Computer Crime Research Center


Big phishers can be hard to hook

Date: April 11, 2005
By: Dan Fost

Just how slippery are phishers?

While some amateur scammers have been snared, the big phish have been tough to catch.

Professional phishing groups have a hierarchy similar to organized crime, with everyone from kingpins down to mules, said Lance James, who runs Secure Science, a San Diego firm that identifies phishers and gives the information to law enforcement.

These phishing groups -- James counts 46 of them in operation -- use what he calls online base camps. These are the dedicated servers the thieves use to share lists of potential victims, computer codes for viruses and Trojan horses, the fake Web pages used in phishing e-mails, lists of "zombie" computers, and all the data they've stolen, such as passwords and credit card numbers.

When someone responds to a phishing attack by providing a password, credit card or Social Security number, the phisher routes that data through an online labyrinth to avoid detection.

James said the pros use blind drops, often setting up an e-mail account to get the information they need, then closing the account before anyone can catch them.

"There are multiple drop points," said Lars Harvey, director of customer relations for Internet Identity, a Tacoma, Wash., firm that shuts down the bogus Web sites phishers use to steal personal data. "One free e-mail account is forwarded to another free e-mail account, and the e-mail gets picked up at a cybercafe. There are lots of ways to cover your tracks on the Net, and they're good at that stuff."

Convicted hacker Kevin Mitnick, who is now a cybersecurity consultant and author, said the phishers may not even be where they seem to be.

"Think of an attacker at a Starbucks T-Mobile (wireless) hot spot from his car," Mitnick said. "What are the chances that that person's going to get caught?"

Even trickier are the phishes sent from overseas computers.

"The Internet is global," Harvey said. "You can be sitting in Antarctica, and you can touch any computer anywhere."

For Internet Identity, such situations present language barriers, time zone challenges and cultural differences. And getting a court order in a foreign country is much tougher than in the United States.

"In many countries, it's the national phone company" that can be notoriously difficult to deal with, he said.

Internet Identity operates around the clock -- in the early morning to reach Asian countries and late at night for Europe.

"We do some of our best work between midnight and 3 a.m.," he said.

In addition to the efforts of the security firms, software giant Microsoft has also made a big splash in fighting phishers.

Late last month, Microsoft filed 117 lawsuits against phishing-site operators, all of whom remain unknown at this point. The suits will enable Microsoft to subpoena Internet service providers, which will help them to determine the phishers' identities.

"We're assisting the criminal authorities in bringing criminal charges against phishers," said Aaron Kornblum, Microsoft's Internet safety enforcement attorney. "It brings enhanced deterrence to see a phisher on a TV screen in an orange jail jumpsuit."

In each of the lawsuits, Microsoft contends that one of its Web sites, such as MSN or Hotmail, was copied and used as a way to steal data.

Microsoft's first successful phishing prosecution began in October 2003, when it was tipped to someone sending out e-mails telling users of MSN's Internet service that they needed to update their credit card information. Microsoft filed a lawsuit against a John Doe in its home state of Washington, enabling the company to use subpoenas in its hunt for the phisher.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo