The raid was like something out of a Michael Mann movie: Police in four Brazilian states swept through the homes and businesses of dozens of suspects, tagging evidence that included cash, PCs and piles of stolen merchandise. Police said the suspects were involved in a sophisticated, organized criminal ring responsible for stealing cash and property worth more than $30 million. When the October roundup ended, Brazilian authorities had more than 50 suspects in custody.
But in a South American country that sees its share of raids related to drug trafficking and kidnapping, this was no routine monthly roundup of local narcotrafficante. This was a massive, coordinated operation targeting the heart of Brazils burgeoning phishing underworld.
Phishing, which first appeared more than 10 years ago, has grown from humble roots to become the international electronic crime of choice for amateurs and professionals alike.
In its simplest form, phishing involves sending out fake e-mail messages that ask recipients to enter personal information, such as bank account numbers, PINs or credit card numbers, into forms on Web sites that are designed to mimic bank or e-commerce sites.
Once users fall for the trick, the criminals behind the scams use the information they gather to withdraw money directly from victims bank accounts, have new credit cards made under false names and go on frantic shopping sprees.
Alternatively, scammers will sell or trade stolen credit card numbers in online forums, where a single stolen account number typically fetches a dollar or two.
Phishers move fast. From establishing fake sites and sending e-mails to the collection of information and the actual thefts, a typical phishing attack takes less than a week. Many fake sites are online for just two or three days, and most of the actual phishing activity takes place in the first 24 hours after messages are sent, experts say.
The Brazilian phishing gang was using a sophisticated scheme in which thousands of messages were sent to bank customers whose addresses were culled from a list stolen by a bank employee.
The e-mails told customers that they needed to update online banking credentials and included an attachment that was actually a Trojan. Once a user opened the attachment, the Trojan modified the PCs host file to point the machine to a malicious Web site instead of the legitimate banking site.
The allure of such scams is easy to see: With a bare amount of technical skill, huge sums of money can be won with only a slight risk of being caught.