Phishing Feeds Internet Black Markets

By Brian Krebs Staff Writer
Thursday, November 18, 2004; 6:34 AM

William Jackson never thought he would be grateful for going bankrupt.

Nine months ago, the 44-year-old resident of Katy, Texas, got an e-mail message from what appeared to be eBay's PayPal online payment division. It warned him that his account would be suspended unless he updated it with his personal financial data. The e-mail directed Jackson to a Web site that looked like PayPal's. He keyed in his checking, credit card, bank routing and Social Security numbers, his birthday, his mother's maiden name and the personal identification number for his bank card.

The Web site was a fake. Within a week, the people who created it used Jackson's data to steal $200 from his PayPal account and run up $1,000 in credit card charges.

Jackson cleared up the problem with his bank after two months, and a short while later the activity ceased. But late this summer, his car insurance company sent him a letter rejecting an application for a $30,000 car loan that he never requested.

The only thing that stopped this latest attempt to use Jackson's identity was the 1997 bankruptcy filing that he and his wife made after the military base where he was stationed closed and his civilian job left them with a hefty pay cut in the face of mounting debt.

"Basically every piece of personal data about me had been compromised," Jackson said. "It's pretty simple to get another credit card number and [e-mail] address and switch banks, but what do you do when these guys know the stuff that doesn't change?"

Thousands of consumers like Jackson are taken in each month by phishing, a rapidly growing form of fraud that blends old-fashioned confidence scams with innovations in technological trickery. The crooks often are members of criminal networks that traffic in stolen data, perpetuating a crime that can haunt victims for years after it was committed.

Jackson's case is typical. The scammers make a few small credit card charges or take little bites from the bank account. Then they stop, giving the account holder a false sense of security. In reality, their data is being moved into online black markets. There, it is sold to criminal gangs based in places such as Russia, Ukraine or West Africa. The gangs profit by using the data to open new credit lines for buying high-priced items that they sell for cash.

Much of this activity occurs in password-protected chat rooms, but open-air "carder" Web sites are showing up more frequently.

One Russian site advertised batches of 10 stolen credit card numbers with limits above $10,000 for $50. That price is common at carder sites, and climbs sharply if the seller offers extra data such as the corresponding "card value verification" number, the three-digit code found on the back of credit cards that many online merchants use to verify that the buyer is the same person holding the card.

A year ago, carders could expect to reap $5 by selling fewer than a dozen stolen credit card numbers, regardless of the limit or other information the thief had about the rightful owners, said John Watters, chief executive officer of iDefense, a Reston, Va.-based online security company.

"[Phishing] has really helped this market to mature, because we're now seeing these offerings being parsed into differently priced segments according to what sorts of other information the seller has," Watters said.

© 2004 The Washington Post Company