[Shadow_Group] Fw: Phishing Feeds Internet Black Markets BEWARE

shadowgroup-l at lists.resist.ca shadowgroup-l at lists.resist.ca
Tue Nov 23 04:35:42 PST 2004

washingtonpost.com

Phishing Feeds Internet Black Markets

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, November 18, 2004; 6:34 AM 

William Jackson never thought he would be grateful for going bankrupt. 

Nine months ago, the 44-year-old resident of Katy, Texas, got an e-mail
message from what appeared to be eBay's PayPal online payment division.
It warned him that his account would be suspended unless he updated it
with his personal financial data. The e-mail directed Jackson to a Web
site that looked like PayPal's. He keyed in his checking, credit card,
bank routing and Social Security numbers, his birthday, his mother's
maiden name and the personal identification number for his bank card. 

The Web site was a fake. Within a week, the people who created it used
Jackson's data to steal $200 from his PayPal account and run up $1,000 in
credit card charges. 

Jackson cleared up the problem with his bank after two months, and a
short while later the activity ceased. But late this summer, his car
insurance company sent him a letter rejecting an application for a
$30,000 car loan that he never requested. 

The only thing that stopped this latest attempt to use Jackson's identity
was the 1997 bankruptcy filing that he and his wife made after the
military base where he was stationed closed and his civilian job left
them with a hefty pay cut in the face of mounting debt. 

"Basically every piece of personal data about me had been compromised,"
Jackson said. "It's pretty simple to get another credit card number and
[e-mail] address and switch banks, but what do you do when these guys
know the stuff that doesn't change?" 

Thousands of consumers like Jackson are taken in each month by phishing,
a rapidly growing form of fraud that blends old-fashioned confidence
scams with innovations in technological trickery. The crooks often are
members of criminal networks that traffic in stolen data, perpetuating a
crime that can haunt victims for years after it was committed. 

Jackson's case is typical. The scammers make a few small credit card
charges or take little bites from the bank account. Then they stop,
giving the account holder a false sense of security. In reality, their
data is being moved into online black markets. There, it is sold to
criminal gangs based in places such as Russia, Ukraine or West Africa.
The gangs profit by using the data to open new credit lines for buying
high-priced items that they sell for cash. 

Much of this activity occurs in password-protected chat rooms, but
open-air "carder" Web sites are showing up more frequently. 

One Russian site advertised batches of 10 stolen credit card numbers with
limits above $10,000 for $50. That price is common at carder sites, and
climbs sharply if the seller offers extra data such as the corresponding
"card value verification" number, the three-digit code found on the back
of credit cards that many online merchants use to verify that the buyer
is the same person holding the card. 

A year ago, carders could expect to reap $5 by selling fewer than a dozen
stolen credit card numbers, regardless of the limit or other information
the thief had about the rightful owners, said John Watters, chief
executive officer of iDefense, a Reston, Va.-based online security
company. 

"[Phishing] has really helped this market to mature, because we're now
seeing these offerings being parsed into differently priced segments
according to what sorts of other information the seller has," Watters
said. 

The preferred method of payment also has shifted in a way that suggests a
more organized, businesslike clientele is co-opting the once-informal
marketplaces, said Marcus Sachs, a former White House cyber-security
adviser who directs the Internet Storm Center, which monitors hacker
trends. 

For years, hackers were content to barter credit card numbers for stolen
passwords, custom-made computer code or e-mail address lists. Now, Sachs
said, "they just want to get paid." 

Pure Fakery

Another trick that harkens back to the dawn of the World Wide Web is
starting to see new life: fake online storefronts that harvest credit
card information. 

In these scams, thieves build Web sites hawking everything from sporting
goods to contact lenses at bargain-basement prices, advertising the wares
with large doses of spam. The Web sites look authentic thanks to pictures
and descriptions of goods lifted from real online stores. 

"We've seen a lot of really good ones that include fake testimonials and
links to their privacy and security policies," said Dan Hubbard, director
of security and technology research for Websense, a San Diego-based
company that offers online content blocking services for businesses. 

Fake e-commerce sites work so well that they recently outpaced the number
of phishing sites, according to Websense. In a study released in
September, the company found that there are between 800 and 1,100
fraudulent and phishing Web sites online at any time, and slightly more
than half of those are pure fraud sites. 

The average phishing site usually has a lifespan of a few hours to three
days before banks and Internet service providers locate and scuttle them.
Bogus e-commerce sites, however, generally stay in business for six to
eight days before their operators close up shop and disappear, Websense
found. 

Target eBay

William Jackson's case placed him in the company of thousands of online
shoppers who responded to e-mails that they thought were from eBay or
PayPal. From January to October this year, almost 30 percent of all
phishing attacks targeted those customers, according to the Anti-Phishing
Working Group, a coalition of banks and technology companies dedicated to
fighting phishing fraud. 

Phishers who steal login data from eBay and PayPal members typically
change passwords to lock the owners out of their accounts. Then they
siphon cash from the victim's account or use it to set up phony auctions
to sell stolen items. Sometimes the scammers auction off items bought
using the victim's financial data. 

Frank Carpenter, 53, of Charlotte, N.C., could no longer use his
Microsoft MSN e-mail account after falling for an eBay phishing scam.
Each time he called MSN to reset his password, the thieves would change
it. Carpenter thinks they did this to keep him from seeing the
confirmation e-mails that eBay sends when a seller lists auction items. 

In the ensuing weeks, his positive eBay feedback rating -- reviews
submitted by buyers and sellers to rate the quality of previous
transactions -- took a beating as the scammers seized his account and
stiffed winning bidders. 

Weeks after he discovered the fraud, Carpenter's bank contacted him to
verify that he authorized the clearance of a $1,200 electronic check from
his account. 

"My bank is still trying to get me to pay for that. Meanwhile, I've had
to start over again as a new [eBay] member," Carpenter said. 

Fraud experts say phishers also are targeting their scams to particular
recipients at particular times. According to Netcraft, an Internet
security firm based in Bath, England, some of the sneakiest "spear
phishing" scams target eBay customers, mainly because buyers and sellers
are accustomed to receiving e-mails prompting them to take certain
actions at specific times. 

In one attack, scammers use eBay's "contact member" form to ask questions
of people who have placed bids on a high-priced item, collecting e-mail
addresses from bidders who respond to the questions. Days after the
auction ends, the bidders receive e-mail messages from someone pretending
to be the seller, explaining that the winning bidder backed out and
offering them a "second chance." A variation involves sending fake eBay
invoices via e-mail to winning bidders shortly after the end of an
auction. 

"These guys are always trying to get more and more clever, and now
they're not only getting better at working out who would be best to send
these phishing e-mails to but when," said Paul Mutton, an Internet
services developer at Netcraft. "We're certainly going to be seeing a lot
more temporal aspects incorporated into phishing, because as the good
guys get better at catching up it's really the only way these scams are
going to stay lucrative." 

Marked for Life

Some phishing victims find that they become an attractive target to other
fraudsters. Woodland Hills, Calif., resident Gary Wales fell for a PayPal
phishing attack almost a year ago, but hardly a day goes by without a
suspicious e-mail or phone call from someone asking for his personal
information. Most recently, Wales said, someone called claiming to be a
New York stockbroker in charge of his investment account. Figuring it was
another con, Wales left him on hold until he hung up. 

"You make one stupid mistake and it's like you get put on some giant
idiot list that they sell to people saying here are all the people we've
been able to steal stuff from," said the 65-year-old Wales, who restores
classic cars for a living. "It's gotten to the point now where I just try
to have fun toying with them on the phone." 

Two weeks after the scam, the fraudsters made 17 withdrawals of $100 from
his PayPal account in one day. For the most part, the fraudulent activity
stopped after he changed his checking, credit card and savings account
numbers. 

Then, one week ago, Wales received a call from a fraud investigator at
Gateway.com who wanted to know whether he asked to open a new line of
credit with the computer maker. Wales said he had to call the man back to
be sure it was not just the beginning of another scam. Later, he verified
that someone did try to use his information to secure a $4,000 line of
credit. 

The constant attacks have left Wales feeling paranoid and angry, and all
but ready to give up on e-commerce. 

"I'm getting close to disconnecting the phone and throwing the damn
computer out the window," he said. "Who needs this kind of aggravation?"
