Phishing attacks will continue to evolve and grow more sophisticated as they continue to provide organized criminal elements with access to easy profits.
According to the Anti-Phishing Working Group, phishing is a “social-engineering scheme [that] use[s] ‘spoofed’ e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers.” As such, phishing is both the engine that drives the cyber crime underworld and the link between cyber crime and the physical world. This piece will describe a classic phishing attack, the actors responsible for a phishing attack, and why phishing is a security threat.
THE ATTACK
From a victim’s perspective, a typical attack starts with an unsolicited email spoofing a trusted service provider, often a bank. The email will inform the victim of a purported problem with his account and ask that the victim follow a link in the email to the bank’s web site to update his account information. The victim is directed to a spoofed web site that mimics the bank. Therefore, when the user attempts to update his personal information, he hands his identity over to the hacker. The spoofed web site may also install malware that will log the user’s keystrokes in order to steal more personal information and boost the hacker’s profits.
THE PLAYERS
A typical phishing attack involves a number of actors, each specializing in a unique aspect of the attack. A subset of these actors includes the criminal hacker who develops the malware that steals data from victims. The botnet operator rents out an army of bots that send spam email containing the phishing attack. Finally, the casher uses the personal information to steal cash from the victims’ accounts. Each of these actors may coalesce into a fully functional on-line criminal gang, or they may contract their services out to other criminals on an ad hoc basis.
Typically, the hacker sits atop this pyramid of cyber criminals because he aggregates and controls the data stolen during the phishing attack. As the other specialists, especially the cashers, typically lack the sophisticated technical skill of the hackers, they sit at the bottom of the cyber crime pyramid. However, the hackers rely on the lower rungs of the pyramid to realize the profits from a phishing attack. When a casher withdraws money from a stolen account, he will wire the proceeds, minus commission, through an on-line remittance system, like e-Gold, back to the hackers.
THE DANGERS OF PHISHING
According to the Federal Trade Commission, approximately 10 million Americans had their identities stolen in 2003 with an aggregate economic loss of $48 billion. Certainly, many of these thefts were the result of dumpster diving and other types of off-line theft, but a portion was also the result of phishing. The direct cost of phishing and identity theft only tells part of the story. The indirect cost may include customers that shy away from on-line transactions or from specific on-line banks, exacerbating the negative economic impact of phishing and identity theft.
While it is unclear how closely linked organized crime is to phishing attacks, many attacks originate in Russia and other former Eastern Bloc countries. Therefore, many criminal syndicates are directly responsible for or otherwise profit from the rash of phishing attacks around the world. According to Ken Dunham of iDefense, “There’s a well-developed criminal underground market that’s connected to the mafia in Russia and Web gangs and loosely affiliated mob groups around the world. They’re all involved in this explosion of phishing and online crime activity.” Given organized crime’s traditional disrespect for the law, it is dangerous to allow them unfettered access to such an easy source of funding.