The kits are just one reason why criminals have the advantage, said Rod Rasmussen, director of operations for Tacoma, Wash.-based Internet Identity, which helps companies combat phishing scams.
Rasmussen said most of the criminals who conduct phishing scams can easily obtain a million e-mail addresses for less than $20 through the Internet black market.
In addition, through their own use of computer viruses or by trading with other criminals, scam authors often control hundreds or even thousands of hijacked personal computers remotely for the purpose of sending phishing e-mails or hosting fake Web sites.
"The production costs for these types of attacks are virtually nil, and all it takes is a couple of people to bite to make it all worthwhile," Rasmussen said.
Much of the planning for and profiteering from phishing scams takes place on obscure Web sites and in anonymous Internet relay chat (IRC) rooms dedicated to "carding," a slang term in the underground community for the process of converting stolen credit card data into cold, hard cash.
IRC is the precursor to modern instant-messaging software, and is used to host hundreds of unmoderated channels dedicated to almost every subject imaginable. Most channels are filled with hobby talk or harmless banter, but IRC's relative anonymity makes it an attractive avenue of communication and commerce for countless hackers and identity thieves.
Online carder sites and IRC channels also offer phishing tutorials and lists of so-called "cardable" Web sites that allow the buyer to bill items bought with stolen cards to one address and ship them to another.
Amir Orad, executive vice president for Cyota, a New York-based company that sells anti-phishing services, said learning how to phish has never been easier because everything a beginner needs to start a scam is available for free or for a small fee, provided the novice knows where on the Internet to look.
"For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists," Orad said. "It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off."
A handful of Web sites even offer to manage the more complicated aspects of phishing -- such as sending fraudulent e-mail and hosting the fake Web sites anonymously. One carder site, carderportal.org, proudly advertises "spam hosting from $20 per month, and fraud hosting from $30 per month."