[funsec] First Monday: The Economy of Phishing.

Dr. Neal Krawetz hf at hackerfactor.com
Thu Sep 15 11:39:47 CDT 2005


On Wed Sep 14 18:16:35 2005, Roland Dobbins wrote:
> 
> http://firstmonday.org/issues/issue10_9/abad/
> 

Wow.  Excellent writeup.

Many of his findings match work done by groups in Germany and Australia,
as well as my own work in this area.
(I focus more on tracking individuals rather than groups, but there is
a lot of crossover work.)

A few points:

- Abad does not specify "which" IRC network he is tracking.
  This could be any of a half-dozen core networks, or he could be
  spanning IRC networks.

- His phishing flow is very accurate, but I would recommend a few changes:
  - Cashing should be segmented into categories:
    mules, mule-driving
    bouncing (if you cannot cash out, then keep the money moving to
      obscure the trail)
    And the different types of cashing out (merchandise, eBay, PayPal,
    Western Union transfers, ATM, ID etc.)

  - Both designs should be prefaced by a mirror person.
    The person that mirrors the web site is not always the person that
    creates the scam.
    Same goes for script writers.  The graphic designers/HTML writers
    do not always write the PHP/CGI scripts.
    (And, of course, the proxy providers.)

  - He mentions botnets but doesn't mention the service bots.
    ("!state mn" responds with "Minnesota", etc.)
    These belong in the flow diagram.  As do their maintainers.

  - He is missing insider information.
    Just knowing that the bank's admin is out sick with a cold is
    very valuable to an attacker.

  - He does not mention where the organized structure comes from.
    My research suggests that this is NOT organized crime in the "mafia"
    sense.  Rather, this is organization out of chaos.  (Think AI
    "genetic algorithm", or Internet architecture.  There is no
    overall architecture, but rather a collection of components that
    work well together.)  I call these "chaotic phishing groups", using
    the mathematical definition of chaos: a single point is random, but
    all the points show clearly defined structure.  (A single phisher
    is stupid.  But together they are brilliant.)

- He does not discuss the revenue stream.
  Cashiers take a cut, then pass money back.
  Much of the work is performed on spec rather than through "pay first".
  As such, the furthest back people may wait a month or longer before
  seeing payment for services.

- His bank graphs are missing labels.  My own data suggests that
  these are linear graphs.  (Not logarithmic, etc.)
  But the overall magnitude looks right.

- He doesn't mention the importance of the bank volume thresholds.
  Basically, the more frequent banks are easier to move money out of.
  (There is a huge convenience factor here.)


I showed this paper to a coworker who is a business strategy expert.
He called it a basic business organizational process -- well organized
and a good business practice.
I asked him how to go about killing it.
He smiled and said, "Legalize and regulate it."

:-)

					-Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/


