Friday, February 23, 2007
Before and after that "please enter your account details" scam
Researcher Guillaume Lovet explains the economics and organization of criminal activity online.
There's a whole marketplace of skills and labor behind online scams. According to Lovet, when you get one of those emails telling you that your account at Third Second First Bank will be closed unless you log in immediately with your account number, banking password, Social Security number, all of these people will have been involved:
Developer -- This is the person who writes up plausible-sounding scam email and makes the tools to set up a phony web site that looks like your bank and records your password.
Operator -- the person who sends out the spam telling you to log in. This person uses the tools from the developer and is often a juvenile.
So, the operator winds up with passwords for a bunch of bank accounts. What to do with those? Transferring the money to the operator's own bank account would be astonishingly stupid. So the usual approach is to sell the account information to the
Launderers -- based on some country with vague or poorly enforced laws, these people buy the passwords from the operator (maybe $400 for a large account), log in, steal the money, and maybe send a cut back to the operator if they're honest, which by definition they aren't.
All these people get together in virtual bazaars in chat rooms, though there's some suspicion that organized crime may have some permanent infrastructure. Money changes hands outside the normal banking system, by Western Union or some of its virtual equivalents.
Stolen credit cards are a separate market. They typically come from breakins at merchants and are sold in blocks of 10, 100, or even more. They're laundered by buying and shipping resalable goods to confederates and selling them on eBay.
The paper also explains why people try to put adware on your computer.
There aren't any really new security lessons for end users. Remember that you're up against organized crime when you pick a place to type your banking password, and remember that if you're rich and anyone finds out about it then it's worth $400 to somebody to trick you out of your login information.
|
There's a whole marketplace of skills and labor behind online scams. According to Lovet, when you get one of those emails telling you that your account at Third Second First Bank will be closed unless you log in immediately with your account number, banking password, Social Security number, all of these people will have been involved:
Developer -- This is the person who writes up plausible-sounding scam email and makes the tools to set up a phony web site that looks like your bank and records your password.
Operator -- the person who sends out the spam telling you to log in. This person uses the tools from the developer and is often a juvenile.
So, the operator winds up with passwords for a bunch of bank accounts. What to do with those? Transferring the money to the operator's own bank account would be astonishingly stupid. So the usual approach is to sell the account information to the
Launderers -- based on some country with vague or poorly enforced laws, these people buy the passwords from the operator (maybe $400 for a large account), log in, steal the money, and maybe send a cut back to the operator if they're honest, which by definition they aren't.
All these people get together in virtual bazaars in chat rooms, though there's some suspicion that organized crime may have some permanent infrastructure. Money changes hands outside the normal banking system, by Western Union or some of its virtual equivalents.
Stolen credit cards are a separate market. They typically come from breakins at merchants and are sold in blocks of 10, 100, or even more. They're laundered by buying and shipping resalable goods to confederates and selling them on eBay.
The paper also explains why people try to put adware on your computer.
There aren't any really new security lessons for end users. Remember that you're up against organized crime when you pick a place to type your banking password, and remember that if you're rich and anyone finds out about it then it's worth $400 to somebody to trick you out of your login information.
# posted by Frederick @ 12:37 PM Email to a friend:
Haloscan: they provide trackback