Technology Fueling Wave of Phishing Scams

On any one of nearly a dozen IRC channels dedicated to financial fraud, 16-digit credit card numbers can be found sandwiched between snippets of churlish chat conversation scrolling across the computer screen. Each credit card number is preceded by a two- to three-letter "command" that tells the channel operator what type of information the poster is seeking.

In most cases, the operator responds instantaneously with the requested data, notifying the poster whether the card is still active, its spending limit, the bank issuer, the expiration date, or even its "CVV2" number, the three- or four-digit code on the back of credit cards that many online merchants use to verify that the buyer is the same person holding the card.

Members of Spitzner's Honeynet Project spent several weeks studying IRC activity. The project found that the verified credit data appears to be automated by a program that is drawing information from e-commerce sites whose credit card records have been compromised. Thieves also can check the validity of a credit card by creating fake merchant accounts, services that legitimate businesses use to verify an account with the bank that issued the credit card.

Marcus Sachs, a former cyber-security adviser to the White House who now directs the Bethesda, Md.-based SANS Internet Storm Center, said that if the information posted by the IRC channel operators is legitimate, then they are likely working with people on the inside at the major credit card issuers. But Sachs said he suspects that by "verifying" credit card information posted by other chat room members, those running the IRC channels are more interested in scamming the phishers.

"As evil as it all sounds, the people who know what they're doing in this area operate their phishing scams like a business," Sachs said. "They learn from their mistakes, they outsource, they consolidate, and they cut costs by automating things. But most of all, they profit by any means available."

Online financial fraud resources are difficult for authorities to shutter because their operators move them from one hijacked Web server to another -- often several times a day.

"We had one that we shut down three times in one week. Each time we closed it down, it would appear in another country," said Sergio Pinon, senior vice president of global security for MasterCard International Inc.

Last fall, in an undercover investigation dubbed "Operation Firewall," the U.S. Secret Service and international authorities shut down some of the most popular carder Web sites by infiltrating a service that credit card thieves used to check whether stolen accounts were still active. In that case, Secret Service agents forwarded submitted numbers to their respective bank issuers, all the while building trust with a core group of more than three dozen thieves they would later arrest.

Since then, however, a number of new carder Web sites have sprung up to fill the void, driven by continuing high demand, Pinon said.

But Pinon and sources in the law enforcement community said ongoing investigations into online financial fraud rings will yield numerous arrests in the very near future.

"So many of these criminals think the Internet gives them the freedom to take whatever they want from people," Pinon said. "We're working very hard to let them know that they're not going to get away with it."