The raid was like something out of a Michael Mann movie: Police in four Brazilian states swept through the homes and businesses of dozens of suspects, tagging evidence that included cash, PCs and piles of stolen merchandise. Police said the suspects were involved in a sophisticated, organized criminal ring responsible for stealing cash and property worth more than $30 million. When the October roundup ended, Brazilian authorities had more than 50 suspects in custody.
But in a South American country that sees its share of raids related to drug trafficking and kidnapping, this was no routine monthly roundup of local narcotrafficante. This was a massive, coordinated operation targeting the heart of Brazil’s burgeoning phishing underworld.
Phishing, which first appeared more than 10 years ago, has grown from humble roots to become the international electronic crime of choice for amateurs and professionals alike.
In its simplest form, phishing involves sending out fake e-mail messages that ask recipients to enter personal information, such as bank account numbers, PINs or credit card numbers, into forms on Web sites that are designed to mimic bank or e-commerce sites.
Once users fall for the trick, the criminals behind the scams use the information they gather to withdraw money directly from victims’ bank accounts, have new credit cards made under false names and go on frantic shopping sprees.
Alternatively, scammers will sell or trade stolen credit card numbers in online forums, where a single stolen account number typically fetches a dollar or two.
Phishers move fast. From establishing fake sites and sending e-mails to the collection of information and the actual thefts, a typical phishing attack takes less than a week. Many fake sites are online for just two or three days, and most of the actual phishing activity takes place in the first 24 hours after messages are sent, experts say.
The Brazilian phishing gang was using a sophisticated scheme in which thousands of messages were sent to bank customers whose addresses were culled from a list stolen by a bank employee.
The e-mails told customers that they needed to update online banking credentials and included an attachment that was actually a Trojan. Once a user opened the attachment, the Trojan modified the PC’s hosts file to point the machine to a malicious Web site instead of the legitimate banking site.
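The hosts-file redirection described above can be checked for on an endpoint. The following is an added example, not part of the original article: it parses a hosts file and reports entries that map a watched banking domain to a routable address. The sample file contents, the watched domain names and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the article).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test examplebank.test   # added by trojan
0.0.0.0         ads.tracker.test
192.168.1.10    fileserver.corp.test
198.51.100.7    login.otherbank.test
"""

# Hypothetical watch list: domains that should never be pinned in a hosts file.
WATCHED_SUFFIXES = ("examplebank.test", "otherbank.test")

def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: not a mapping
        for name in fields[1:]:                 # one line may carry several aliases
            yield lineno, ip, name.lower().rstrip(".")

def is_watched(host, suffixes):
    """Match the domain itself or any subdomain, but not look-alike prefixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_redirects(text, suffixes=WATCHED_SUFFIXES):
    """Return hosts entries that send a watched domain to a routable address."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_watched(host, suffixes):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                            # sinkhole entry: blocks, does not redirect
        findings.append((lineno, str(ip), host))
    return findings

if __name__ == "__main__":
    for lineno, ip, host in find_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is pinned to {ip}")
```

On Windows the file to read is normally `%SystemRoot%\System32\drivers\etc\hosts`; any hit for a banking domain is worth treating as a sign of compromise, since legitimate software has no reason to pin such names.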
The allure of such scams is easy to see: With a bare amount of technical skill, huge sums of money can be won with only a slight risk of being caught.
Organized Crime Takes a
The ratio of risk to reward has drawn the attention of several organized crime groups in Brazil and in Eastern Europe, where the Russian mafia and its offshoots have assembled crews of crackers, fences and code writers who handle everything from creating and sending fraudulent e-mails to converting ill-gotten goods into hard currency, according to law enforcement officials and security experts involved in fighting phishing.
“We see a lot of organization in the phishing gangs, but it’s just one piece of the game for them,” said Larry Johnson, special agent in charge of the Criminal Investigative Division at the U.S. Secret Service, in Washington, which, along with the FBI, investigates electronic fraud.
“These groups are involved in hacking, setting up botnets, writing viruses. But there is a hierarchy like in traditional Mafia groups. The more successful you are, the higher up you go, and the more access you have, the better status you have,” Johnson said.
Phishing scams began in the mid-1990s as a way to steal Internet access. Back then, when ISPs such as America Online Inc. charged by the minute for dial-up access, scammers would send e-mails purporting to come from AOL’s member services department and ask recipients to verify user names and passwords. The scammers would then log on using the victims’ accounts and run up huge access bills.
With the advent of flat-rate broadband connections, the scam fell by the wayside, only to be replaced in the early part of this decade by myriad credit card and bank account schemes. But it wasn’t until 2003 that the current wave of phishing attacks began in earnest.
The success of online banking and bill-paying services meant millions of customers were comfortable entering account numbers and other sensitive information on Web sites.
As a result, few people thought twice when they received e-mails that seemed to come from Bank of America Corp. or PayPal Inc., asking for account information.
In January 2003, the Anti-Phishing Working Group, a consortium of security vendors, banks and other concerned parties, recorded 176 unique phishing attacks. By December 2004, the group was seeing more than 1,700 unique attacks. What began as a nuisance had turned into an epidemic in less than two years.
“A very large volume of activity came out of nowhere in 2003. These groups that were doing it now were well-organized and had a way to distribute the stolen goods,” said Ken Dunham, director of malicious code at iDefense Inc., a security intelligence services company in Reston, Va. “Some of these people are very proficient. The expense is low, and the risk is low, and the ability to make money is very high. Phishing is seriously underreported [by victims]. It’s a huge business.”
For victims, however, it’s a nightmare come true. Lori Lee-Savage, an administrative assistant who lives in College Park, Md., was Christmas shopping in December when her ATM card was declined for a small purchase. When she contacted her bank, the manager told her she was overdrawn by nearly $200.
Baffled, Lee-Savage eventually discovered that someone had stolen her bank account number and online banking credentials and begun draining her account.
The thieves had new checks made, complete with a false name and address in Georgia. They stole $3,100 before Lee-Savage discovered the problem. The bank reimbursed the losses, except for about $300 in overdraft penalties. Lee-Savage still doesn’t know exactly when she gave her information away.
“I know the e-mail scams are fakes, but with the way technology improves, the scam artists are way ahead,” Lee-Savage said. “I’m pretty thankful it was only $3,000.”
To maximize earning power and reduce chances of arrest, phishing groups have begun hiring so-called money mules, bank employees who are willing to move dirty money among accounts to launder it and make it more difficult to trace.
Some crews have also set up what amount to phishing sweatshops, where people are forced to do the grunt work, such as coding, for tiny cuts of the profits, Dunham said.
Phishing came into its own with the organizational resources and manpower of the Russian mafia and Brazilian gangs, and the elusiveness of these groups has made arrests and prosecutions rare. Many in the security industry say the government and federal law enforcement agencies need to commit more resources to the problem.
“We need to create an identity theft task force to create clarity and focus on this,” said Bill Conner, CEO of Entrust Inc., a security vendor in Addison, Texas, that works closely with federal officials on security issues. “It’s got to be cross-departmental in the government. There will be innovation required to solve this.”
Law Enforcement Doing Its
Law enforcement officials said they’re doing the best they can under the circumstances. “The sites come and go really fast. We usually target an informant or look for data on an attack in one of the Internet groups where we have people,” said the Secret Service’s Johnson.
“It’s tough to track. We’re making a lot of inroads with international prosecution, but there are countries where we don’t have agreements. Then we have to have a dialogue to educate law enforcement,” Johnson said.
In one of the few phishing-related arrests in recent months in the United States, law enforcement officials in Massachusetts took down Andrew Schwarmkoff, a suspected member of a Russian organized-crime group who is charged with running an extensive and profitable phishing scheme.
When he was arrested in October, Schwarmkoff was found with about $15,000 in cash, several thousand dollars’ worth of stolen merchandise and personal data belonging to more than 100 victims, according to law enforcement authorities.
Such cases have the attention of legislators. Congress has introduced a series of bills this year targeting online identity theft. Last week, Sen. Patrick Leahy, D-Vt., launched legislation aimed at phishing.
The ranking Democrat on the Senate Judiciary Committee said wire fraud and ID theft laws are not adequate in this battle because they depend on someone being defrauded first, and phishing scams are often too difficult to track once a victim is identified. The Anti-Phishing Act of 2005 would criminalize fraudulent Web sites created for the purpose of crime.
Meanwhile, federal law enforcement agencies have begun working with private organizations in a bid to respond more quickly to new attacks.
One such group is the Internet Crime Prevention & Control Institute, a cooperative effort between Zero Spam Network Corp. and the University of Miami. Staffed by Miami undergraduate and graduate students and Zero Spam employees, the ICPCI works closely with the Secret Service’s Electronic Crimes Task Force and ISPs in the United States and abroad to identify and block traffic to machines hosting phishing sites.
Bill Franklin, president of Zero Spam, in Coral Gables, Fla., and his team at the ICPCI, also in Coral Gables, often work directly with CERT teams and service providers in countries such as China, South Korea and Brazil to choke off traffic flowing to phishing sites.
Because many scam sites are hosted by tiny ISPs in remote areas, it’s often faster and simpler to locate the peering points of the service provider that hosts a phishing site and ask the ISP to block the site, Franklin said. Security teams and most ISPs in foreign countries have proved cooperative and effective at taking down phishing sites, he said.
“Six or eight months ago, it might take 10 or 14 days to get a site taken down, and by then the damage was done,” said Franklin. “Now, I can get someone on the phone any time of the day or night who knows who I am and what to do. We can have sites down in a few hours.”
Blocking traffic or taking sites down is one thing, but finding and prosecuting those responsible for the scams is the real goal, and that has proved difficult.
But despite the continued flood of phishing e-mails, the Secret Service’s Johnson is optimistic that the problem may have peaked. “I think a lot of people have reached the conclusion that it will go away once everyone is educated,” Johnson said. “It’s starting to taper off in terms of success rate.”