[funsec] First Monday: The Economy of Phishing.
Dr. Neal Krawetz
hf at hackerfactor.com
Thu Sep 15 11:39:47 CDT 2005
On Wed Sep 14 18:16:35 2005, Roland Dobbins wrote:
Wow. Excellent writeup.
Much of his findings match work done by a groups in Germany and Australia,
as well as my own work in this area.
(I focus more on tracking individuals rather than groups, but there is
a lot of crossover work.)
A few points:
- Abad does not specify "which" IRC network he is tracking.
This could be any of a half-dozen core networks, or he could be
spanning IRC networks.
- His phishing flow is very accurate, but I would recommend a few changes:
- Cashing should be segmenting into categories:
bouncing (if you cannot cash out, then keep the money moving to
obscure the trail)
And the different types of cashing out (merchandise, eBay, PayPal,
Western Union transfers, ATM, ID etc.)
- Both designs should be prefaced by a mirror person.
The person that mirrors the web site is not always the person that
creates the scam.
Same goes for script writers. The graphic designers/HTML writers
do not always write the PHP/CGI scripts.
(And, of course, the proxy providers.)
- He mentions botnets but doesn't mention the service bots.
("!state mn" responds with "Minnesota", etc.)
These belong in the flow diagram. As do their maintainers.
- He is missing insider information.
Just knowing that the bank's admin is out sick with a cold is
very valuable to an attacker.
- He does not mention where the organized structure comes from.
My research suggests that this is NOT organized crime in the "mafia"
sense. Rather, this is organization out of chaos. (Think AI
"genetic algorithm", or Internet architecture. There is no
overall architecture, but rather a collection of components that
work well together.) I call these "chaotic phishing groups", using
the mathematical definition of chaos: a single point is random, but
all the points show clearly defined structure. (A single phisher
is stupid. But together they are brilliant.)
- He does not discuss the revenue stream.
Cashiers take a cut, then pass money back.
Much of the work is performed on spec rather than through "pay first".
As such, the furthest back people may wait a month or longer before
seeing payment for services.
- His bank graphs are missing labels. My own data suggests that
these are linear graphs. (Not logarithmic, etc.)
But the overall magnitude looks right.
- He doesn't mention the importance of the bank volume thresholds.
Basically, the more frequent banks are easier to move money out of.
(There is a huge convenience factor here.)
I showed this paper to a coworker that is a business strategy expert.
He called it a basic business organizational process -- well organized
and a good business practice.
I asked him how to go about killing it.
He smiled and said, "Legalize and regulate it."
Neal Krawetz, Ph.D.
Hacker Factor Solutions
More information about the funsec