washingtonpost.com
Phishing Feeds Internet Black Markets

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, November 18, 2004 6:34 AM

William Jackson never thought he would be grateful for going bankrupt.

Nine months ago, the 44-year-old resident of Katy, Texas, got an e-mail message from what appeared to be eBay's PayPal online payment division. It warned him that his account would be suspended unless he updated it with his personal financial data. The e-mail directed Jackson to a Web site that looked like PayPal's. He keyed in his checking, credit card, bank routing and Social Security numbers, his birthday, his mother's maiden name and the personal identification number for his bank card.

The Web site was a fake. Within a week, the people who created it used Jackson's data to steal $200 from his PayPal account and run up $1,000 in credit card charges.

Jackson cleared up the problem with his bank after two months, and a short while later the activity ceased. But late this summer, his car insurance company sent him a letter rejecting an application for a $30,000 car loan that he never requested.

The only thing that stopped this latest attempt to use Jackson's identity was the 1997 bankruptcy filing that he and his wife made after the military base where he was stationed closed and his civilian job left them with a hefty pay cut in the face of mounting debt.

"Basically every piece of personal data about me had been compromised," Jackson said. "It's pretty simple to get another credit card number and [e-mail] address and switch banks, but what do you do when these guys know the stuff that doesn't change?"

Thousands of consumers like Jackson are taken in each month by phishing, a rapidly growing form of fraud that blends old-fashioned confidence scams with innovations in technological trickery. The crooks often are members of criminal networks that traffic in stolen data, perpetuating a crime that can haunt victims for years after it was committed.

Jackson's case is typical. The scammers make a few small credit card charges or take little bites from the bank account. Then they stop, giving the account holder a false sense of security. In reality, the victim's data is being moved into online black markets. There, it is sold to criminal gangs based in places such as Russia, Ukraine or West Africa. The gangs profit by using the data to open new credit lines for buying high-priced items that they sell for cash.

Much of this activity occurs in password-protected chat rooms, but open-air "carder" Web sites are showing up more frequently.

One Russian site advertised batches of 10 stolen credit card numbers with limits above $10,000 for $50. That price is common at carder sites, and climbs sharply if the seller offers extra data such as the corresponding card verification value, the three-digit code printed on the back of most credit cards that many online merchants ask for to check that the buyer actually holds the card.

A year ago, carders could expect to reap $5 by selling fewer than a dozen stolen credit card numbers, regardless of the limit or other information the thief had about the rightful owners, said John Watters, chief executive officer of iDefense, a Reston, Va.-based online security company.

"[Phishing] has really helped this market to mature, because we're now seeing these offerings being parsed into differently priced segments according to what sorts of other information the seller has," Watters said.

The preferred method of payment also has shifted in a way that suggests a more organized, businesslike clientele is co-opting the once-informal marketplaces, said Marcus Sachs, a former White House cyber-security adviser who directs the Internet Storm Center, which monitors hacker trends.

For years, hackers were content to barter credit card numbers for stolen passwords, custom-made computer code or e-mail address lists. Now, Sachs said, "they just want to get paid."

In a related scam, thieves build e-commerce Web sites hawking everything from sporting goods to contact lenses at bargain-basement prices, advertising the wares with large doses of spam. The Web sites look authentic thanks to pictures and descriptions of goods lifted from real online stores.

"We've seen a lot of really good ones that include fake testimonials and links to their privacy and security policies," said Dan Hubbard, director of security and technology research for Websense, a San Diego-based company that offers online content blocking services for businesses.

Fake e-commerce sites work so well that they now outnumber phishing sites, according to Websense. In a study released in September, the company found between 800 and 1,100 fraudulent and phishing Web sites online at any given time, slightly more than half of them pure fraud sites.

The average phishing site has a lifespan of a few hours to three days before banks and Internet service providers locate and scuttle it. Bogus e-commerce sites, however, generally stay in business for six to eight days before their operators close up shop and disappear, Websense found.

Phishers who steal login data from eBay and PayPal members typically change passwords to lock the owners out of their accounts. Then they siphon cash from the victim's account or use it to set up phony auctions to sell stolen items. Sometimes the scammers auction off items bought using the victim's financial data.

Frank Carpenter, 53, of Charlotte, N.C., could no longer use his Microsoft MSN e-mail account after falling for an eBay phishing scam. Each time he called MSN to reset his password, the thieves would change it. Carpenter thinks they did this to keep him from seeing the confirmation e-mails that eBay sends when a seller lists auction items.

In the ensuing weeks, his positive eBay feedback rating -- reviews submitted by buyers and sellers to rate the quality of previous transactions -- took a beating as the scammers seized his account and stiffed winning bidders.

Weeks after he discovered the fraud, Carpenter's bank contacted him to verify that he authorized the clearance of a $1,200 electronic check from his account.

"My bank is still trying to get me to pay for that. Meanwhile, I've had to start over again as a new [eBay] member," Carpenter said.

Fraud experts say phishers also are targeting their scams to particular recipients at particular times. According to Netcraft, an Internet security firm based in Bath, England, some of the sneakiest "spear phishing" scams target eBay customers, mainly because buyers and sellers are accustomed to receiving e-mails prompting them to take certain actions at specific times.

In one attack, scammers use eBay's "contact member" form to ask questions of people who have placed bids on a high-priced item, collecting e-mail addresses from bidders who respond to the questions. Days after the auction ends, the bidders receive e-mail messages from someone pretending to be the seller, explaining that the winning bidder backed out and offering them a "second chance." A variation involves sending fake eBay invoices via e-mail to winning bidders shortly after the end of an auction.

"These guys are always trying to get more and more clever, and now they're not only getting better at working out who would be best to send these phishing e-mails to but when," said Paul Mutton, an Internet services developer at Netcraft. "We're certainly going to be seeing a lot more temporal aspects incorporated into phishing, because as the good guys get better at catching up it's really the only way these scams are going to stay lucrative."

"You make one stupid mistake and it's like you get put on some giant idiot list that they sell to people saying here are all the people we've been able to steal stuff from," said the 65-year-old Wales, who restores classic cars for a living. "It's gotten to the point now where I just try to have fun toying with them on the phone."

Two weeks after the scam, the fraudsters made 17 withdrawals of $100 from his PayPal account in one day. For the most part, the fraudulent activity stopped after he changed his checking, credit card and savings account numbers.

Then, one week ago, Wales received a call from a fraud investigator at Gateway.com who wanted to know whether he asked to open a new line of credit with the computer maker. Wales said he had to call the man back to be sure it was not just the beginning of another scam. Later, he verified that someone did try to use his information to secure a $4,000 line of credit.

The constant attacks have left Wales feeling paranoid and angry, and all but ready to give up on e-commerce.

"I'm getting close to disconnecting the phone and throwing the damn computer out the window," he said. "Who needs this kind of aggravation?"

© 2004 Washingtonpost.Newsweek Interactive