Organized Crime Takes a Hand
The ratio of risk to reward has drawn the attention of several organized crime groups in Brazil and in Eastern Europe, where the Russian mafia and its offshoots have assembled crews of crackers, fences and code writers who handle everything from creating and sending fraudulent e-mails to converting ill-gotten goods into hard currency, according to law enforcement officials and security experts involved in fighting phishing.
"We see a lot of organization in the phishing gangs, but it's just one piece of the game for them," said Larry Johnson, special agent in charge of the Criminal Investigative Division at the U.S. Secret Service, in Washington, which, along with the FBI, investigates electronic fraud.
Phishing scams began in the mid-1990s as a way to steal Internet access. Back then, when ISPs such as America Online Inc. charged by the minute for dial-up access, scammers would send e-mails purporting to come from AOL's member services department and ask recipients to verify user names and passwords. The scammers would then log on using the victims' accounts and run up huge access bills.
With the advent of flat-rate broadband connections, the scam fell by the wayside, only to be replaced in the early part of this decade by myriad credit card and bank account schemes.
But it wasn't until 2003 that the current wave of phishing attacks began in earnest. The success of online banking and bill-paying services meant millions of customers were comfortable entering account numbers and other sensitive information on Web sites. As a result, few people thought twice when they received e-mails that seemed to come from Bank of America Corp. or PayPal Inc., asking for account information.
In January 2003, the Anti-Phishing Working Group, a consortium of security vendors, banks and other concerned parties, recorded 176 unique phishing attacks.
By December 2004, the group was seeing more than 1,700 unique attacks. What began as a nuisance had turned into an epidemic in less than two years.
"A very large volume of activity came out of nowhere in 2003. These groups that were doing it now were well-organized and had a way to distribute the stolen goods," said Ken Dunham, director of malicious code at iDefense Inc., a security intelligence services company in Reston, Va.
"Some of these people are very proficient. The expense is low, and the risk is low, and the ability to make money is very high. Phishing is seriously underreported [by victims]. It's a huge business."
For victims, however, it's a nightmare come true. Lori Lee-Savage, an administrative assistant who lives in College Park, Md., was Christmas shopping in December when her ATM card was declined for a small purchase. When she contacted her bank, the manager told her she was overdrawn by nearly $200.
Baffled, Lee-Savage eventually discovered that someone had stolen her bank account number and online banking credentials and begun draining her account. The thieves had new checks made, complete with a false name and address in Georgia. They stole $3,100 before Lee-Savage discovered the problem. The bank reimbursed the losses, except for about $300 in overdraft penalties. Lee-Savage still doesn't know exactly when she gave her information away.
"I know the e-mail scams are fakes, but with the way technology improves, the scam artists are way ahead," Lee-Savage said. "I'm pretty thankful it was only $3,000."
To maximize earning power and reduce chances of arrest, phishing groups have begun hiring so-called money mules, bank employees who are willing to move dirty money among accounts to launder it and make it more difficult to trace. Some crews have also set up what amount to phishing sweatshops, where people are forced to do the grunt work, such as coding, for tiny cuts of the profits, Dunham said.
Phishing came into its own with the organizational resources and manpower of the Russian mafia and Brazilian gangs, and the elusiveness of these groups has made arrests and prosecutions rare. Many in the security industry say the government and federal law enforcement agencies need to commit more resources to the problem.
"We need to create an identity theft task force to create clarity and focus on this," said Bill Conner, CEO of Entrust Inc., a security vendor in Addison, Texas, that works closely with federal officials on security issues. "It's got to be cross-departmental in the government. There will be innovation required to solve this."
"These groups are involved in hacking, setting up botnets, writing viruses. But there is a hierarchy like in traditional Mafia groups. The more successful you are, the higher up you go, and the more access you have, the better status you have," Johnson said.