Technology Fueling Wave of Phishing Scams

In addition, through their own use of computer viruses or by trading with other criminals, scam authors often control hundreds or even thousands of hijacked personal computers remotely for the purpose of sending phishing e-mails or hosting fake Web sites.

"The production costs for these types of attacks are virtually nil, and all it takes is a couple of people to bite to make it all worthwhile," Rasmussen said.

Much of the planning for and profiteering from phishing scams takes place on obscure Web sites and in anonymous Internet relay chat (IRC) rooms dedicated to "carding," a slang term in the underground community for the process of converting stolen credit card data into cold, hard cash.

IRC is the precursor to modern instant-messaging software, and is used to host hundreds of unmoderated channels dedicated to almost every subject imaginable. Most channels are filled with hobby talk or harmless banter, but IRC's relative anonymity makes it an attractive avenue of communication and commerce for countless hackers and identity thieves.

Online carder sites and IRC channels also offer phishing tutorials and lists of so-called "cardable" Web sites that allow the buyer to bill items bought with stolen cards to one address and ship them to another.

Amir Orad, executive vice president for Cyota, a New York-based company that sells anti-phishing services, said learning how to phish has never been easier because everything a beginner needs to start a scam is available for free or for a small fee, provided the novice knows where on the Internet to look.

"For the past few months we've started to see phishing attacks from subcontractors, people who buy and use ready-made phishing toolkits and e-mail lists," Orad said. "It's gotten to the point where you don't need to know anything about spamming or computer programming to pull this off."

A handful of Web sites even offer to manage the more complicated aspects of phishing -- such as sending fraudulent e-mail and hosting the fake Web sites anonymously. One carder site, carderportal.org, proudly advertises "spam hosting from $20 per month, and fraud hosting from $30 per month."

Taken together, carder IRC channels and Web sites have removed the technical and logistical barriers to large-scale online identity theft and credit card fraud, said Lance Spitzner, president of the Honeynet Project, a volunteer security research organization that studies new trends in Internet crime.

"What was surprising to us was all the novice users we saw on these channels and how many people that are just starting to get into this kind of fraud," Spitzner said. "The scary part is that what we're seeing here is probably just the low-hanging fruit. The serious criminals on the Internet are usually too paranoid to communicate out in the open like this, so it makes you wonder just what kinds of information the organized mafia types have access to."

The seller must find a trustworthy "casher" -- someone who will convert stolen credit cards into cash without absconding with more than their agreed-upon portion of the money -- while trying to stay one step ahead of law enforcement and corporate sleuths. For the buyer, the tough part is verifying that the data for sale is legitimate and usable.

But experts say that over the past year and a half, some of the more popular carder IRC channels have been taken over by anonymous individuals who help members verify the authenticity of stolen credit card data while blacklisting "rippers" -- people who sell the same list of stolen credit cards to multiple clients -- or deadbeat buyers who never pay for their cards.



© 2008 Washingtonpost.Newsweek Interactive