[funsec] First Monday: The Economy of Phishing.
nick at virus-l.demon.co.uk
Thu Sep 15 18:45:33 CDT 2005
Dr. Neal Krawetz wrote:
> - His phishing flow is very accurate, but I would recommend a few changes:
> - Cashing should be segmented into categories:
> mules, mule-driving
> bouncing (if you cannot cash out, then keep the money moving to
> obscure the trail)
> And the different types of cashing out (merchandise, eBay, PayPal,
> Western Union transfers, ATM, ID etc.)
He touched very briefly on this in the "Tracking and credential demand"
There are varying degrees of difficulty to cashing out certain
credentials. For banking credentials, the preferred though more
difficult method is ATM fraud, where the casher actually encodes the
banking information (tracking) onto an ATM card and withdraws the
maximum daily funds from that account. The popularity of tracking
has grown because it has become increasingly difficult to ship
purchased goods to countries where credit card fraud is a major
His interest seems to be mostly in tracking though -- perhaps because
that is the cashing method most accessible to him to study,
particularly in terms of having access to the IT/techie/fraud
investigator/etc staff of some of the affected institutions?
> - He mentions botnets but doesn't mention the service bots.
> ("!state mn" responds with "Minnesota", etc.)
> These belong in the flow diagram. As do their maintainers.
I'm not sure I understand the function you are describing here -- can
you give a few more details?
> - He is missing insider information.
> Just knowing that the bank's admin is out sick with a cold is
> very valuable to an attacker.
And an excellent source of such information is to be a quasi-regular
poster to the major IT security mailing lists... 8-)
> - He does not mention where the organized structure comes from.
I beg to disagree.
Re-read paying attention to the mention of scale-free networks. This
is NOT my area, but my understanding of what he is saying is that the
organization does not come from anywhere; that is, (largely) "it just
happens" and such networks tend to be scale-free and thus generally
fairly resilient. Phishing does not persist because it is well
organized but because the structure of its "accidental organization" is
If I have misunderstood this, could someone who better understands the
underlying theoretical work explain what he did mean?
If you disagree with him, I'm interested in hearing that too, but if my
understanding of what he is saying is right, it sounds plausible...
> My research suggests that this is NOT organized crime in the "mafia"
> sense. Rather, this is organization out of chaos. (Think AI
> "genetic algorithm", or Internet architecture. There is no
> overall architecture, but rather a collection of components that
> work well together.) I call these "chaotic phishing groups", using
> the mathematical definition of chaos: a single point is random, but
> all the points show clearly defined structure. (A single phisher
> is stupid. But together they are brilliant.)
As I said, I think he is saying much the same thing. Is there any
theoretical relationship between scale-free networks and (mathematical)
> - He does not discuss the revenue stream.
> Cashiers take a cut, then pass money back.
> Much of the work is performed on spec rather than through "pay first".
> As such, the furthest back people may wait a month or longer before
> seeing payment for services.
I was wondering about some of these issues while reading, so thanks for
the extra info. It seems then that it all (or mostly) works through
distributed trust; "honour among thieves"...
> - He doesn't mention the importance of the bank volume thresholds.
> Basically, the more frequent banks are easier to move money out of.
> (There is a huge convenience factor here.)
Is there a word missing in there? I cannot parse "the more frequent
banks are easier to move money out of"...
> I showed this paper to a coworker that is a business strategy expert.
> He called it a basic business organizational process -- well organized
> and a good business practice.
> I asked him how to go about killing it.
> He smiled and said, "Legalize and regulate it."