[funsec] First Monday: The Economy of Phishing.

Nick FitzGerald nick at virus-l.demon.co.uk
Thu Sep 15 18:45:33 CDT 2005

Dr. Neal Krawetz wrote:

> - His phishing flow is very accurate, but I would recommend a few changes:
>   - Cashing should be segmented into categories:
>     mules, mule-driving
>     bouncing (if you cannot cash out, then keep the money moving to
>       obscure the trail)
>     And the different types of cashing out (merchandise, eBay, PayPal,
>     Western Union transfers, ATM, ID etc.)

He touched very briefly on this in the "Tracking and credential demand" 

   There are varying degrees of difficulty to cashing out certain
   credentials. For banking credentials, the preferred though more
   difficult method is ATM fraud, where the casher actually encodes the
   banking information (tracking) onto an ATM card and withdraws the
   maximum daily funds from that account. The popularity of tracking
   has grown because it has become increasingly difficult to ship
   purchased goods to countries where credit card fraud is a major

His interest seems to be mostly in tracking though -- perhaps because 
that is the cashing method most accessible to him to study, 
particularly in terms of having access to the IT/techie/fraud 
investigator/etc staff of some of the affected institutions?

>   - He mentions botnets but doesn't mention the service bots.
>     ("!state mn" responds with "Minnesota", etc.)
>     These belong in the flow diagram.  As do their maintainers.

I'm not sure I understand the function you are describing here -- can 
you give a few more details?

>   - He is missing insider information.
>     Just knowing that the bank's admin is out sick with a cold is
>     very valuable to an attacker.

And an excellent source of such information is to be a quasi-regular 
poster to the major IT security mailing lists...    8-)

>   - He does not mention where the organized structure comes from.

I beg to disagree.

Re-read paying attention to the mention of scale-free networks.  This 
is NOT my area, but my understanding of what he is saying is that the 
organization does not come from anywhere; that is, (largely) "it just 
happens" and such networks tend to be scale-free and thus generally 
fairly resilient.  Phishing does not persist because it is well 
organized but because the structure of its "accidental organization" is 

If I have misunderstood this, could someone who better understands the 
underlying theoretical work explain what he did mean?

If you disagree with him, I'm interested in hearing that too, but if my 
understanding of what he is saying is right, it sounds plausible...

>     My research suggests that this is NOT organized crime in the "mafia"
>     sense.  Rather, this is organization out of chaos.  (Think AI
>     "genetic algorithm", or Internet architecture.  There is no
>     overall architecture, but rather a collection of components that
>     work well together.)  I call these "chaotic phishing groups", using
>     the mathematical definition of chaos: a single point is random, but
>     all the points show clearly defined structure.  (A single phisher
>     is stupid.  But together they are brilliant.)

As I said, I think he is saying much the same thing.  Is there any 
theoretical relationship between scale-free networks and (mathematical) 

> - He does not discuss the revenue stream.
>   Cashiers take a cut, then pass money back.
>   Much of the work is performed on spec rather than through "pay first".
>   As such, the furthest back people may wait a month or longer before
>   seeing payment for services.

I was wondering about some of these issues while reading, so thanks for 
the extra info.  It seems then that it all (or mostly) works through 
distributed trust; "honour among thieves"...

> - He doesn't mention the importance of the bank volume thresholds.
>   Basically, the more frequent banks are easier to move money out of.
>   (There is a huge convenience factor here.)

Is there a word missing in there?  I cannot parse "the more frequent 
banks are easier to move money out of"...

> I showed this paper to a coworker that is a business strategy expert.
> He called it a basic business organizational process -- well organized
> and a good business practice.
> I asked him how to go about killing it.
> He smiled and said, "Legalize and regulate it."
> :-)



Nick FitzGerald
