washingtonpost.com
Technology Fueling Wave of Phishing Scams
'Toolkits' and 'Carder' Sites Help Thieves Cash in on ID Theft

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, January 18, 2005; 9:49 AM

It was just a name, one of dozens flowing by in a little-known Internet chat room for identity thieves. Sandwiched between requests to barter various kinds of ill-gotten data ("Trading one valid [credit card] for my 5mb proxy list or hosting" ... "[need] linux host to put my site on.. i have cvv2's, msg me to deal") and inane chatter ("wat u upto?") came the simple, unadorned lines: "card type: Debit Card ... Name: Dallas Thomas ... city: Stillwater ... state: ok."

As the chat continued, Thomas's credit card number, her date of birth, Social Security number, mother's maiden name, phone number and address were posted for all to see. A frequent viewer would immediately recognize such postings as enticements -- a sample to lure watchers into buying or trading for personal financial information that can be used to rob the cardholders. The poster was implying that he or she had more stolen data where that came from, and hoped to establish credibility within the community.

Need to know the answer to a cardholder's "secret question"? How much money you can siphon before the credit limit is breached? These "carder" chat rooms are the place to go. Data thieves also use the rooms, known as "channels," to trade and sell access to eBay and PayPal accounts, hacked home computers, and airtime on Internet-based telephone networks. And Thomas, whose information was listed on the chat room for the perusal of dozens of online thieves, had no idea that such places exist.

Reached at the home phone number posted in the chat channel, the 22-year-old college student said she had lost $600 after being lured to a fake PayPal Web site just one week earlier, and had canceled her credit card just two days before. Like many other victims of "phishing" -- the use of official-looking e-mails and Web pages to trick people into divulging financial information -- Thomas was stunned that her data was being openly traded online.

"I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"

The answer may be that the economics of online fraud -- which has such low start-up costs that luring only a few victims to divulge personal financial data can turn a huge profit for the perpetrator -- are so much in favor of the criminals that, at least for now, a continued increase in phishing activity is all but certain.

The number of online financial scams grew dramatically in the fall of 2004, driven in part by the proliferation of online fraud forums and phishing software that help users automate the design and deployment of their scams, according to the Anti-Phishing Working Group and other security experts.

The APWG -- a coalition of banks and technology companies -- identified 8,459 new and unique phishing e-mail messages in November, nearly four times the number reported in August. The group tracked 1,518 phishing Web sites in November, a 29 percent increase from October.

"Those numbers indicate that multiple phishing scams are being hosted off of the same Web sites," said Dave Jevans, the group's chairman. "That suggests to us that a lot of these guys are using some form of automation to help set up their scams."

Some toolkits are little more than downloadable packages of Web pages and sample e-mails; others are software programs that allow criminals to select from drop-down menus that contain sample messages, corporate logos and Web site designs.

The kits are just one reason why criminals have the advantage, said Rod Rasmussen, director of operations for Tacoma, Wash.-based Internet Identity, which helps companies combat phishing scams.

Rasmussen said most of the criminals who conduct phishing scams can easily obtain a million e-mail addresses for less than $20 through the Internet black market.

In addition, through their own use of computer viruses or by trading with other criminals, scam authors often control hundreds or even thousands of hijacked personal computers remotely for the purpose of sending phishing e-mails or hosting fake Web sites.

"The production costs for these types of attacks are virtually nil, and all it takes is a couple of people to bite to make it all worthwhile," Rasmussen said.

Much of the planning for and profiteering from phishing scams takes place on obscure Web sites and in anonymous Internet relay chat (IRC) rooms dedicated to "carding," a slang term in the underground community for the process of converting stolen credit card data into cold, hard cash.

IRC is the precursor to modern instant-messaging software, and is used to host hundreds of unmoderated channels dedicated to almost every subject imaginable. Most channels are filled with hobby talk or harmless banter, but IRC's relative anonymity makes it an attractive avenue of communication and commerce for countless hackers and identity thieves.

Online carder sites and IRC channels also offer phishing tutorials and lists of so-called "cardable" Web sites that allow the buyer to bill items bought with stolen cards to one address and ship them to another.

Amir Orad, executive vice president for Cyota, a New York-based company that sells anti-phishing services, said learning how to phish has never been easier because everything a beginner needs to start a scam is available for free or for a small fee, provided the novice knows where on the Internet to look.

"For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists," Orad said. "It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off."

A handful of Web sites even offer to manage the more complicated aspects of phishing -- such as sending fraudulent e-mail and hosting the fake Web sites anonymously. One carder site, carderportal.org, proudly advertises "spam hosting from $20 per month, and fraud hosting from $30 per month."

Taken together, carder IRC channels and Web sites have removed the technical and logistical barriers to large-scale online identity theft and credit card fraud, said Lance Spitzner, president of the Honeynet Project, a volunteer security research organization that studies new trends in Internet crime.

"What was surprising to us was all the novice users we saw on these channels and how many people that are just starting to get into this kind of fraud," Spitzner said. "The scary part is that what we're seeing here is probably just the low-hanging fruit. The serious criminals on the Internet are usually too paranoid to communicate out in the open like this, so it makes you wonder just what kinds of information the organized mafia types have access to."

Honor Among Thieves?

Innovation has made it easier for phishers to separate unwitting consumers from their financial information, but in the underground world of hacking for profit, stealing credit card numbers is considered the easy part; it is in selling and purchasing that information where things become more complicated.

The seller must find a trustworthy "casher" -- someone who will convert stolen credit cards into cash without absconding with more than their agreed-upon portion of the money -- while trying to stay one step ahead of law enforcement and corporate sleuths. For the buyer, the tough part is verifying that the data for sale is legitimate and usable.

But experts say that over the past year and a half, some of the more popular carder IRC channels have been taken over by anonymous individuals who help members verify the authenticity of stolen credit card data while blacklisting "rippers" -- people who sell the same list of stolen credit cards to multiple clients -- or deadbeat buyers who never pay for their cards.

On any one of nearly a dozen IRC channels dedicated to financial fraud, 16-digit credit card numbers can be found sandwiched between snippets of churlish chat conversation scrolling across the computer screen. Each credit card number is preceded by a two- to three-letter "command" that tells the channel operator what type of information the poster is seeking.

In most cases, the operator responds instantaneously with the requested data, notifying the poster whether the card is still active, its spending limit, the bank issuer, the expiration date, or even its "CVV2" number, the three- or four-digit code on the back of credit cards that many online merchants use to verify that the buyer is the same person holding the card.

Members of Spitzner's Honeynet Project spent several weeks studying IRC activity. The project found that the verification of posted credit card data appears to be automated by a program that draws its information from e-commerce sites whose credit card records have been compromised. Thieves also can check the validity of a credit card by creating fake merchant accounts, services that legitimate businesses use to verify an account with the bank that issued the credit card.

Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers. But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers.

"As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."

Hooking the Phishers

The major credit card companies monitor known fraud sites and IRC channels for stolen credit card information, but experts say that in many cases thieves have stolen as much as they can by the time a credit card gets posted online.
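The monitoring described here, and the chat format described earlier (a short "command" token followed by a 16-digit number), can be illustrated with a small detector. The following Python script is an added example written for this page; it is not code from the article, the Honeynet Project, or any card issuer. It scans constructed chat lines for 16-digit candidates, discards anything that fails the Luhn checksum (which cuts false positives such as ticket or order numbers), records the accompanying command token, and masks the number before logging it so the monitoring system itself does not store full card numbers. The sample numbers are the well-known public test values 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts; the command names (!chk, !cc, !info) are invented placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample chat lines in the style the article describes.
# The 4111... and 5555... values are public test card numbers, not real accounts;
# the !chk / !cc / !info tokens are placeholder command names.
SAMPLE_LINES = [
    "<user1> !chk 4111111111111111",
    "<user2> wat u upto?",
    "<user3> !cc 4111-1111-1111-1112",          # 16 digits but fails Luhn
    "<user4> !info 5555 5555 5555 4444",
    "<user5> my ticket number is 1234567890123456",  # 16 digits, not a card
]

# 16 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# A leading "!xx" style command token, as used on the channels described.
COMMAND_RE = re.compile(r"(?:^|\s)(![a-z]{2,4})\s")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (issuer prefix and tail), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> List[Dict[str, Optional[str]]]:
    """Find Luhn-valid 16-digit numbers in one chat line and return masked findings."""
    hits: List[Dict[str, Optional[str]]] = []
    for match in CANDIDATE_RE.finditer(line):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            continue                      # drop non-card digit runs
        cmd = COMMAND_RE.search(line)
        hits.append({
            "masked": mask_pan(digits),
            "command": cmd.group(1) if cmd else None,
            # Store a redacted copy of the line, never the full number.
            "line": line.replace(raw, mask_pan(digits)),
        })
    return hits


def scan_lines(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run scan_line over a batch of chat lines and collect every finding."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(f"{finding['command'] or '-':6} {finding['masked']}  {finding['line']}")
```

Run against the constructed lines, the scanner reports only the two Luhn-valid numbers, each with its command token, and leaves the malformed number and the ticket number alone. In a real feed the same masked findings would be what gets forwarded to an issuer, which is the part of the workflow the article attributes to the card companies.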

Online financial fraud resources are difficult for authorities to shutter because their operators move them from one hijacked Web server to another -- often several times a day.

"We had one that we shut down three times in one week. Each time we closed it down, it would appear in another country," said Sergio Pinon, senior vice president of global security for MasterCard International Inc.

Last fall, in an undercover investigation dubbed "Operation Firewall," the U.S. Secret Service and international authorities shut down some of the most popular carder Web sites by infiltrating a service that credit card thieves used to check whether stolen accounts were still active. In that case, Secret Service agents forwarded submitted numbers to their respective bank issuers, all the while building trust with a core group of more than three dozen thieves they would later arrest.

Since then, however, a number of new carder Web sites have sprung up to fill the void, driven by continuing high demand, Pinon said.

But Pinon and sources in the law enforcement community said ongoing investigations into online financial fraud rings will yield numerous arrests in the very near future.

"So many of these criminals think the Internet gives them the freedom to take whatever they want from people," Pinon said. "We're working very hard to let them know that they're not going to get away with it."

© 2005 TechNews.com