Technology Fueling Wave of Phishing Scams
Tuesday, January 18, 2005; 9:49 AM
It was just a name, one of dozens flowing by in a little-known Internet chat room for identity thieves. Sandwiched between requests to barter various kinds of ill-gotten data ("Trading one valid [credit card] for my 5mb proxy list or hosting" ... "[need] linux host to put my site on.. i have cvv2's, msg me to deal") and inane chatter ("wat u upto?") came the simple, unadorned lines: "card type: Debit Card ... Name: Dallas Thomas ... city: Stillwater ... state: ok."
As the chat continued, Thomas's credit card number, her date of birth, Social Security number, mother's maiden name, phone number and address were posted for all to see. A frequent viewer would immediately recognize such postings as enticements -- a sample to lure watchers into buying or trading for personal financial information that can be used to rob the cardholders. The poster was implying that he or she had more stolen data where that came from, and hoped to establish credibility within the community.
Need to know the answer to a cardholder's "secret question"? How much money you can siphon before the credit limit is breached? These "carder" chat rooms are the place to go. Data thieves also use the rooms, known as "channels," to trade and sell access to eBay and PayPal accounts, hacked home computers, and airtime on Internet-based telephone networks. And Thomas, whose information was listed on the chat room for the perusal of dozens of online thieves, had no idea that such places exist.
Reached at the home phone number posted in the chat channel, the 22-year-old college student said she had lost $600 after being lured to a fake PayPal Web site just one week earlier, and had canceled her credit card just two days before. Like many other victims of "phishing" -- the use of official-looking e-mails and Web pages to trick people into divulging financial information -- Thomas was stunned that her data was being openly traded online.
"I can't believe that people are allowed to do this kind of thing," she said. "Why can't [the authorities] do anything about this?"
The answer may be that the economics of online fraud -- which has such low start-up costs that luring only a few victims to divulge personal financial data can turn a huge profit for the perpetrator -- are so much in favor of the criminals that, at least for now, a continued increase in phishing activity is all but certain.
The number of online financial scams grew dramatically in the fall of 2004, driven in part by the proliferation of online fraud forums and phishing software that help users automate the design and deployment of their scams, according to the Anti-Phishing Working Group and other security experts.
The APWG -- a coalition of banks and technology companies -- identified 8,459 new and unique phishing e-mail messages in November, nearly four times the number reported in August. The group tracked 1,518 phishing Web sites in November, a 29 percent increase from October.
"Those numbers indicate that multiple phishing scams are being hosted off of the same Web sites," said Dave Jevans, the group's chairman. "That suggests to us that a lot of these guys are using some form of automation to help set up their scams."
Some toolkits are little more than downloadable packages of Web pages and sample e-mails; others are software programs that allow criminals to select from drop-down menus that contain sample messages, corporate logos and Web site designs.
The kits are just one reason why criminals have the advantage, said Rod Rasmussen, director of operations for Tacoma, Wash.-based Internet Identity, which helps companies combat phishing scams.
Rasmussen said most of the criminals who conduct phishing scams can easily obtain a million e-mail addresses for less than $20 through the Internet black market.