourcing (Score:3, Funny)

      by Tipa ( 881911 )
      Phishing is a job? Wow, finally a new sort of tech job and it is immediately shipped oversees.... can't even buy a break these days.
  • by tacensi ( 706781 ) on Monday June 20, 2005 @07:58AM (#12862255)
    I always thought that only old people would fall for these phishing and scam emails. The problem is, here in Brazil it's not like Korea: it is not so common to see old people using computers, specially for online banking. Then one day I met this beautiful, smart and young lady who lost a big sum of money when she got phished. I was surprised to see a real person that got phished. I think she could get it back from her bank, though. It was probably a national phisher, I don't believe it was a teenager from Romania.
    • by Otter ( 3800 ) on Monday June 20, 2005 @08:18AM (#12862361) Journal
      I understand the "How could anyone be stupid enough to fall for this?" response to Nigerian email scams. But phishing? Maybe you don't get the good ones, but it's next to impossible for even a relatively sophisticated user to distinguish them from authentic emails. I deal with phishing by deleting everything purporting to be from EBay or PayPal -- I sure as hell wouldn't trust my ability to safely follow links from any of them.

      "What?" shriek the Slashbots, "If hot Brazilian chicks can't view the message HTML, traceroute the links and the redirects and WHOIS the resulting information, they shouldn't be allowed to use computers!" Perhaps, and perhaps me neither, but it doesn't surprise me that people get burned.

      • it's very simple. no real company would send you an email asking for personal details. and they remind you of this every time they do send you a legitimate email as well as when you sign up.
        • The paypal ones can be a little tricky sometimes, like "There has a been an e-mail change request, go here to tell us if this is wrong"

          Then you go there and unwittingly give your password to some stranger. Now if you have a credit card or checking account tied to your paypal account you could be in trouble.

          But yeah, forms that ask for personal information are easier to avoid. You know the same people that fill those out and click "send" would probably never give the same information out to a person stan
        • How about this one then: I use online banking to pay most of my bills. My bank sends me reminders by email when I have a new bill. Those emails include a link to a logon page. Since these are "expected" emails it would be very easy to use in a phishing scheme. Of course, they are targeted to one particular bank and they also include the name of the Payee so that does make it a bit harder to fake, but I'm sure a Phisher could get a lot of hits by using "Bank of America" or "Wachovia" and common payee names l
      • I've witnessed an otherwise normal 18 year old man give out his credit card details over the phone and then proceed to exclaim with joy to all in the room that he had just won a free scholarship.

        Another classic that hits my old neighborhood in st. louis every now and then. They put a letter on the doors of every house in the neighborhood proclaiming that their house represents a normal suburban dwelling and some movie producer in hollywood would like to do a test shoot to determine if they could use it fo
        • You say there is no shortage of suckers in America like there aren't just as many per capita in every other country.

          I don't understand why people think people in other countries are somehow fundamentally different.

          People are people. Stupid, brilliant, funny, boring, fat, scrawny, beautiful, ugly etc, nationality doesn't enter into it.

          Go pick up A Perfect Circle's eMOTIVe and become a dreamer.
      • by cmstremi ( 206046 ) on Monday June 20, 2005 @09:13AM (#12862823) Homepage
        Uh - what? Sorry - You lost me at "hot Brazilian chicks"...
  • by usernumber31337 ( 512825 ) on Monday June 20, 2005 @08:01AM (#12862270)
    "'The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager"

    A Romanian teenager is a typical movie style villain. Haven't they ever seen Blade?
  • by ras_b ( 193300 ) on Monday June 20, 2005 @08:09AM (#12862313)
    Maybe you guys are getting these all the time, but i don't email much and just received my first phishing email. I never read or open anything if it looks even remotely sketchy, but this one was pretty good. i believed it for a few seconds, until i logged in to paypal through a separate browser and verified no changes had been made to my account. I then forwarded the email to spoof@paypal.com as paypal requests. they wrote back to verify that the email was a scam. Another giveaway was that every link in the email, including the phony email address, had the following url behind them (i never clicked it- don't know whats there): h t t p ://linux.fal.pt/fundicao/img/cmd/index.html

    original message (i added spaces to urls so they wouldn't be links):

    From : PayPal Inc.
    Sent : Tuesday, June 14, 2005 3:58 PM
    To : my_email@hotmail.com
    Subject : Unauthorized Access: (Routing Code: P101-K001-Q-P090)

    You have added funstuff12@aol.com as a new email address for your
    PayPal account.

    If you did not authorize this change or if you need assistance with
    your account, please contact PayPal customer service at:

    h ttps://www.paypal.com/cgi-bin/webscr?cmd=_login-ru n

    Thank you for using PayPal!
    The PayPal Team

    Please do not reply to this e-mail. Mail sent to this address cannot be
    answered. For assistance, log in to your PayPal account and choose the
    "Help" link in the header of any page.

    PROTECT YOUR PASSWORD

    NEVER give your password to anyone and ONLY log in at
    h ttps://www.paypal.com/.Protect yourself against fraudulent websites
    by opening a new web browser (e.g. Internet Explorer or Netscape) and typing
    in the PayPal URL every time you log in to your account.

    PayPal Email ID PP1507
    • hey if you get those emails, forward it back to spoof@paypal.com
    • It's fairly clever. The phish links to a mock up of a paypal "This page has moved" screen. Clicking the moved link launches a new browser window without an address bar, but with one simulated using html. To a naive user it would appear that you were logging in to the secure paypal site.
    • I actually get them quite a bit, but unlike you, I actually follow the links and fill in bogus information...usually supplemented with a lot of profanity.

      I figure someone, somewhere, must read the info, and at the very least, they get an earful (or an eyeful)
    • Thanks for your post. I just tried it out; it's pretty clever. The IP address is 62.48.224.25 for that URL you posted (h t t p ://linux.fal.pt/fundicao/img/cmd/index.html -- spaces inserted intentionally). whois 62.48.224.25 shows: inetnum: 62.48.224.24 - 62.48.224.31
      netname: FAL-NET
      descr: FAL - FUNDICAO ALTO LIXA, SA
      descr: Alto da Lixa - Lixa
      country: PT
      admin-c: PT4010-RIPE
      tech-c: JMF13-RIPE
      status: ASSIGNED PA
      mnt-by: AS15525-MNT
      source: R
  • by CABAN ( 818466 ) <.moc.liamg. .ta. .adelleda.> on Monday June 20, 2005 @08:12AM (#12862332)
    You should know your enemy. http://honeynet.org/papers/phishing/ [honeynet.org]
  • I've always thought (Score:4, Interesting)

    by CastrTroy ( 595695 ) on Monday June 20, 2005 @08:39AM (#12862512)
    I've always thought that we could use some sort of slashdot effect to curb phishing. When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it. Maybe we could all help out by installing a folding@home type client where phishing urls are DDOSed by a bunch of people. With 100,000 people on such a network, each person would only need a to send out a few requests to each site to make it work. There would be problems with the network hacked for bad uses, but limiting the client to only listening to messages that are properly signed would be a good start.
    • Lycos, the popular (sort of) internet portal, once tried this, launching a screensaver that would, when activated, essentially DDoS spamming/phishing sites and other such nasties. It got pulled pretty quickly because of, amongst other things, fear that the network could get hacked (or the phishers pointing their DNS records back to Lycos, essentially reflecting the DDoS back onto them) and doubts over the legality of such an attack, especially with someone with as deep pockets as Lycos to sue if it all came
      • The kinks in such a network could be worked out. As far as pointing the dns to somewhere else, well, you could just resolve the IP, and then attack an IP address, rather than using the domain name. Using digital signatures to sign the messages that are real will help to avoid fake ones. There are probably some legal issues, but I doubt that any court would convict people for doing this.
        • Ever heard someone quip about being tried by 12 people who aren't smart enough to get out of jury duty?

          The people who are on juries come from the same pool of people as phishing victims. If they're not smart enough to recognize the scam when it happens to them, do you really want them deciding your fate?

          Courts and laws are very slow to change. The reason phishing and ID theft are so popular is that it's hard to convict someone of a crime you don't understand.
          • How do you suggest we arrest phishers in Romania? I'm pretty sure that phishers who are charged, would be convicted by a jury. Charging them in the first place is the hard part. Especially when they are located in other countries.
    • until somebody submit http://www.kibbee.ca/ [kibbee.ca] as phishing website.
      • That's why it should be verified before it sends out the message for everyone to DDOS it. Make this someone we can trust. I'm not sure who that is, but there could be a system where a site is checked by multiple people to ensure it is a phishing website. However, there is the problem of sites being hosted on shared boxes, such as the one you mentioned, and a DDOS would probably take down all the sites on the box.
    • by UnknowingFool ( 672806 ) on Monday June 20, 2005 @11:13AM (#12864005)
      When you get a phishing email, report it to some kind of website, once it gets verified as a phishing website, you can kind of just DDOS it.

      Unfortunately the problem with this approach is the collateral damage if the scam artists do not use their own machines to host the scam. The ISP or host company gets pummelled and if they didn't know anything about the scam, they're innocent bystanders.

  • Stereotype (Score:5, Funny)

    by williamhooligan ( 892067 ) on Monday June 20, 2005 @08:44AM (#12862558)
    "The typical phisher, he discovered, isn't a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag."

    This is a vast exaggeration. The image of an eastern europe, 'ragtag' social and economic infrastructure is, for example, in complete contrast to the well-dressed, hip, bling-bling superstars that make up my crew.

    We call it Fly Phishing.

  • by Willeh ( 768540 ) <rwillem@xs4all.nl> on Monday June 20, 2005 @09:02AM (#12862717)
    As per the article, all this is is just plain old playing it by the numbers. Send out 1000k+ emails, some of them are bound to be hits, then profit from there. This article really doesn't prove much beyond what was already pretty much known.

    Also i have to say i doubt the notion that there are "phishers 'r us" websites/ lists/ organisattions that can a). operate for any decent lengh of time before going down by infighting and b). stay out of the public eye for however many years now?

    What i'd really like to see though, is an effort by governments to curb this kind of criminal behavior first, and then going after petty internet crime like music piracy et al. Hell, if they can bust a warez ring, a phishers ring with real, tangible damage to both banks and customers would be even easier. Especially if they (supposedly) already have leaks, like Mr. Incredible here who used his massive skills to write a vague article that really doesn't tell us much.

  • by hacker ( 14635 ) <hacker@gnu-designs.com> on Monday June 20, 2005 @09:07AM (#12862755)

    There are some very simple ways to solve this, en-masse...

    1. Set up a milter that calls HTML::Strip [cpan.org] to strip out all HTML from email. I don't want my webpages on port 25, just like I don't want my email on port 80. Users don't know or care anyway, set it up at the MTA side and they'll get clean emails.

    2. Use a real MUA, like pine, mutt or other that allows you to see the actual content of the message, not its abstracted "rendered" equivalent. I simply hit 'h' in pine, and can see the resulting link that the phisher is trying to send me to... if it doesn't match the anchor tag, it gets deleted (and forwarded to spam-$USER, see dspam below).

    3. Don't run Windows. Nothing need more be said here. When the same ActiveX control is used by Exchange to "render" email into your mailbox as MSIE to "render" maliscious HTML to your browser, you should be concerned.

    4. Install and configure dspam [nuclearelephant.com]. Problem solved after only a few phish emails come through. Simply send them back to your internal spam-$USER address and you'll never see them again, including future ones that are similar. If you want to see them again, go into the web interface and send them to your mail, which will automagically re-score them lower so they get through. My users and I haven't seen a single spam get through to any of our mailboxes in MONTHS, not a single one. Beats the pants off of anything else out there that I've used.

    5. Education. Teach your users that they should never respond or click URLs in email, ever, period. Show them that PayPal and eBay and other companies never ask you to log back in to verify any personal information. Show them how these systems work, and reinforce it all the time by asking them questions about it. Drill it into them.

    • to strip out all HTML from email. I don't want my webpages on port 25,

      And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.

      With a decent mail reader, this is not a problem either, since they disable remote images and render HTML in a way that prevents phishing attacks.

      If w
      • by hacker ( 14635 )

        And what is wrong with sending formatted text as email? Maybe all the HTML email you get is spam, but people actually use HTML email for real work (messages including tables, images, etc.). HTML email sure beats Microsoft Word attachments, which is what people would be using otherwise.

        I don't get HTML email, actually, because its automatically stripped at the MTA, same for all of my users, and I've never heard a single complaint yet.

        I was being simplistic when I suggested using HTML::Strip. The ful

  • by LKM ( 227954 ) on Monday June 20, 2005 @09:37AM (#12863067)

    I see plenty of comments qualifying people who fall for these scams as "stupid people", "being ignorant by choice" or worse. I think we should remember a few things here:

    • We all have knowledge about computers that is far above average. What might be obvious to us may not be obvious to others at all.
    • Computers are a tool. Many of us may play with computers as an end in itself, but others use computers as a means to an end. To them, an E-Mail is very similar to a letter or a phone call. They don't know how to look at the source of the mail, and they don't know how to figure out whether a mail is legitimate or not - and frankly, I don't think they should have to.
    • These scams are really well done. My mail app doesn't display HTML, but if you actually open the HTML part of those mails in your browser, it looks totally legit. It's easy to see how people fall for these.

    Recently, there's a new, similar scam going on where I live: it's kind of real-world fishing. People install small cameras on those ATMs, and they glue little pass-through card readers on top of the slot where you insert the card. If you use such an ATM to get money, they can read out your card data using the reader and get your pin code using the camera. These things are made in such a way that they "blend" into the ATMs interface and look like they were actually part of the ATM. Do you honestly believe that you would notice this? Do you even think of checking for something like this before getting money? Do you think that everyone should know how the different ATMs look so that they notice it when such a device is installed on them? No? Then why do you expect non-geeks to be able to discern a real mail from Pay Pal from a scam mail? Legitimate mails from many money-related web sites contain clickable links.

    Even if you accept that it's the person's own fault if he gives his data to a scam artist, you should grok that you simply can't solve the problem by educating people. That's simply impossible. This is a problem that must be solved using technology. Banks should sign their mails, and mail apps should clearly notify you if a mail is not from where it purports to be. Maybe it shouldn't let the user click on links if the user doesn't have the public key for the mail. Maybe there are entirely different solutions for this problem. But one thing is clear: Educating people won't work, no matter whose fault it is.

  • by borkus ( 179118 ) on Monday June 20, 2005 @09:46AM (#12863158) Homepage
    One thing that the article points out is that phishing isn't just about gullibility. It suceeds because the players act as a distributed network. Because perpetrators are so unlike to get caught, it's hard to deter people from doing it.
    • Each part of the network is separate. They guy who gets the information on an account, versus the guy who breaks into it, versus the guy you receives the money. Knowing who is using the account doesn't help you catch the guy who sent the original phishing e-mail. The fact that the network is international makes coordination by law enforcement even harder.
    • Roles are interchangeable. From the article, it appears that phishers don't have to use the same cashers all of the time. You can't take out one piece of the network and cripple it. Phishers just move onto another casher.
    • Communication is largely anonymous. In old fashioned criminal networks, you had to be face to face at some point - to exchange money for narcotics, stolen property or bootleg liquor. In these new networks, no-one knows the actual person they're dealing with. If you do apprehend one member of the network, that member has very little information useful in arresting others.
  • by amiable1 ( 770808 ) on Monday June 20, 2005 @09:50AM (#12863203)
    I got a phishing attack today. They ask me to log in to https://www.paypal.com/ [paypal.com] Note the extra s. Non-obviously, it's fake. How does this redirection work?
  • Phish email schemes would not succeed if braindead email programs reported the ACTUAL source of the email, instead of the meaningless From line in the body of the email. If you knew that the source of the email you received was dialup.158.97.202.fai.ro and not accounting.citibank.com, wouldn't you be a tad more suspicious? Its in the headers. SPF would work for well-known sites, although changing one character in a domain name can still get by that.
  • This scam is huge. It got me. Not sure if you'd call it phishing, maybe just unscrupulous activity by the shopping cart provider, but this will rob you just by supplying an email address. http://adam.rosi-kessel.org/weblog/the_man/webloya lty_aka_wli_reservations_is_a_scam.html [rosi-kessel.org] I purchased movie tickets from Fandango.com two years ago. Evidently a popup appeared after my transaction offering a discount for filling in a survey (must have been using the girlfriend's Windows box w/ IE). I gave my dispo
    • by Animats ( 122034 ) on Monday June 20, 2005 @12:55PM (#12864962) Homepage
      Now, a patented phishing scam! The CEO of WebLoyalty, Vincent D'Agostino, has two [uspto.gov] patents [uspto.gov] on the technology, both titled "Method and system for cross-marketing products and services over a distributed communication network".

      Here's the WebLoyalty online demo. [vcart.com]. This is triggered after checkout from some other store. All the customer provides is an E-mail address, or at least a click on the big red button below the E-mail address form. Their credit card information is taken automatically from the previous transaction.

      The key to WebLoyalty is that it's embedded in VirtualCart, a popular shopping cart program, and is on by default. [vcart.com] It's quite possible for a merchant to be serving the WebLoyalty scam without even being aware of it. The merchant can't even turn it off directly. From the VirtualCart WebLoyalty FAQ: [vcart.com]

      • Q. How can webloyalty.com afford to offer Special Rewards and not get paid?
      • A. webloyalty.com ultimately generates its revenue from the customer. Each customer who claims the Special Reward is offered the chance to join a discount shopping and protection service (Reservation Rewards), discount travel service (Travel Values Plus), shopping protection service (Buyer Assurance), or credit card and identity protection service (Wallet Shield). Although there is never an obligation for the customer to continue after the 30-day free trial, many customers choose to continue a service for its valuable benefits. This subset of consumers provides revenue to webloyalty.com.
      • Q. Why allow the customer the opportunity to transfer his information as opposed to re-entering it?
      • A. We believe the customer is always right. And after chatting with hundreds of customers, we heard one thing loud and clear... they want convenience. Most consumers believe allowing them to transfer their personal and financial information with their express permission is much more convenient than re-entering it. Just ask Amazon.com's customers!
      • Q. How do I opt-out of this program?
      • A. Send us an e-mail to support@vcart.com with your cart ID and we will be more than happy to review your account for removal from this program. virtualCART reserves the right to require all merchants to participate in the program.

      And there you have it, the world's most successful phishing scam, run by a Harvard MBA.

      If you need to sue those guys, look them up at the Secretary of State of Connecticut [ct.gov], web site, which has their real address and the names and addresses of the corporate officers. Their actual business name is "WebLoyalty.com, Inc."

  • by It doesn't come easy ( 695416 ) * on Monday June 20, 2005 @10:09AM (#12863401) Journal
    I received a very clever phishing email the other day. It was good enough to make one want to click the link and make sure everything was OK. I receive lots of email from the "admins" of eBay concerned that someone is using my account nefariously. Those are always bogus, so not a problem. This one, however, had the following text (I saved it cause it was that good :):

    "Dear eBay member, Yes, i can ship to your location, and i accept escrow for payment.
    Thank you,cowboyup618"

    Then, in a boxed message there was a button with the text "Please respond to the question on eBay by clicking the button below. You'll have the option to display your response directly on the listing."

    If you notice, this simple message looks like it was from a seller and he had a bid from me. If I were an active bidder on eBay, I would be concerned that I had won a bid that I had forgotten about. It would be very easy for someone in this position to click on the button.

    As phishing emails go, it was a pretty good try.
  • by samkass ( 174571 ) on Monday June 20, 2005 @10:10AM (#12863413) Homepage Journal
    "Hello, I am a Nigerian 'phishing' hacker who steals money. But I have no way to withdraw the money from the accounts I've collected. I will give you an account number containing $50,000 in exchange for $1000 pre-paid into my account. Once I verify the money is in my account, you will receive instructions for how to access the $50,000."
  • I don't think it is fair to just pick on the Romulans...wait a second...this isn't the STNG forum? What the hell are ROMANIANS anyway?
  • by SmithB1 ( 893516 ) on Monday June 20, 2005 @10:26AM (#12863554)
    I hope no one has posted this yet, but The University of Phoenix Online now has a one year introductory course on phishing (along with 739 other degrees in great careers.) A Master's program will be introduced next year if there is enough interest!
  • by swatthatfly ( 808033 ) on Monday June 20, 2005 @10:30AM (#12863590)
    I read the article with interest, hoping to find an account of how the Romanian teenagers organized themselves into a sofisticated network of phishers. Instead all I found was a reference about how the typical phisher is Romanian but without any explanation of how they arrived at this conclussion. So why Romanian? I guess it sounds exotic and that's enough to make it interesting. Another load of crap about chat rooms, following other articles with IRC==bad && foreigners==scary in the subject line. How about some info describing what level of sofistication can be achieved in a country where dial-up is the norm and moving out of the city means not having a landline at all, hence no Internet.

Real Programmers think better when playing Adventure or Rogue.

Working...